| Sl No | Recommendation | Comment |
|---|---|---|
| 1 | Most retail cyber frauds and electronic banking frauds would be of values less than 1 crore and hence may not attract the necessary attention of the Special Committee of the Board. Since these frauds are large in number and have the potential to reach large proportions, it is recommended that the Special Committee of the Board be briefed separately on this to keep them aware of the proportions of the fraud and the steps taken by the bank to mitigate them. The Special Committee should specifically monitor the progress of the mitigating steps taken by the bank in case of electronic frauds and the efficacy of the same in containing fraud numbers and values. | Currently, RBI is only focusing on large frauds which arise out of loans and advances. What is being neglected are frauds, including cyber crimes, committed with or without the assistance of bank staff and with or without negligence of banks. These small frauds affect common people. Cyber criminals have been trying to adopt a strategy of effecting small-amount frauds on a large number of people so that the intensity of follow-up is low. After the introduction of mobile banking there will be more such micro frauds. RBI and the banks cannot ignore the incidence of such frauds. There is a need, therefore, for RBI to create a separate infrastructure for prevention, detection and resolution of small-fraud issues. Banks have been ignoring the S R Mittal Group recommendation on obtaining insurance for frauds. RBI should penalize banks for not covering themselves with insurance. With or without insurance, any innocent victim of a bank fraud should be protected from the loss by the bank. |
| 2 | The activities of fraud prevention, monitoring, investigation, reporting and awareness creation should be owned and carried out by an independent group in the bank. The group should be adequately staffed and headed by a senior official of the bank, not below the rank of General Manager/DGM. | No comments. |
| 3 | Fraud review councils should be set up by the above fraud risk management group with various business groups in the bank. The council should comprise the head of the business, the head of the fraud risk management department, the head of operations supporting that particular business function and the head of information technology supporting that business function. The councils should meet every quarter to review fraud trends and preventive steps taken that are specific to that business group. | No comments. |
| 4 | Various fraud prevention practices need to be followed by banks. These include fraud vulnerability assessments, review of new products and processes, putting in place fraud loss limits, root cause analysis for actual fraud cases above Rs. 10 lakhs, reviewing cases where a unique modus operandi is involved, ensuring adequate data/information security measures, following KYC and know-your-employee/vendor procedures, ensuring adequate physical security, sharing of best practices of fraud prevention and creation of fraud awareness amongst staff and customers. | No comments, other than that a similar system should be in place for small frauds. |
| 5 | Banks have started sharing negative/fraudulent lists of accounts through CIBIL Detect. Banks should also start sharing the details of employees who have defrauded them so that they do not get hired by other banks/financial institutions. | The functioning of CIBIL has not been in accordance with the privacy norms accepted worldwide. Often honest customers are penalized by a bank reporting the credit and not reporting repayments. Accountability should be fixed for such lapses. Every customer whose data is shared with CIBIL should be individually informed of the data shared and should be provided continuous free access to the information in CIBIL's hands so that its accuracy can be checked directly by the data owner. In case the data owner reports any errors, there should be a system in place to correct the inaccuracies. There are many instances of banks misusing DRT and trying to knock off immovable properties in collusion with criminals. RBI does not have a proper mechanism to control the misuse of DRT. A solution should be found for this menace of banks committing frauds on customers. Similar frauds are committed by banks on personal loan customers and credit card customers. "Fraud Management" at RBI should take such frauds also into consideration. RBI may for this purpose dedicate an officer who can act as an "Ombudsman for Loan Disputes". |
| 6 | Quick fraud detection capability would enable a bank to reduce losses and can also serve as a deterrent to fraudsters. Various important requirements recommended in this regard include setting up a transaction monitoring group within the fraud risk management group, alert generation and redressal mechanisms, a dedicated e-mail id and phone number for reporting suspected frauds, mystery shopping and reviews. | No comments. |
| 7 | Banks should set up a transaction monitoring unit within the fraud risk management group. The transaction monitoring team should be responsible for monitoring various types of transactions, especially monitoring of potential fraud areas, by means of which early alarms can be triggered. This unit needs to have the expertise to analyse transactions to detect fraud trends. This unit should work in conjunction with the data warehousing and analytics team within banks for data extraction, filtering and sanitisation for transaction analysis for determining fraud trends. Banks should put in place automated systems for detection of frauds based on advanced statistical algorithms and fraud detection techniques. | This is an urgent requirement. It requires upgradation of software. Software suppliers must be held responsible for providing regular updates in terms of fraud management and legal compliance. Current software supplied by otherwise reputed brands is deficient in this respect, and a time-bound plan to replace such software should be initiated. |
| 8 | It is widely accepted that fraud investigation is a specialised function. Thus, the fraud risk management group should undergo continuous training to enhance its skills and competencies. | No comments. |
| 9 | Apart from the categories of fraud that need to be reported as per the RBI circular dated July 2, 2010, it is recommended that this should also include frauds in the electronic channels and the variants of plastic cards used by a bank and its customers for concluding financial transactions. | RBI, in response to a recent RTI application, replied that it does not classify frauds of the phishing type separately and clubs them all with credit card frauds. Hopefully, in future the reporting system will be suitably modified. |
