
Executive summary

In India, approximately one percent of high and middle-income group banking customers conducted banking on the Internet in 2000, compared to 5 to 6 percent in Singapore and South Korea. In 2001, a Reserve Bank of India survey revealed that more than 20 major banks were either offering e-banking services at various levels or planned to do so in the near future. Some of the private banks included ICICI Bank, HDFC Bank, IndusInd Bank, IDBI Bank, Citibank, Global Trust Bank, Bank of Punjab and UTI Bank. In the same year, out of an estimated 0.9 million Internet user base, approximately 17 percent were reported to be banking on the Internet. The above statistics reveal that India does have a high growth potential for e-banking. The banks have already started focusing on increasing and improving their e-banking services. As a part of this, the banks have begun to collaborate with various utility companies to enable the customers to perform various functions online.

In 2001, over 50 percent of the banks in the US were offering e-banking services. However, large banks appeared to have a clear advantage over small banks in the range of services they offered. Some banks in the US were targeting their Internet strategies towards business customers. Apart from affecting the way customers received banking services, e-banking was expected to influence the banking industry structure. The economics of e-banking was expected to favor large banks because of economies of scale and scope, and the ability to advertise heavily. Moreover, e-banking offered entry and expansion opportunities that small banks traditionally lacked.

Introduction

Electronic banking is an umbrella term for the process by which a customer may perform banking transactions electronically without visiting a brick-and-mortar institution. The following terms all refer to one form or another of electronic banking: personal computer (PC) banking, Internet banking, virtual banking, online banking, home banking, remote electronic banking, and phone banking. PC banking and Internet or online banking are the most frequently used designations. It should be noted, however, that the terms used to describe the various types of electronic banking are often used interchangeably.

Electronic banking is an activity that is not new to banks or their customers. Banks have been providing their services to customers electronically for years through software programs. These software programs allowed the user's personal computer to dial up the bank directly. In the past, however, banks have been very reluctant to provide their customers with banking via the Internet due to security concerns. Today, banks seem to be jumping on the bandwagon of Internet banking. Why is there a sudden increase of bank interest in the Internet? The first major reason is the improved security and encryption methods developed on the Internet. The second reason is that banks did not want to lose a potential market share to banks that were quick to offer their services on the Internet.

Many of the banks like ICICI, HDFC, IndusInd, IDBI, Citibank, Global Trust Bank (GTB), Bank of Punjab and UTI were offering e-banking services. Based on the above statistics and the analysts' comments that India had a high growth potential for e-banking, the players focused on increasing and improving their e-banking services. As a part of this, the banks began to collaborate with various utility companies to enable the customers to perform various functions online.

E-banking is defined as the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels. E-banking includes the systems that enable financial institution customers, individuals or businesses, to access accounts, transact business, or obtain information on financial products and services through a public or private network, including the Internet. Customers access e-banking services using an intelligent electronic device. E-banking was first introduced in India by ICICI around 1996. Thereafter many other banks like HDFC, IndusInd Bank, IDBI, Citibank Trust Banks, UTI, etc. followed with the service. Today private and foreign banks have started capturing the market through e-banking, so the competition is heating up, and a lack of technology can make a bank lose a customer. The public banks are therefore breaking the shackles of the traditional set-up and gearing up to face the competition posed by their private sector counterparts.

The Global E-Banking Scenario

The banking industry is expected to be a leading player in e-business. While the banks in developed countries are working primarily via the Internet as non-branch banks, banks in the developing countries use the Internet as an information delivery tool to improve relationships with customers. In early 2001, approximately 60 percent of e-business in the UK was concentrated in the financial services sector, and with the expected 10-fold increase of the British e-business market by 2004, the share of financial services will further increase. Around one fifth of Finnish and Swedish bank customers are banking online, while in the US, according to UNCTAD, online banking is growing at an annual rate of 60 percent and the number of online accounts is expected to reach 15 million by 2003.

Banks have established an Internet presence with various objectives. Most of them are using the Internet as a new distribution channel. Financial services, with the use of the Internet, may be offered in an equivalent quantity with lower costs to more potential customers. There may be contacts from each corner of the world at any time of day or night. This means that banks may enlarge their market without opening new branches. The banks in the US are using the Web to reach opportunities in three different categories: to market information, to deliver banking products and services, and to improve customer relationships.

In Asia, the major factor restricting growth of e-banking is security, in spite of several countries being well connected via the Internet. Access to high-quality e-banking products is an issue as well. The majority of banks in Asia are just offering basic services compared with those of developed countries. Still, e-banking seems to have a future in Asia. According to a McKinsey survey, e-banking will succeed if the basic features, especially bill payment, are handled well. Bill payment was the most popular feature, cited by 40 percent of respondents of the survey. However, providing this service would be difficult for banks in Asia because it requires a high level of security and involves arranging transactions with a variety of players.

In Europe the Internet is accelerating the reconfiguration of the banking industry into three separate businesses: production, distribution and advice. This reconfiguration is being further driven by the Internet, due to the combined impact of the emergence of new, more focused business models and new technological capabilities that reduce banking relationship and transaction costs.

INDUSTRY PROFILE

The E-Banking Trends

Convergence is one of the clearly visible trends in the banking industry. Here, convergence does not mean offering banking, broking and insurance services under one corporate name through the Internet. It covers different dimensions, including channel delivery, sales culture, back-office processes, and the knowledge management infrastructure, all being integrated via the Internet. Few banks take these different dimensions into consideration. Instead, they view convergence purely as a product-centric development that will enable them to cross-sell products. A strategy that does not go beyond product convergence is bound to have some limitations. For example, imagine a situation where customer service personnel in a so-called "converged" bank are required to answer banking, brokerage, and insurance questions coming through multiple channels including the Internet, branches, call centers, or ATMs. This bank is unlikely to succeed since, though it has expanded the product line, it has not made any effort to broaden the skill sets of the personnel who support these channels.

Effective knowledge management is the key to the e-business success of converged banking institutions. However, this requires a high level of cross-organizational cooperation and information sharing. An effective knowledge management system will vastly improve the institution's ability to know its customers. Robust customer information management systems at the front end, coupled with efficient fulfillment processes, can enable banks to shorten the delivery time of their products and services.

Successful convergence will help them in the development of a seamless supply chain that will be transparent to the customers. Another trend in e-banking is a shift of focus of banks from being product-centric to customer-centric. Access to the Internet has put wealth management decisions and demand-side technology in customers' hands, and they can dictate the types of products and services they require. While the Internet has enabled banks to deliver desired products/services more quickly and inexpensively, the challenge for them is to enhance customer touch using e-channels, which is very important for client retention. To succeed on the Internet, banks must continually differentiate themselves from their competitors, broaden their market and provide value through their products and services. For example, Wells Fargo had shifted 1.4 million of its traditional banking customers online within five years of the development of its transactional website. However, the company had maintained its Internet strategy as a complement to existing channels and had found that its e-banking customers were more than 50 percent less likely to leave the bank than non-Internet customers. The bank continued to enter new alliances and expanded its web offerings to maintain its dominant position.

Finally, developing just a me-too website would not work for banks. Several banks are creating electronic financial communities in which customers assemble to present and pay bills while satisfying other financial and informational needs. By bringing consumers and vendors together at one site, financial institutions can leverage the trust clients have in them and act as the intermediary to ensure billers get paid and consumers get satisfactory services. Last but not least, banks may conduct periodic surveys and take customer views on the simplicity and ease of operation of their websites and other e-banking initiatives.

Indian E-banking Scenario

As per the international report, a banking transaction at a brick-and-mortar branch costs around $1.1, while through an ATM it costs around $0.27, and in the case of Internet banking just 1 percent of the cost of over-the-counter banking. Statistics such as these have woken the Indian banking industry. Thus, the Indian banking system is seeing a fabulous change in the quality of service provided. Technology is the root of this change, which is implemented by the banks to win more business from customers. Almost all the private sector banks are moving towards e-enabling their existing products. HDFC Bank and ICICI Bank have taken a lead in introducing e-banking in India. Internet banking starts from migrating existing products to the net. This started initially with simple functions such as getting information about interest rates, checking account balances and computing loan eligibility.
Then the services were extended to online bill payment, transfer of funds between accounts and cash management services for corporates. Recently, banks started setting up payment gateways for B2B and B2C transactions. This is to facilitate payment for e-commerce transactions by directly debiting bank accounts or through credit cards. Banks can earn a commission-based income on the transaction or sale value, resulting in higher other income. This could be more than the revenues they can generate from credit card transactions.

Private sector banks have leveraged the Internet effectively in taking away customers from public sector banks and have significantly increased their revenue potential. Internet banking is just one manifestation of these banks' technological capabilities. They have complete automation, an electronic customer database, real-time transaction processing capabilities and the latest technological platforms. The management of these banks is very focused on using technology as a key competitive tool. The capability of the management is also visible in terms of their profitability. Among the private sector banks, HDFC Bank and ICICI Bank have excellent returns on equity compared to their peers in the industry.

These banks commenced operations a few years ago and have negligible excess in terms of branches and employees. Therefore, unlike most other banks around the world, e-banking is not an added cost for them. In fact, it is expected to contribute significantly to their revenues and profits in years to come.

Who offers what?

Citibank

See up-to-date account information
View transaction details
View account statement for up to 12 months
Order demand drafts to couriered free to over 200 locations
Order cheque book stop payments
Request a deposit
Pay utility bills
E-mail queries

ICICI Bank

Account information summary of account and transactions
Bills payment
Funds Transfer including third-party transfers
Requests for cheque books, stop payment, account opening,
Reporting loss of ATMs card
Online e-shopping payments
Communication with Account Manager
Personalized viewing of content updates personal finance, select articles on e-commerce,

HDFC Bank

Real-time account information incl. transactions
Transfer money between accounts
Bill payment facility
Third party funds transfer within HDFC bank
Request for Demand Draft/Banker's Cheque
Stop payment requests
Opening fixed-deposit accounts
Sending messages to the bank via e-mail
Cheque-book
Stop payment instructions
Opening a fixed deposit
Opening a recurring deposit
Intimate for the loss of ATM card
Register online for phone and mobile banking
Cheque status
Online application for debit card
Issue a DD or a Banker's cheque from account at special rates. Just select the account to be debited from and give details of the amount, location and beneficiary. The demand draft will be couriered to the a/c holder at their mailing address.
Customers can get their applications for issuance of Letters of Credit and Bank Guarantees processed online
Book your Railways Ticket Online
Demat Account and Share Trading

Demat Account

Demat is the commonly used abbreviation of Dematerialization, which is a process whereby securities like shares and debentures are converted from the material (paper documents) into electronic data and stored in the computer of an electronic Depository. A depository is a security bank, where dematerialized physical securities are held in custody, and from where they can be traded. This facilitates faster, risk-free and low-cost settlement.

Share Trading

In share trading a customer can buy and sell securities online without stepping into a broker's office. Once the share is dematerialized, the trading can be done from home or office. As Demat a/c are directly linked to the customer's bank a/c, there is no need to write a Cheque for the payments or to fill up the slips to deposit the Cheque. The amount for the purchase and sale of securities is automatically debited or credited to their bank a/c. It also brings the same convenience while investing in Mutual funds.

Hassle free and Paperless

ATMs

Automated Teller Machines or 24-hour Tellers are electronic terminals that let you bank almost anytime. To withdraw cash, make deposits, or transfer funds between accounts, you generally insert an ATM card and enter your PIN. Some financial institutions and ATM owners charge a fee, particularly to consumers who don't have accounts with them or on transactions at remote locations. Generally, ATMs must tell you they charge a fee and its amount on or at the terminal screen before you complete the transaction. Check the rules of your institution and the ATMs you use to find out when or whether a fee is charged.

It won't be just if I start explaining what an ATM is. ATMs and cash dispensers are by far the largest investment ever made in electronic self-service by financial institutions. Over US$ 40 billion has been invested in simply buying these machines and many times that in running them. There are now over 1.1 million machines operating in over 140 countries worldwide. The banks are losing the cashier's checks, check cashing and even cash dispensing to the c-stores and grocery stores. They are asleep at the switch and watching more transactions walk away to convenience stores and supermarkets that provide 24-hour access and integrated transactions. ATMs do provide a larger set of functions, such as check cashing, ticket sales or money orders. We already know that cash dispensing as a dedicated function is a sustainable application; the question is whether that application can be incorporated successfully into a more complex consumer product that offers multiple applications.

It is worth noting that, due to market saturation, overall ATM usage is increasing while transaction volume on a per-ATM basis is now in decline.

Cash withdrawal: Withdraw up to Rs.15,000/- per day from your account. Fast cash options provide the facility of withdrawing prefixed amounts. Ultra Fast Cash option allows you to withdraw Rs.3000/- in one shot.
Balance Enquiry: Know your ledger balance and available balance.
Mini Statement: Get a printout of your last 8 transactions and your current balance.
Deposit Cash / Cheques: Available at all full-function ATMs. Customers can deposit both cash and Cheques. Cash deposited in ATMs will be credited to the account on the same day (provided cash is deposited before the clearing) and Cheques are sent for clearing on the next working day.
Funds Transfer: Transfer funds from one account to another linked account in the same branch.
PIN Changes: Change the Personal Identification Number (PIN) of ATM or Debit card.
Payments: The latest feature of our ATMs, this functionality can be used for payment of bills, making donations to temples / trusts, buying internet packs, airtime recharges for prepaid mobile phones and much more.
Others: Request a checkbook from our ATMs and our concerned branch will dispatch it such that it reaches you within 10 working days.

ATM Advantages

24-hour access to cash

E-money

E-money may be broadly defined as an electronic store of monetary value on a technical device used for making payments to undertakings other than the issuer without necessarily involving bank accounts in the transaction, but acting as a prepaid bearer instrument (European Central Bank, 1998). These products could be classified into two broad categories, viz. A) Pre-paid stored value card (sometimes called electronic purse) and B) Pre-paid software-based product that uses computer networks such as the Internet (sometimes referred to as digital cash or network money). The stored value card scheme typically uses a microprocessor chip embedded in a plastic card, while the software-based scheme typically uses specialized software installed in a personal computer.

The stored value card could be of three types: single-purpose card, closed-system or limited-purpose card, and general-purpose or multi-purpose card. The single-purpose card, generally with a magnetic chip recording the amount of funds therein, is designed to facilitate only one type of transaction, e.g. telephone calls, public transportation, laundry, parking facilities, etc. Here, the distinguishing point is that the issuer and the service provider (acceptor) are identical for the cards. These cards are expected to substitute coins and currency notes. It is important to note that the European Central Bank (ECB) has exempted these single-purpose pre-paid cards from the purview of their policy initiatives on e-money because of their smaller denominations as well as limited risk exposure for customers and the financial system as a whole. The closed-system or limited-purpose cards are generally used in a small number of well-identified points of sale within a well-identified location such as a corporate/university campus. The ECB has recommended that these cards be subject to lighter regulations and be issued by credit institutions. The multipurpose card, on the other hand, can perform a variety of functions with several vendors, viz. credit card, debit card, stored value card, identification card, repository of these cards with respect to regulatory oversight, restrictions on issuers and their implications or monetary policy. These cards may reduce demand for current accounts in the bank for likely reduction in transaction costs, and prudent portfolio management.

Phone Banking

Your bank account is now just a phone call away. Through Phone Banking you can:

Check your account balance.
Check the last 5 transactions in your account.
Enquire on the Cheque status.
Have a mini statement faxed across to you.
Request a Cheque book / Account statement.
Enquire on your fixed deposits / TDS.
Open a fixed deposit.
Request a Demand Draft / Manager's Cheque.
Transfer funds amongst your linked accounts.
Pay utility and HDFC Bank Credit Card bills.
Do a stop Cheque payment.
Report loss of your ATM / Debit Card.
Product information.
Enquire on the interest / Exchange rates.

Phone banking facility is available round the clock, every day, in Mumbai, Delhi, Chennai, Kolkata, Bangalore, Hyderabad, Ahmadabad, Chandigarh and Pune.

E-age Advantages

Security

When you use the Phone Banking facilities, your transactions are completely secure. When you open an account with us, you are given a unique Telephone Identification Number (TIN), which is completely confidential.

Choose your language

You can choose between English and Hindi for guidance through the Interactive Voice Response (IVR) menu of services at the time of calling the bank.

Account details/balance enquiry

Get up-to-the-second details of your Savings or Current Accounts and your Fixed Deposits. Get details of the last five transactions (on the IVR), which would be read out to you at the touch of a button. What's more, you can even have a mini account statement of the last 9 transactions faxed to you.

Cheque book / account statement requests

Register a request for a statement of accounts for the current period through the IVR and the same will be mailed to you on the next working day.

Stop payment requests

Stop payment of a cheque, 24 hours a day. You have the facility to stop a single cheque or a series of cheques.

Fixed Deposits

You can easily open a Fixed Deposit over the phone by simply authorizing a transfer of funds from your Savings Account. The deposits can be opened in the names of the account holders in the funding account. You may also book the Fixed Deposit in your name alone and maintain a sweep-in facility. You can also enquire about the details

- Restrict employees' administrative access to ensure that the internal controls limiting their capabilities to originate, modify, or delete bill payment transactions are at least as strong as those applicable to the underlying retail payment system ultimately transmitting the transaction.
- Restrict by vendor contract and identify the use of any subcontractors associated with the bill payment application to ensure adequate oversight of underlying bill payment system performance and availability.
- Evaluate the adequacy of authentication methods given the higher risk associated with funds transfer capabilities rather than with basic account access.

Organizations that use third-party software to host a bill payment application internally.
- Determine the extent of any independent assessments or certification of the security of application source code.
- Ensure software is adequately tested prior to installation on the live system.
- Ensure vendor access for software maintenance is controlled and monitored.

Organizations that develop, maintain, and host their own bill payment system.

Organizations can offer bill payment as a stand-alone service or in combination with bill presentment. Bill presentment arrangements permit a business to submit a customer's bill in electronic form to the customer's organization. Customers can view their bills by clicking on links on their account's e-banking screen or menu. After viewing a bill, the customer can initiate bill payment instructions or elect to pay the bill through a different payment channel. In addition, some businesses have begun offering electronic bill presentment directly from their own websites rather than through links on the e-banking screens of an organization. Under such arrangements, customers can log on to the business's website to view their periodic bills. Then, if so desired, they can electronically authorize the business to take the payment from their account. The payment then occurs as an ACH debit originated by the business's organization, as compared to the ACH credit originated by the customer's organization in the bill payment scenario described above. Organizations should ensure proper approval of businesses allowed to use ACH payment technology to initiate payments from customer accounts.

Cash management applications would include the same control considerations described above, but the organization should consider additional controls because of the higher risk associated with commercial transactions. The adequacy of authentication methods becomes a higher priority and requires greater assurance due to the larger average dollar size of transactions. Institutions should also establish additional controls to ensure binding agreements consistent with any existing ACH or wire transfer agreements exist with commercial customers. Additionally, cash management systems should provide adequate security administration capabilities to enable the business owners to restrict access rights and dollar limits associated with multiple-user access to their accounts.

Person-to-Person Payments

Electronic person-to-person payments, also known as e-mail money, permit consumers to send money to any person or business with an e-mail address. Under this scenario, a consumer electronically instructs the person-to-person payment service to transfer funds to another individual. The payment service then sends an e-mail notifying the individual that the funds are available and informs him or her of the methods available to access the funds, including requesting a check, transferring the funds to an account at an insured financial institution, or retransmitting the funds to someone else. Person-to-person payments are typically funded by credit card charges or by an ACH transfer from the consumer's account at a financial institution. Since neither the payee nor the payer in the transaction has to have an account with the payment service, such services may be offered by an insured financial institution, but are frequently offered by other businesses as well.

Some of the risk issues examiners should consider when reviewing bill payment, presentment, and e-mail money services include:
- Potential liability for late payments due to service disruptions,
- Liability for bill payment instructions originating from someone other than the deposit account holder,
- Losses from person-to-person payments funded by transfers from credit cards or deposit accounts over which the payee does not have signature authority,
- Losses from employee misappropriation of funds held pending access instructions from the payer,
- Potential liability for directing payment availability information to the wrong e-mail or for releasing funds in response to e-mail from someone other than the intended payee.

In India, too, i-banking has taken root. A number of banks have set up banking portals allowing their customers to access facilities like obtaining information, querying on their accounts, etc. Soon, still higher levels of online services will be made available. Other banks will, sooner rather than later, take to Internet banking. Against the above background, the Reserve Bank of India constituted a Working Group to examine different issues relating to i-banking and recommend technology, security, legal standards and operational standards keeping in view the international best practices. The Group is headed by the Chief General Manager-in-Charge of the Department of Information Technology and comprised experts from the fields of banking regulation and supervision, commercial banking, law and technology. The Bank also constituted an Operational Group under its Executive Director comprising officers from different disciplines in the bank, who would guide implementation of the recommendations.

The Working Group, as its terms of reference, was to examine different aspects of Internet banking from a regulatory and supervisory perspective and recommend appropriate standards for adoption in India, particularly with reference to the following:

1. Risks to the organization and banking system associated with Internet banking, and methods of adopting international best practices for managing such risks.
2. Identifying gaps in the supervisory and legal framework with reference to the existing banking and financial regulations, IT regulations, tax laws, depositor protection, consumer protection, criminal laws, money laundering and other cross-border issues, and suggesting improvements in them.
3. Identifying international best practices on operational and internal control issues, and suggesting suitable ways for adopting the same in India.
4. Recommending minimum technology and security standards, in conformity with international standards and addressing issues like system vulnerability, digital signature, information system audit, etc.
5. Clearing and settlement arrangements for electronic banking and electronic money transfer; linkages between i-banking and e-commerce.
6. Any other matter which the Working Group may think of relevance to Internet banking in India.

The first meeting of the Working Group was held on July 19, 2000. The Group held that i-banking did not mean any basic change in the nature of banking and the associated risks and returns. All the same, being a public domain and a highly cost-effective delivery channel, it does impact both the dimension and magnitude of traditional banking risks. In fact, it adds new kinds of risk to banking. Some of the concerns of the Regulatory Authority in i-banking relate to technology standards, including the level of security, and uncertainties of legal jurisdiction, etc. Its cost-effective character provides opportunities for efficient delivery of banking services and higher profitability, and a threat to those who fail to harness it. The Group decided to focus on the above three major areas, where supervisory attention was needed. Accordingly, three sub-groups were formed for looking into three specific areas: i. technology and security aspects, ii. legal aspects and iii. regulatory and supervisory issues. The Working Group had a number of deliberations.

The views of the Group were crystallized in its report, which covers the following by way of its contents:

i. The basic structure of the Internet and its characteristics.
ii. International experience in i-banking, particularly with reference to USA, United Kingdom and other Scandinavian countries, who are pioneers in this form of banking.
iii. The Indian scenario with reference to i-banking.
iv. Different types of risks associated with banking in general and i-banking in particular. Emphasis is given to normal risks associated with banking which get accentuated when the services are delivered through the Internet. Risks relating to money laundering and other cross-border transactions are discussed.
v. Technology and security standards are discussed with emphasis on policy issues rather than on products and technical tools.
vi. The legal environment in which i-banking transactions are carried out is an important regulatory concern. The group has identified gaps in the existing framework and has suggested the changes required.
vii. Operational aspects like internal control, early detection systems, IT audit, technical manpower, etc. are also discussed, along with the impact of i-banking on clearing and settlement arrangements.
viii. The specific recommendations of the group were given at the end of the report.

The report is thus a comprehensive document covering all aspects/considerations that should govern successful delivery of banking services through the Internet. The broad submissions of the working group on the above listed items and its recommendations are given in the following articles.

Risk management of wireless-based technology solutions, although similar to other electronic delivery channels, may involve unique challenges created by the current state of wireless services and wireless devices. Some of these special considerations are discussed below.

Message Encryption

Encryption of wireless banking activities is essential because wireless communications can be recorded and replayed to obtain information. Encryption of wireless communications can occur in the banking application, as part of the data transmission process, or both. Transactions encrypted in the banking application (e.g., bank-developed for a PDA) remain encrypted until decrypted at the institution. This level of encryption is unaffected by the data transmission encryption process. However, banking application-level encryption typically requires customers to load the banking application and its encryption/decryption protocols on their wireless device. Since not all wireless devices provide application-loading capabilities, requiring application-level encryption may limit the number of customers who can use wireless services.

Wireless encryption that occurs as part of the data transmission process is based upon the device's operating system. A key risk-management control point in wireless banking occurs at the wireless gateway server, where a transaction is converted from a wireless standard to a secure socket layer (SSL) encryption standard and vice versa. Wireless network security reviews should focus on how institutions establish, maintain, and test the security of systems throughout the transmission process, from the wireless device to the institution's systems and back again.

For example, a known wireless security vulnerability exists when the Wireless Application Protocol (WAP) transmission encryption process is used. WAP transmissions deliver content to the wireless gateway server, where the data is decrypted from WAP encryption and re-encrypted for Internet delivery. This is often called the gap-in-WAP (e.g., wireless transport layer security (TLS) to Internet-based TLS). This brief instant of decryption increases risk and becomes an important control point, as the transaction may be viewable in plain text (unless encryption also occurred in the application layer). The WAP Forum, a group that oversees WAP protocols and standards, is discussing ways to reduce or eliminate the gap.
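The gap described above can be modelled in a few lines. This added example (not part of the original document) uses a toy SHA-256 keystream with an HMAC tag as a stand-in for both the transport encryption on each hop and the bank application's own encryption; the class names, keys and sample transfer message are assumptions made for illustration.

```python
import hashlib
import hmac
import os

TRANSFER = b"TRANSFER acct=000111 to=000222 amount=500"  # constructed sample


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC (illustration only): nonce || ciphertext || tag."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on any tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Gateway:
    """Wireless gateway: ends the wireless-hop encryption, starts the Internet hop."""

    def __init__(self, wireless_key: bytes, internet_key: bytes):
        self.wireless_key, self.internet_key = wireless_key, internet_key
        self.seen = []  # whatever is visible inside the gateway between the hops

    def relay(self, blob: bytes) -> bytes:
        inner = unseal(self.wireless_key, blob)  # the gap: transport layer is off
        self.seen.append(inner)
        return seal(self.internet_key, inner)


class Bank:
    def __init__(self, internet_key: bytes, app_key: bytes):
        self.internet_key, self.app_key = internet_key, app_key
        self.used_nonces = set()

    def receive(self, blob: bytes, app_layer: bool) -> bytes:
        payload = unseal(self.internet_key, blob)
        if not app_layer:
            return payload
        # Application-level replay check: a recorded transaction that is
        # resubmitted later carries a nonce the bank has already accepted.
        if payload[:16] in self.used_nonces:
            raise ValueError("replayed transaction")
        message = unseal(self.app_key, payload)
        self.used_nonces.add(payload[:16])
        return message


def demo(app_layer: bool):
    """Return (what the gateway saw, what the bank got, whether a replay was refused)."""
    wireless_key, internet_key, app_key = (os.urandom(32) for _ in range(3))
    gateway, bank = Gateway(wireless_key, internet_key), Bank(internet_key, app_key)
    payload = seal(app_key, TRANSFER) if app_layer else TRANSFER
    over_the_air = seal(wireless_key, payload)
    delivered = bank.receive(gateway.relay(over_the_air), app_layer)
    try:
        bank.receive(gateway.relay(over_the_air), app_layer)  # recorded copy resent
        replay_refused = False
    except ValueError:
        replay_refused = True
    return gateway.seen[0], delivered, replay_refused


if __name__ == "__main__":
    for mode in (False, True):
        seen, delivered, refused = demo(mode)
        print("app layer:", mode, "| gateway sees plaintext:", seen == TRANSFER,
              "| replay refused:", refused)
```

With transport encryption only, the gateway holds the transfer in the clear; with the application layer added, it holds only ciphertext and the bank refuses the resubmitted copy.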

WAP security risk. Organizations must ensure effective controls are in place to reduce security vulnerabilities and protect data being transmitted and stored. Under the GLBA guidelines, organizations considering implementing wireless services are required to ensure that their information security program adequately safeguards customer information.

Password Security

Wireless banking increases the potential for unauthorized use due to the limited availability of authentication controls on wireless devices and the higher likelihood that the device may be lost or stolen. Authentication solutions for wireless devices are currently limited to username and password combinations that may be entered and stored in clear text view (i.e., not viewed as asterisks ****). This creates the risk that authentication credentials can be easily observed or recalled from a device's stored memory for unauthorized use. Cellular phones also have more challenging methods to enter alphanumeric passwords. Customers need to depress telephone keys multiple times to have the right character displayed. This process is complicated if a phone does display password entries as asterisks, as the user may not be certain that the correct password is entered. This challenge may result in users selecting passwords and personal identification numbers that are simple to enter and easy to guess.

Standards and Interoperability

The wireless device manufacturers and content and application providers are working on common standards so that devices and operating systems function seamlessly. Standards can play an integral role in providing a uniform entry point to legacy transaction systems. A standard interface would allow institutions to add and configure interfaces, such as wireless delivery, without having to modify or re-write core systems. Interoperability is a critical component of mobile wireless because there are multiple device formats and communication standards that can vary the user's experience.

Wireless Vendors

Organizations typically rely on third-party providers to develop and deliver wireless banking applications. Reliance on third parties is often necessary to gain wireless expertise and to keep up with technology advancements and evolving standards. Third-party providers of wireless banking applications include existing Internet banking application providers as well as new service providers specializing in wireless communications. These companies facilitate the transmission of data from the wireless device to the Internet banking application. Outsourced services may also include emanating product and service delivery to multiple types of devices using multiple communication standards. Institutions that rely on service providers to provide wireless delivery systems should ensure that they employ effective risk management practices.

Product and Service Availability

Wireless communication "dead zones" (geographic locations where users cannot access wireless systems) expose institutions and service providers to reliability and availability problems in some parts of the world. For some areas, the communications dead zones may make wireless banking an unreliable delivery system. Consequently, some customers may view the institution as responsible for unreliable wireless banking services provided by third parties. A financial institution's role in delivering wireless banking includes developing ways to receive and process wireless device requests. Institutions may find it beneficial to inform wireless banking customers that they may encounter telecommunication difficulties that will not allow them to use the wireless banking products and services.

Disclosures and Message Limitations

The screen size of wireless devices and slow communication speeds may limit a financial institution's ability to deliver meaningful disclosures to customers. However, use of a wireless delivery system does not absolve a financial institution from disclosure requirements. Moreover, limitations on the ability of wireless devices to store documents may affect the institution's consumer compliance disclosure obligations. Additionally, any institution that opts to rely upon voice recognition technology as a means to overcome the difficulty of entering data through small wireless devices should be aware of the uncertain status of voice recognition under the E-SIGN Act. Wireless banking may expose institutions to liability under the Electronic Fund Transfer Act (Regulation E) for unauthorized activities if devices are lost or stolen. The risk exposure is a function of the products, services, and capabilities the institution provides through wireless devices to its customers. For example, the loss of a wireless device with a stored access code for conducting electronic fund transfers would be similar to losing an ATM or debit card with a personal identification number written on it. However, the risk to the institution may be greater depending on the types of wireless banking services offered (e.g., bill pay, person-to-person payments) and on the authentication process used to access wireless banking services.

M-Banking

A mobile phone equipped with a Smart SIM card can also act as a bank. The Smart SIM card is an upgrade of the regular SIM card, the basic form of identification belonging to each mobile telecommunications user. The new card adds a new option, named MOBITEL, to the existing menu, which enables even friendlier access to numerous Mobitel GSM services. The M-Banking menu includes all the basic banking services:

- insight into the balance on the user's bank account, either personal or one for which the user is authorized;
- insight into transactions made to and from the bank account;
- insight into transactions performed via mobile phone;
- payments of bills and money orders;
- intrabank transactions;
- limit alarms at violations of the account's limits;
- requesting an increased bank account limit;
- depositing resources for a longer period.

Introduction

The next step in automation that IT has provided is giving the user access to his most common tasks from his mobile phone. Theoretically, everything that a desktop PC can perform today can be accomplished with a combination of mobile phones and handheld devices. But issues like device incompatibility, affordability, security, etc. mar this theory. Another issue that comes up is that making an existing application mobile-enabled is a money- and resource-intensive operation. A company that has already spent a lot of money and resources getting its operations automated, net-enabled or computerized is hesitant to invest again.

Advantages

- To provide a solution that allows the client's users to receive useful information efficiently through a mobile cellular device.
- Scalability of new services that the client wants to offer his users. By means of this proposal, the client acquires not only a mail solution but also a prepared infrastructure for "one to one" marketing with his users.
- To implement better and more fluid communication between the client and his users, who will be able to access information quickly, simply and safely.
- To provide a new scheme of access to information through cutting-edge technology, which will serve to give the client a more modern image and to offer a better service to its users.

The SMS system will allow information to be sent to a wide variety of clients, providing added value. Here are some typical cases of sending and receiving information:

Business implementation: implemented in retail and corporate banking as well as insurance.

Retail banking services: savings account balance enquiry, savings account last 5 transactions, cheque book request, utility payment, inter-account transfer.

Corporate banking services: current account balance enquiry, current account last 5 transactions, cheque book request, inter-account transfer.

Credit cards: due payment enquiry, due date, minimum payment due, and last date for the payment.

Banking notifications: bank notification to customers for payment of credit cards, bank notification to customers for new products.

Loans/Mortgages: receipt of automatic messages (n) days in advance with details of the loan or mortgage.

Credit card: receipt of automatic messages (n) days before the instalment falls due. Details about the balance available on the credit card.

History: details of the last 5 transactions.

Banks have to be creative in rethinking organizational structures and management processes. Traditional banks that are conservative in nature may find it difficult to attract and retain online talent. Moreover, getting people in the traditional business to help build an e-enterprise would not be an easy task. Making all this happen requires a major revision of incentive systems, planning and budgeting processes, and management roles. Banks can exploit the opportunities provided by the Internet if they demonstrate courage, use their imagination, and take decisive action.

While most of the banks have started focusing on e-banking activities, a new challenge in the form of mobile banking has emerged. M-Banking is both an additional opportunity for banks to offer their online services and an additional channel from which to access new customers and cross-sell to existing customers. Rapidly changing lifestyles of customers and their demand for more speed and convenience have subdued the role of branch banking to a certain extent. With the proliferation of new technologies, disintermediation of traditional channels is being witnessed. Banks can go beyond their traditional role as a channel for banking/financial services and can become providers of personalized information. They can successfully leverage m-banking to:

- Provide personalized products and services to specific customers and thus increase customer loyalty.
- Exploit additional sources of revenue from subscriptions, transactions and third-party referrals.

Banking gives banks the opportunity to significantly expand their customer relationships, provided they position themselves effectively. To leverage these opportunities, they must form structured alliances with service affiliates, and acquire competitive advantage in collecting, processing and deploying customer information.

Online Banking

It has always relied on technology to increase the convenience for customers. Internet banking offers customers unparalleled flexibility, time saving and a lower cost of operations. BOP has named this channel "Online ebanking". When a customer registers for the online banking facility, he is provided with a username and password to log on. After logging in to ebanking, the customer can avail of the following services:

Service and description:

- Funds Transfer: The funds transfer facility allows you to transfer funds from one account to another within the same customer ID (i.e. within the same branch).
- New FD/RD Request: Submit your request online for a Fixed Deposit or a Recurring Deposit, which will be stored with the bank. Your branch will process the request within 24 hours and you can know the status of your request by contacting your branch.
- Bill Payment: Available to all customers who are registered for Online Banking. Through epay customers can receive, review and pay their bills online. epay is based on EBPP, which is Electronic Bill Presentment and Payment.
- Demand Draft/Pay Order: Submit your request online for a Demand Draft, which will be stored with the bank. Your branch will process the request within 24 hours and you can know the status of your request by contacting your branch.
- Pay Order Request: Submit your request online for a Pay Order, which will be stored with the bank. Your branch will process the request within 24 hours and you can know the status of your request by contacting your branch.
- Flexi FD Details: View the details of your flexi FD online.
- TDS Inquiry: View your Tax Deducted at Source details for your deposit accounts.
- Link to Flexi: Submit your request online for linking your FD with a Flexi FD, which will be stored with the bank. Your branch will process the request within 24 hours and you can know the status of your request by contacting your branch.
- Pending Request: View the requests which you have made and are still pending to be processed; you can also cancel a request made earlier.
- Cheque Book Request: Submit your request online for a Cheque Book, which will be stored in the bank's database. Your branch will process the request within 24 hours and you can collect your Cheque Book from your branch, through courier or at your registered address with the Bank.
- Account Summary: View the summary of balance in your account; click on A/c Details to view details of your highlighted account.
- Account Details: View the detailed description of your account, based on three criteria: month range, date range, and all the transactions. A printout can also be taken.
- Standing Instructions: Submit your request electronically for Standing Instructions.

Financial Portals

A transformation is taking place within the finance sector. At the customer service level, the financial industry is converging. At the operational level, banks are concentrating on their own core competency, aggregating and personalizing both their own services and the services of their external providers. At present, each individual bank's competitive advantage is built not only on superior internal performance, but also on superior external networking and partnerships. As this transformation continues, many banks and other similar organisations around the world are facing this very same problem: there is no unified view of the whole financial environment. A personalized financial portal can give a bank the opportunity to provide customized windows to its suppliers, staff, customers and partners uniformly, thus allowing them all to see the total picture of their current financial situation simultaneously. Portals are particularly important now, at a time when many organisations are re-evaluating their business strategies, as they can deliver information anytime, anywhere and on any device, accurately, effectively and profitably. Explicitly, the right financial portal will be a bank's most valuable tool in meeting these

Without question, within this constantly changing and transforming market environment, technology will enable a bank to best implement its business focus. Simply stated, technology will offer a bank both a cost-effective and flexible way to carry out its proposed changes. With this in mind, the ability to combine a deep understanding of a customer's business with solid expertise in information technology, creating scores of competitive high-value-added, service-and-solution products.
Finance Portal is an excellent example of a core competence solution, where in-depth financial business understanding has been joined to modern component technology.

(Financial Portal)

The versatility of the Finance Portal allows the customer to personalize the content of each feature. And if a customer's interests change, the Finance Portal can promptly and seamlessly both update and harmonise each feature to match. What's more, by using the Finance Portal, a bank can offer personalised online services to both its corporate and retail customers. Even if it comes from multiple sources, the Finance Portal solution can aggregate your customers' financial information and transactions into a personalised portal. Conveniently, the portal can be accessed with various terminal devices whenever the end user wants by using a secured connection.

Multi-Bank Support: The Finance Portal integration layer can amalgamate several core financial applications so as to provide the user with information and services from various banking and insurance back-end applications.

Content Management System Integration: The Finance Portal can have access to the bank's content management system, which allows the user to monitor the recurring subject matter that these organisations normally generate. Content is retrieved from the content management system based on set personalisation and customization parameters, and the user's profile. The content management system can contain formatted content for all supported device types and languages.

Service and Information Providers: Third-party e-commerce services, such as electronic invoices (eInvoice) and electronic salary statements (salary), can be integrated into the Finance Portal. Additional information about rates and news from other sources, for example Reuters, can also be included, as well as targeted offers for customers.

The Finance Portal supports the development of completely new business services where the business logic may be placed in the portal layer and the core financial applications of the bank are needed only for retrieving information about customers' financial matters.

Accounts
- Accounts summary
- Account details and transactions
- Single transaction information
- Default account settings
- Personal account sets for corporate users
- Real-time balances of group and single accounts
- Group account structures
- Currency exchange services

Payments
- Payments summary
- Internal transfers
- Domestic payments
- Foreign payments
- Intra-group payments
- File transfers
- Due payments and transfers
- Unconfirmed payments
- Payment confirmation
- Rejected payments and transfers
- Payment history
- Beneficiary register management

Cards
- Cards summary
- Card details and transactions
- New PIN codes
- Security limits

Agreement and Authorisation Management
- eService agreements
- Agreement history
- Agreement users and authorisation

Technical services
- Authentication services. Various authentication mechanisms can be easily plugged into the portal. For example, supported authentication mechanisms can be one-time passwords and PKI solutions.
- Authorisation services that contain the user's permissions to access business and chargeable services.
- System configuration and management services, including the configuration data service and administration services.
- Easy-to-use tools for software developers.

In addition to financial and technical provisions, the portal presents a number of value-added services:

- Various portal services, such as menu, shortcuts and content management system based help functionality.
- Two-way CRM integration and user profile handling. The Finance Portal user's profile is a collection of user-related data, which can be used within the portal per portal user profile.
- Communication services, such as secure mail and push services (alerts).
- Campaign management to control the display of advertisements in the portal.
- Content management system integration, allowing different types of content to be shown in the portal either on a general basis or based on set rules that are evaluated against the user's profile.
- Third-party search engine integration, which provides users with content management system search functionality.
- Web application integration providing single sign-on for both internal and external web applications.

Personalisation and customization

Based on the Finance Portal's user profile attributes and values, the fundamental part of the Finance Portal solution is its range of personalisation and customization capabilities. Personalisation refers to the bank personalising such essential details as the interface layout and content based on the user's characteristics. More specifically, the rules of this personalisation cover both portal functionality and data handling. These rules include:

- Available services and their details
- User interface flow
- User interface layout
- Portal menus
- Help menus
- Campaigns and targeted offers
- Other content

Customization refers to the users themselves customizing each of the above-mentioned rules based on the options given to them by the bank.

E-Banking: Key Issues and Solutions

Risk management in banks

In spite of several benefits of the Internet in the banking industry, it may prove to be a double-edged sword. For instance, banks may gain revenue advantages on the retail side by charging for services such as EBPP and may improve cross-selling of products. But on the other hand, the effect of the Internet on the commercial side of the bank is negative. Cash managers are worried about potential revenue decreases as the processing of paper bills declines and third parties attract customers to competing services. There are fears that the Internet is the first step on a downward spiral in commercial banking that begins with losses in cash management and lockbox services and ends with banks being excluded from the payments loop. As EBPP becomes more popular, checks and check-processing fees, a major source of bank revenues, will decline. Banks will be left to handle settlements, which have low margins, and will be less equipped to offer newer and potentially more profitable services. Moreover, the Internet poses a range of risks and threats. Some of them are:

Security risk, which may arise due to unauthorized access to a bank's key information, such as its accounting system, risk management system and portfolio management system. A breach of security could result in direct financial loss to the bank. In addition to external attacks, banks are exposed to security risk from internal sources, e.g. employee fraud. Employees can acquire the authentication data in order to access customer accounts, causing losses to the bank.

Operational risks, which may arise due to inaccurate processing of transactions, non-enforceability of contracts, compromises in data integrity, data privacy and confidentiality, unauthorized access or intrusion to the bank's systems and transactions, etc. These risks may arise due to weaknesses in the design, implementation and monitoring of banks' information systems, inadequate technology, negligence by customers and employees, and fraudulent activity by employees and hackers. Banks face the risk of a wrong choice of technology, improper system design and inadequate control processes. Technology which is outdated, not scalable or not proven may lead to loss of the bank's investment and risk its business. Many banks rely on outside service providers to implement, operate and maintain their e-banking systems since they do not have the requisite expertise. However, this adds to the operational risk.

Legal risk arises when violation of laws, rules and regulations or prescribed practices takes place, or when the legal rights and obligations of parties to a transaction are not well established. These risks may also arise due to uncertainty about the validity of some agreements formed via electronic media, and about the law regarding customer disclosures and privacy protection. E-banking extends the geographic reach of banks and customers beyond national borders, which may lead to cross-border risks. This involves legal and regulatory risks, as there may be uncertainty about legal requirements in some countries and jurisdiction ambiguities with respect to the responsibilities of different national authorities. Such considerations may expose banks to legal risks associated with non-compliance with different national laws and regulations. Cross-border transactions also involve credit risk, since it is difficult to appraise an application for a loan from a customer in another country. Banks accepting foreign currencies in payment for electronic money may be subjected to market risk because of movements in foreign exchange rates.

The risk of unauthorized data alteration is real in an e-banking environment, both when data is being transmitted and when it is stored. Proper access control and technological tools to ensure data integrity are of utmost importance to banks. Banks' systems must be technologically equipped to handle these risks.

Reputational risk is the risk of getting significant negative public opinion, which may result in loss of funding or customers. The main reasons for this risk may be a system or product not working to the expectations of the customers, system deficiencies, security breaches, inadequate information to customers about product use and problem resolution procedures, and problems with communication networks that impair customers' access to their funds or account information. This may cause the customer to discontinue the use of the product or service.

As e-banking transactions are conducted remotely, banks may find it difficult to apply traditional methods for detecting and preventing undesirable criminal activities, which may lead to money laundering risk. Application of money laundering rules may also be inappropriate for some forms of electronic payments. This may result in legal problems for non-compliance with "know your customer" laws.

Several banks' IT infrastructure and applications are being exposed to system outages and cyber-attacks. In 2000, Barclays, one of Britain's biggest online banks, was forced to shut down its website as customers were able to access each other's accounts. In Norway, a hacker led to a major software problem on the website of a leading national bank. These cyber-crimes demand global solutions. Though some progress has been made in this direction, a lot remains to be done. For example, the Bank for International Settlements has constituted a committee involving representatives of national regulators and supervisors, which closely examines the security and reliability of electronic money. It has called for the development of prudent risk management for e-money activities and stronger cooperation with banks to identify good practices and standards. The International Association of Insurance Supervisors (IAIS), the International Organization of Securities Commissions (IOSCO) and the European Commission have started similar initiatives.

Banks, international organizations, governments and financial institutions have to work together to manage all the risks mentioned above. It is critical that partnerships continue to enhance consumer trust in e-banking. Banks conducting business online have to consider security and reliability as their first business priority for customer retention.

RISK MANAGEMENT OF E-BANKING Activities As noted in the prior section, e-banking has unique characteristics that may increase an institutions overall risk profile and the level of risks associated with traditional financial services, particularly strategic, operational, legal, and reputation risks. These uniqueebanking characteristics include .. Speed of technological change, .. Changing customer expectations, .. Increased visibility of publicly accessible networks (e.g., the Internet), .. Less face-to-face interaction with financial institution customers, .. Need to integrate e-banking with the institutions legacy computer systems, .. Dependence on third parties for necessary technical expertise, and .. Proliferation of threats and vulnerabilities in publicly accessible networks. Management should review each of the processes discussed in this section to adapt and expand the institutions risk management practices as necessary to address the risks posed by e-banking activities. While these processes mirror those discussed in other booklets of the IT Handbook, they are discussed below from an e-banking perspective. For more detailed information on each of these processes. Board and Management Over site The board of directors and senior management are responsible for developing the institutions ebanking business strategy, which should include .. The rationale and strategy for offering e-banking services includinginformational, transactional, or e-commerce support; .. A cost-benefit analysis, risk assessment, and due diligence process for evaluating e-banking processing alternatives including third- party providers; .. Goals and expectations that management can use to measure the e-bankingstrategys effectiveness; and

• Accountability for the development and maintenance of risk management policies and controls to manage e-banking risks and for the audit of e-banking activities.

E-Banking Strategy

Financial institution management should choose the level of e-banking services provided to various customer segments based on customer needs and the institution's risk assessment considerations. Institutions should reach this decision through a board-approved e-banking strategy that considers factors such as customer demand, competition, expertise, implementation expense, maintenance costs, and capital support. Some institutions may choose not to provide e-banking services or to limit e-banking services to an informational website. Financial institutions should periodically reevaluate this decision to ensure it remains appropriate for the institution's overall business strategy. Institutions may define success in many ways including growth in market share, expanding customer relationships, expense reduction, or new revenue generation.

If the financial institution determines that a transactional website is appropriate, the next decision is the range of products and services to make available electronically to its customers. To deliver those products and services, the financial institution may have more than one website or multiple pages within a website for various business lines.

Cost-Benefit Analysis and Assessment

Financial institutions should base any decision to implement e-banking products and services on a thorough analysis of the costs and benefits associated with such action. Some of the reasons institutions offer e-banking services include

• Lower operating costs,
• Greater geographic diversification,
• Improved or sustained competitive position,
• Increased customer demand for services, and
• New revenue opportunities.

The individuals conducting the cost-benefit analysis should clearly understand the risks associated with e-banking so that cost considerations fully incorporate appropriate risk mitigation controls. Without such expertise, the cost-benefit analyses will most likely underestimate the time and resources needed to properly oversee e-banking activities, particularly the level of technical expertise needed to provide competent oversight of in-house or outsourced activities. In addition to the obvious costs for personnel, hardware, software, and communications, the analysis should also consider

• Changes to the institution's policies, procedures, and practices;
• The impact on processing controls for legacy systems;
• The appropriate networking architecture, security expertise, and software tools to maintain system availability and to protect and respond to unauthorized access attempts;
• The skilled staff necessary to support and market e-banking services during expanded hours and over a wider geographic area, including possible expanded market and cross-border activity;
• The additional expertise and MIS needed to oversee e-banking vendors or technology service providers;
• The higher level of legal, compliance, and audit expertise needed to support technology-dependent services;
• Expanded MIS to monitor e-banking security, usage, and profitability and to measure the success of the institution's e-banking strategy;
• Cost of insurance coverage for e-banking activities;
• Potential revenues under different pricing scenarios;
• Potential losses due to fraud; and
• Opportunity costs associated with allocating capital to e-banking efforts.

• Scope and coverage, including the entire e-banking process as applicable (i.e., network configuration and security, interfaces to legacy systems, regulatory compliance, internal controls, and support activities performed by third-party providers);
• Personnel with sufficient technical expertise to evaluate security threats and controls in an open network (i.e., the Internet); and
• Independent individuals or companies conducting the audits without conflicting e-banking or network security roles.

Managing Outsourcing Relationships

The board and senior management must provide effective oversight of third-party vendors providing e-banking services and support. Effective oversight requires that institutions ensure the following practices are in place:

• Effective due diligence in the selection of new service providers that considers financial condition, experience, expertise, technological compatibility, and customer satisfaction;

• Written contracts with specific provisions protecting the privacy and security of an institution's data, the institution's ownership of the data, the right to audit security and controls, and the ability to monitor the quality of service, limit the institution's potential liability for acts of the service provider, and terminate the contract;
• Appropriate processes to monitor vendors' ongoing performance, service quality, security controls, financial condition, and contract compliance; and
• Monitoring reports and expectations including incident response and notification.

Due Diligence of Outsourcing

A key consideration in preparing an e-banking cost-benefit analysis is whether the financial institution supports e-banking services in-house or outsources support to one or more third parties (i.e., a technology service provider or TSP). Transactional e-banking is typically a front-end system that relies on a programming link called an interface to transfer information and transactions between the e-banking system and the institution's core processing applications (e.g., loans, deposits, asset management). Such interfaces can be between in-house systems, outsourced systems, or a combination of both. This flexibility allows institutions to select those products and services that best meet their e-banking needs, but it can also complicate the vendor oversight process when multiple vendors are involved.

Choosing to use the services of one or more TSPs can help financial institutions manage costs, obtain necessary expertise, expand customer product offerings, and improve service quality. However, this choice does not absolve financial institutions from understanding and managing the risks associated with TSP services. In fact, service providers may introduce additional risks and interdependencies that financial institutions must understand and manage. Regardless of whether an institution's e-banking services are outsourced or processed in-house, the institution should periodically review whether this arrangement continues to meet current and anticipated future needs.

Contracts for Third-Party Services

As with all outsourced financial services, institutions must have a formal contract with the TSP that clearly addresses the duties and responsibilities of the parties involved. In the past, some institutions have had informal security expectations for software vendors or Internet access providers that had never been committed to writing. This lack of clear responsibilities and consensus has led to breakdowns in internal controls and allowed security incidents to occur.

Institutions should tailor these recommendations to e-banking services as necessary. Specific examples of e-banking contract issues include

• Restrictions on use of nonpublic customer information collected or stored by the TSP;
• Requirements for appropriate controls to protect the security of customer information held by the TSP;
• Service-level standards such as website up-time, hyperlink performance, customer service response times, etc.;
• Incident response plans, including notification responsibilities, to respond to website outage, defacement, unauthorized access, or malicious code;
• Business continuity plans for e-banking services including alternate processing lines, backup servers, emergency operating procedures, etc.;
• Performance of, and access to, vulnerability assessments, penetration tests, and financial and operations audits;
• Limitations on subcontracting of services, either domestically or internationally;
• Choice of law and jurisdiction for dispute resolution and access to information by the financial institution and its regulators; and
• For foreign-based vendors or service providers (i.e., country of residence is different from that of the institution), in addition to the above items, contract options triggered by increased risks due to adverse economic or political developments in the vendor's or service provider's home country.

Oversight and Monitoring of Third Party

Financial institutions that outsource e-banking technical support must provide sufficient oversight of service providers' activities to identify and control the resulting risks. The key to good oversight typically lies in effective MIS. However, for MIS to be effective the financial institution must first establish clear performance expectations. Wherever possible, these expectations should be clearly documented in the service contract or an addendum to the contract. Effective and timely MIS can alert the serviced institution to developing service, financial, or security problems at the vendor, problems that might require execution of contingency plans supporting a change in vendor or in the existing service relationship.

• Protect against any anticipated threats or hazards to the security or integrity of such information; and
• Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

The guidelines outline specific measures institutions should consider in implementing a security program. These measures include

• Identifying and assessing the risks that may threaten consumer information;
• Developing a written plan containing policies and procedures to manage and control these risks;
• Implementing and testing the plan; and
• Adjusting the plan on a continuing basis to account for changes in technology, the sensitivity of customer information, and internal or external threats to information security.

The guidelines also outline the responsibilities of management to oversee the protection of customer information including the security of customer information maintained or processed by service providers. Oversight of third-party service providers and vendors is discussed in this booklet under the headings Board and Management Oversight and Managing Outsourcing Relationships. Additional information on the guidelines can be found in the IT Handbook's Management Booklet. The IT Handbook's Information Security Booklet presents additional information on the risk assessment process and information processing controls.

In order to perform a risk assessment, a financial institution gathers information about the internal and external environment, analyzes that information, and provides a hierarchical list of risks to be mitigated. This assessment guides the testing program, indicating which controls should be subject to more frequent or rigorous testing. The guidelines required by the GLBA apply to customer information stored in electronic form as well as paper-based records. Examination procedures specifically addressing compliance with the GLBA guidelines can be accessed through the agency websites listed in the reference section of this booklet. Although the guidelines supporting GLBA define customer as a consumer who has a customer relationship with the institution, management should consider expanding the written information security program to cover the institution's own confidential records as well as confidential information about its commercial customers.

Information Security Controls

Security threats can affect a financial institution through numerous vulnerabilities. No single control or security device can adequately protect a system connected to a public network. Effective information security comes only from establishing layers of various control, monitoring, and testing methods. While the details of any control and the effectiveness of risk mitigation depend on many factors, in general, each financial institution with external connectivity should ensure the following controls exist internally or at their TSP.

• Ongoing knowledge of attack sources, scenarios, and techniques. Financial institutions should maintain an ongoing awareness of attack threats through membership in information-sharing entities such as the Financial Services - Information Sharing and Analysis Center (FS-ISAC), Infragard, the CERT Coordination Center, private mailing lists, and other security information sources. All defensive measures are based on knowledge of the attacker's capabilities and goals, as well as the probability of attack.

• Up-to-date equipment inventories and network maps. Financial institutions should have inventories of machines and software sufficient to support timely security updating and audits of authorized equipment and software. In addition, institutions should understand and document the connectivity between various network components including remote users, internal databases, and gateway servers to third parties. Inventories of hardware and the software on each system can accelerate the institution's response to newly discovered vulnerabilities and support the proactive identification of unauthorized devices or software.

• Rapid response capability to react to newly discovered vulnerabilities. Financial institutions should have a reliable process to become aware of new vulnerabilities and to react as necessary to mitigate the risks posed by newly discovered vulnerabilities. Software is seldom flawless. Some of those flaws may represent security vulnerabilities, and the financial institution may need to correct the software code using temporary fixes, sometimes called a patch. In some cases, management may mitigate the risk by reconfiguring other computing devices. Frequently, the financial institution must respond rapidly, because a widely known vulnerability is subject to an increasing number of attacks.

• Network access controls over external connections. Financial institutions should carefully control external access through all channels including remote dial-up, virtual private network connections, gateway servers, or wireless access points. Typically, firewalls are used to enforce an institution's policy over traffic entering the institution's network. Firewalls are also used to create a logical buffer, called a demilitarized zone, or DMZ, where servers are placed that receive external traffic. The DMZ is situated between the outside and the internal network and prevents direct access between the two. Financial institutions should use firewalls to enforce policies regarding acceptable traffic and to screen the internal network from directly receiving external traffic.

• System hardening. Financial institutions should harden their systems prior to placing them in a production environment. Computer equipment and software are frequently shipped from the manufacturer with default configurations and passwords that are not sufficiently secure for a financial institution environment. System hardening is the process of removing or disabling unnecessary or insecure services and files. A number of organizations have current efforts under way to develop security benchmarks for various vendor systems.

Financial institutions should ensure these computers meet security and configuration requirements regardless of the controls governing remote access security administration.

Adverse test results indicate a control is not functioning and cannot be relied upon. Follow-up can include correction of the specific control, as well as a search for, and correction of, a root cause. Types of tests include audits, security assessments, vulnerability scans, and penetration tests.

Authenticating E-Banking Customers

E-banking introduces the customer as a direct user of the institution's technology. Customers have to log on and use the institution's systems. Accordingly, the financial institution must control their access and educate them in their security responsibilities. While authentication controls play a significant role in the internal security of an organization, this section of the booklet discusses authentication only as it relates to the e-banking customer.
Authenticating New Customers

Verifying a customer's identity, especially that of a new customer, is an integral part of all financial services. Consistent with the USA PATRIOT Act, federal regulations require that by October 1, 2003, each financial institution must develop and implement a customer identification program (CIP) that is appropriate given the institution's size, location and type of business. The CIP must be written, incorporated into the institution's Bank Secrecy Act/Anti-Money Laundering program, and approved by the institution's board of directors. The CIP must include risk-based procedures to verify the identity of customers (generally persons opening new accounts). Procedures in the program should describe how the bank will verify the identity of the customer using documents, nondocumentary methods, or a combination of both. The procedures should reflect the institution's account opening processes whether face-to-face or remotely as part of the institution's e-banking services.

As part of its nondocumentary verification methods, financial institutions may rely on third parties to verify the identity of an applicant or assist in the verification. The financial institution is responsible for ensuring that the third party uses the appropriate level of verification procedures to confirm the customer's identity. New account applications submitted on-line increase the difficulty of verifying the application information. Many institutions choose to require the customer to come into an office or branch to complete the account opening process. Institutions conducting the entire account opening process through the mail or on-line should consider using third-party databases to provide

• Positive verification to ensure that material information provided by an applicant matches information available from third-party sources,
• Logical verification to ensure that information provided is logically consistent, and
• Negative verification to ensure that information provided has not previously been associated with fraudulent activity (e.g., an address previously associated with a fraudulent application).

Authenticating Existing Customers

In addition to the initial verification of customer identities, the financial institution must also authenticate its customers' identities each time they attempt to access their confidential on-line information. The authentication method a financial institution chooses to use in a specific e-banking application should be appropriate and commercially reasonable in light of the risks in that application. Whether a method is a commercially reasonable system depends on an evaluation of the circumstances. Financial institutions should weigh the cost of the authentication method, including technology and procedures, against the level of protection it affords and the value or sensitivity of the transaction or data to both the institution and the customer. What constitutes a commercially reasonable system may change over time as technology and standards evolve. (FFIEC Guidance: Authentication in an Electronic Banking Environment, July 30, 2001.)

Authentication methods involve confirming one or more of three factors:

• Something only the user should know, such as a password or PIN;
• Something the user possesses, such as an ATM card, smart card, or token; or
• Something the user is, such as a biometric characteristic like a fingerprint or iris pattern.

Authentication methods that depend on more than one factor are typically more difficult to compromise than single-factor systems, therefore suggesting a higher reliability of authentication. For example, the use of a customer ID and password is considered single-factor authentication since both items are something the user knows. A common example of two-factor authentication is found in most ATM transactions where the customer is required to provide something the user possesses (i.e., the card) and something the user knows (i.e., the PIN). Single-factor authentication alone may not be adequate for sensitive communications, high dollar value transactions, or privileged user access (i.e., network administrators). Multi-factor techniques may be necessary in those cases. Institutions should recognize that a single-factor system may be tiered (e.g., multiple passwords) to enhance security without the implementation of a true two-factor system.

Password Administration

Despite the concerns regarding single-factor authentication, many e-banking services still rely on a customer ID and password to authenticate an existing customer. Some security professionals criticize passwords for a number of reasons including the need for passwords whose strength places the password beyond the user's ability to comply with other password policies such as not writing the password down. Password-cracking software and log-on scripts can frequently guess passwords regardless of the use of encryption. Popular acceptance of this form of authentication rests on its ease of use and its adaptability within existing infrastructures.

A tiered single-factor authentication system would include the use of multiple levels of a single factor (e.g., the use of two or more passwords or PINs employed at different points in the authentication process). Tiering may not be as strong as two-factor authentication because the means used to steal the first password may be equally effective against the second password.

Financial institutions that allow customers to use passwords with short character length, readily identifiable words or dates, or widely used customer information (e.g., Social Security numbers) may be exposed to excessive risks in light of the security threats from hackers and fraudulent insider abuse. Stronger security in password structure and implementation can help mitigate these risks. Another way to mitigate the risk of scripted attacks is to make the user ID more random and not based on any easily determined format or commonly available information. There are three aspects of passwords that contribute to the security they provide: password secrecy, password length and composition, and administrative controls. Financial institutions that assess the risk and decide to rely on passwords should implement strong password administration standards.

Administrative Controls

E-banking presents new administrative control requirements and potentially increases the importance of existing controls. Management must evaluate its administrative controls to maximize the availability and integrity of e-banking systems. E-banking information can support identity theft for either fraud at the subject institution or for creating fraudulent accounts at other institutions. Institutions should consider the adequacy of the following controls:

• Segregation of e-banking duties to minimize the opportunity for employee fraud;
• Dual-control procedures especially for sensitive functions like encryption key retrieval or large on-line transfers;
• Reconcilement of e-banking transactions;
• Suspicious activity reviews and fraud detection with targeted review of unusually large transaction amounts or volumes;
• Periodic monitoring to detect websites with similar names, possibly established for fraudulent purposes;
• Error checks and customer guidance to prevent unintentional errors;
• Alternate channel confirmations to ensure account activity or maintenance changes are properly authorized; and
• Business disruption avoidance strategies and recovery plans.

E-banking activities are subject to the same risks as other banking processes. However, the processes used to monitor and control these risks may vary because of e-banking's heavy reliance on automated systems and the customer's direct access to the institution's computer network. Some of the controls that help assure the integrity and availability of e-banking systems are discussed below.
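The password weaknesses named under Password Administration above (short length, readily identifiable words or dates, widely used customer information) and the advice to randomize user IDs can be enforced at enrollment. The following is an added example, not part of the original booklet; the minimum length, word list, customer record, and function names are assumptions made for illustration.

```python
import re
import secrets

MIN_LENGTH = 12  # assumed policy value; the text above sets no number

# Constructed sample list; a production check would load a large dictionary
# and breached-password corpus instead.
COMMON_WORDS = {"password", "welcome", "banking", "letmein", "qwerty", "summer"}

# Undo common character substitutions (0->o, 1->i, @->a ...) before lookup.
LEET = str.maketrans("013457@$", "oieastas")

# Separator-style dates (14/03/1975, 1975-03-14) or a bare year 1900-2099.
DATE_RE = re.compile(r"\d{1,4}[/.-]\d{1,2}[/.-]\d{1,4}|(?:19|20)\d{2}")

# No look-alike characters (0/O, 1/I) so IDs survive being read over the phone.
USER_ID_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

# Constructed customer record (hypothetical field names and values).
CUSTOMER = {
    "name": "Asha Verma",
    "ssn": "123-45-6789",
    "dob": "1975-03-14",
    "user_id": "averma",
}


def password_weaknesses(password, customer):
    """Return policy findings for a candidate password; empty list = accepted."""
    findings = []
    lowered = password.lower()
    pw_digits = re.sub(r"\D", "", password)

    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if any(word in lowered.translate(LEET) for word in COMMON_WORDS):
        findings.append("dictionary_word")
    if DATE_RE.search(password):
        findings.append("date")

    for field, value in customer.items():
        digits = re.sub(r"\D", "", value)
        # Checking the last four digits also covers the full number: a
        # password containing the whole value contains its tail.
        numeric_hit = len(digits) >= 4 and digits[-4:] in pw_digits
        word_hit = any(
            part in lowered for part in re.findall(r"[a-z]{3,}", value.lower())
        )
        if numeric_hit or word_hit:
            findings.append(f"customer_info:{field}")
    return findings


def generate_user_id(length=10):
    """Random user ID that follows no name- or account-based format."""
    return "".join(secrets.choice(USER_ID_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("Asha1975", "P@ssw0rd-6789!", "vR9#tq-Lm2!xKe"):
        print(candidate, password_weaknesses(candidate, CUSTOMER))
    print("issued user ID:", generate_user_id())
```

The date pattern is deliberately broad, so an otherwise random password containing a four-digit run such as 2013 is also rejected; that trade-off favors the customer picking again over accepting a birth year.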

Internal Controls

Segregation of duties. E-banking support relies on staff in the service provider's operations or staff in the institution's bookkeeping, customer service, network administration, or information security areas. However, no one employee should be able to process a transaction from start to finish. Institution management must identify and mitigate areas where conflicting duties create the opportunity for insiders to commit fraud. For example, network administrators responsible for configuring servers and firewalls should not be the only ones responsible for checking compliance with security policies related to network access. Customer service employees with access to confidential customer account information should not be responsible for daily reconcilements of e-banking transactions.

Dual controls. Some sensitive transactions necessitate making more than one employee approve the transaction before authorizing the transaction. Large electronic funds transfers or access to encryption keys are examples of two e-banking activities that would typically warrant dual controls.

Reconcilements. E-banking systems should provide sufficient accounting reports to allow employees to reconcile individual transactions to daily transaction totals.

Suspicious activity. Financial institutions should establish fraud detection controls that could prompt additional review and reporting of suspicious activity. Some potential concerns to consider include false or erroneous application information, large check deposits on new e-banking accounts, unusual volume or size of funds transfers, multiple new accounts with similar account information or originating from the same Internet address, and unusual account activity initiated from a foreign Internet address. Security and fraud related events may require the filing of a SAR with the Financial Crimes

Similar website names. Financial institutions should exercise care in selecting their website name(s) in order to reduce possible confusion with those of other Internet sites. Institutions should periodically scan the Internet to identify sites with similar names and investigate any that appear to be posing as the institution. Suspicious sites should be reported to appropriate criminal and regulatory authorities.

Error checks. E-banking activities provide limited opportunities for customers to ask questions or clarify their intentions regarding a specific transaction. Institutions can reduce customer confusion and the potential for unintended transactions by requiring written contracts explaining rights and responsibilities, by providing clear disclosures and on-line instructions or help functions, and by incorporating proactive confirmations into the transaction initiation process. On-line instructions, help features, and proactive confirmations are typically part of the basic design of an e-banking system and should be evaluated as part of the initial due diligence process. On-line forms can include error checks to identify common mistakes in various fields. Proactive confirmations can require customers to confirm their actions would enter the amount and date of payment and specify the intended recipient. But, before accepting the customer's instructions for processing, the system might require the customer to review the instructions entered and then confirm the instructions' accuracy by clicking on a specific box or link.
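Several of the concerns listed under Suspicious activity above can be expressed as review rules over an e-banking event log. The following is an added example, not part of the original booklet; the event fields, thresholds, account numbers, and home country are assumptions, the events are constructed, and the country value is assumed to come from upstream geolocation of the Internet address.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Assumed thresholds for illustration; each institution sets its own from
# its risk assessment.
NEW_ACCOUNT_DAYS = 30      # an account this young counts as "new"
LARGE_DEPOSIT = 10_000     # check deposit size that triggers review
TRANSFER_MULTIPLE = 5      # transfer above 5x the account's prior median
MIN_HISTORY = 3            # prior transfers needed before the median is used
SHARED_ORIGIN_LIMIT = 3    # new accounts sharing one IP address or phone
HOME_COUNTRY = "US"        # assumed home jurisdiction


def event(kind, day, account, ip, country, amount=0, phone=None):
    """Build one log record (hypothetical schema)."""
    return {"type": kind, "date": day, "account": account, "ip": ip,
            "country": country, "amount": amount, "phone": phone}


# Constructed sample log; addresses are from documentation-only ranges.
EVENTS = [
    event("open", date(2003, 3, 1), "A100", "192.0.2.10", "US", phone="555-0100"),
    event("open", date(2003, 3, 1), "A101", "192.0.2.10", "US", phone="555-0101"),
    event("open", date(2003, 3, 2), "A102", "192.0.2.10", "US", phone="555-0102"),
    event("check_deposit", date(2003, 3, 5), "A101", "192.0.2.10", "US", 25_000),
    event("check_deposit", date(2003, 3, 6), "A100", "192.0.2.10", "US", 400),
    event("transfer", date(2003, 3, 3), "B200", "198.51.100.7", "US", 120),
    event("transfer", date(2003, 3, 4), "B200", "198.51.100.7", "US", 80),
    event("transfer", date(2003, 3, 7), "B200", "198.51.100.7", "US", 150),
    event("transfer", date(2003, 3, 8), "B200", "198.51.100.7", "US", 100),
    event("transfer", date(2003, 3, 9), "B200", "198.51.100.7", "US", 9_000),
    event("transfer", date(2003, 3, 9), "B201", "203.0.113.99", "RO", 50),
]


def flag_events(events):
    """Return a sorted list of (rule, account or account group) for review."""
    alerts = set()
    opened = {}                   # account -> opening date seen in this log
    by_ip = defaultdict(set)      # IP address -> accounts opened from it
    by_phone = defaultdict(set)   # phone number -> accounts opened with it
    history = defaultdict(list)   # account -> earlier transfer amounts

    for ev in sorted(events, key=lambda e: e["date"]):
        acct = ev["account"]
        if ev["country"] != HOME_COUNTRY:
            alerts.add(("foreign_address", acct))
        if ev["type"] == "open":
            opened[acct] = ev["date"]
            by_ip[ev["ip"]].add(acct)
            if ev["phone"]:
                by_phone[ev["phone"]].add(acct)
        elif ev["type"] == "check_deposit":
            # Accounts opened before the log window are treated as established.
            is_new = (acct in opened
                      and (ev["date"] - opened[acct]).days <= NEW_ACCOUNT_DAYS)
            if is_new and ev["amount"] >= LARGE_DEPOSIT:
                alerts.add(("large_deposit_new_account", acct))
        elif ev["type"] == "transfer":
            prior = history[acct]
            if (len(prior) >= MIN_HISTORY
                    and ev["amount"] > TRANSFER_MULTIPLE * median(prior)):
                alerts.add(("unusual_transfer_size", acct))
            prior.append(ev["amount"])

    for group in list(by_ip.values()) + list(by_phone.values()):
        if len(group) >= SHARED_ORIGIN_LIMIT:
            alerts.add(("shared_origin_new_accounts", ",".join(sorted(group))))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, subject in flag_events(EVENTS):
        print(f"{rule:28} {subject}")
```

Each alert is a prompt for the additional review the text describes, not a finding of fraud; the rules only queue accounts for a person to examine.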

Alternate channel confirmations. Financial institutions should consider the need to have customers confirm sensitive transactions like enrollment in a new on-line service, large funds transfers, account maintenance changes, or suspicious account activity. Positive confirmations for sensitive on-line transactions provide the customer with the opportunity to help catch fraudulent activity. Financial institutions can encourage customer participation in fraud detection and increase customer confidence by sending confirmations of certain high-risk activities through additional communication channels such as the telephone, e-mail, or traditional mail services as mission critical warranting a high priority in its business continuity plan. Management should periodically reassess this decision to ensure the supporting rationale continues to reflect actual growth and expansion in e-banking services.

Legal and Compliance Issues

Because e-banking limits face-to-face interaction and the paper-based exchange of information with customers, e-banking introduces new compliance or legal risks. Institutions should

• Clearly identify the official name of the financial institution providing the e-banking services;
• Properly disclose their customer privacy and security policies on their websites; and
• Ensure that advertisements, notices, and disclosures are in compliance with applicable statutes and regulations, including the E-Sign Act.

Financial institutions should comply with all legal requirements relating to e-banking, including the responsibility to provide their e-banking customers with appropriate disclosures and to protect customer data. Failure to comply with these responsibilities could result in significant compliance, legal, or reputation risk for the financial institution.

Trade Names on the Internet

Financial institutions may choose to use a name different from their legal name for their e-banking operations. Since these trade names are not the institution's official corporate title, information on the website should clearly identify the institution's legal name and physical location. This is particularly important for websites that solicit deposits since persons may inadvertently exceed deposit insurance limits.

• Disclose clearly and conspicuously, in signs, advertising, and similar materials that the facility is a division or operating unit of the insured institution;
• Use the legal name of the insured institution for legal documents, certificates of deposit, signature cards, loan agreements, account statements, checks, drafts, and other similar documents; and
• Train staff of the insured institution regarding the possibility of customer confusion with respect to deposit insurance.

Disclosures must be clear, prominent, and easy to understand. Examples of how Internet disclosures may be made conspicuous include using large font or type that is easily viewable when a page is first opened; inserting a dialog page that appears whenever a customer accesses a webpage; or placing a simple graphic near the top of the page or in close proximity to the financial institution's logo. These examples are only some of the possibilities for conspicuous disclosures given the available technology. Front-line employees (e.g., call center staff) should be trained to ensure that customers understand these disclosures and mitigate confusion associated with multiple trade names.

Website Contents

Financial institutions can take a number of steps to avoid customer confusion associated with their website content. Some examples of information a financial institution might provide to its customers on its website include

• The name of the financial institution and the location of its main office (and branch offices if applicable);
• The identity of the primary financial institution supervisory authority responsible for the supervision of the financial institution's main office;
• Instructions on how customers can contact the financial institution's customer service center regarding service problems, complaints, suspected misuse of accounts, etc.;
• Instructions on how to contact the applicable supervisor to file consumer complaints; and
• Instructions for obtaining information on deposit insurance coverage and the level of protection that the insurance affords, including links to the FDIC or