| 10 | It has been noted that there is a lack of uniformity regarding the amount of fraud to be reported to RBI. Some banks report the net loss as the fraud amount (i.e. fraud amount minus recovery), while others report the gross amount. Some do not report a fraud if the entire amount is recovered. In the case of credit card frauds, some banks follow the practice of reporting the frauds net of chargeback credit received, while others report the amount of the original transactions. To overcome such inconsistency, a uniform rule of reporting amounts involved in frauds is being recommended. | RBI has been lenient on banks defaulting in providing appropriate FMR returns. The situation should be corrected with some penalties for improper or lack of reporting. The Board should be held responsible for non-reporting of frauds as per RBI guidelines. |
| 11 | A special mention needs to be made here of frauds done by collusive merchants who use skimmed/stolen cards on the POS terminals given to them by banks and then abscond with the money before the chargeback is received on the transaction. Many banks do not report such cases, stating that the banks which have issued the cards are the ones impacted. However, in these cases the merchants cause undue loss to the bank by siphoning off the credit provided. Hence such cases should be reported as frauds. | Where there is more than one bank involved, the fraud reporting mechanism can include reporting from both ends with an appropriate mechanism for marking contra. This would help in the identification of lack of reporting by any of the banks, and the responsible official should be penalized. |
| 12 | Also, it has been observed that in a shared ATM network scenario, when the card of one bank is used to perpetrate a fraud through another bank's ATM, there is a lack of clarity on who should report such a fraud. It is the bank acquiring the transaction that should report the fraud. The acquiring bank should solicit the help of the issuing bank in recovery of the money. | Same as above. |
| 13 | In the case of online frauds, since the jurisdiction is not clear, there is ambiguity on where the police complaint should be filed, and customers/banks have to shuttle between different police units on the point of jurisdiction. Cybercrime cells are not present in every part of the country. The matter of having a separate cell working on bank frauds in each state police department, authorised to register complaints from banks and get the investigations done on the same, needs to be taken up with the respective police departments. | In all events of fraud in the banking system, it is the bank which should file a police complaint, with or without the customer also filing a report. This has been the suggestion of the earlier fraud guidelines from RBI and is often not implemented in practice. Any branch manager who fails to file a police complaint in respect of any fraud reported by either a phishing victim or a credit card victim should be penalized. |
| 14 | Customer awareness is one of the pillars of fraud prevention. It has been seen that alert customers have enabled prevention of several frauds and, in the case of frauds which could not be avoided, helped in bringing the culprit to book by raising timely alerts. Banks should thus aim at continuously educating their customers and solicit their participation in various preventive/detective measures. It is the duty of all the groups in banks to create fraud risk awareness amongst their respective customers. | No comments. Specific comments have already been made while discussing the customer education related suggestions under Chapter VIII. |
| 15 | Employee awareness is crucial to fraud prevention. Training on fraud prevention practices should be provided by the fraud risk management group at various forums. | No comments. |
| 16 | A positive way of creating employee awareness is to reward employees who have gone beyond their call of duty and prevented frauds. Awards may be given to employees who have done exemplary work in preventing frauds. Details of employees receiving such awards may be published in the fraud newsletters. | No comments. At the same time, negligence and apathy should be appropriately penalized. |
| 17 | To enhance investigation skills of the staff in the fraud risk management group, a training institute for financial forensic investigation may be set up by banks under the aegis of IBA. | No comments. |
| 18 | The experience of controlling/preventing frauds in banks should be shared between banks on a regular basis. The standing forum provided by the Indian Banks' Association (IBA) can be used to share best practices and further strengthen internal controls at the respective banks. | No comments. Specific suggestions have been made under Chapter VIII. |
| 19 | There should be a general agreement on the process among all banks to refund monies lying in a fraudulent beneficiary's account. | Banks cannot enrich themselves with the residual fraud proceeds. There is no excuse for retaining any part of the money identified as fraud proceeds. Though banks and RBI may not like it, keeping stolen property is always an offence, and such an act will expose the personnel of banks to criminal liability. Hence the procedure should be to check if the complainant is an innocent victim who has suffered a wrongful loss and immediately return the money transferred from his account. The bank should hold the liability on its own account until recovery is made through insurance or from the end fraudster who has used the bank as a conduit for committing the fraud. |
| 20 | There need to be multi-lateral arrangements amongst banks to deal with on-line banking frauds. Presently, it is noticed that there is a lack of such an arrangement amongst banks, and the customer is required to interact with different banks/organizations when more than one bank is involved. IBA could facilitate such a mechanism. | A customer who has suffered a loss has a banker-customer relationship with one bank, which alone should deal with the issue. The customer cannot be expected to run after other banks except when he launches a recovery proceeding against them. Some of the requirements under cyber frauds have a relation with the comments made in detail under the chapter on "Legal issues". RBI cannot give any instruction that is contrary to legally accepted norms and should be wary of suggesting a rigid system when it comes to dealing with the complainant or the law enforcement agencies. This may lead to bank officials committing violations of law under the mistaken impression that their act is sanctioned by or mandated by RBI. In such cases, RBI itself may be exposed to the risk of being held liable for legally untenable procedures. |
| 21 | In each state, a Financial Crime Review Committee needs to be set up on frauds, along the lines of the Security Committee that has been set up by the RBI to review security issues in banks with the law enforcement authorities. The Committee can oversee the creation of awareness by banks among law enforcement agencies on new fraud types, especially technology-based fraud. | No comments. |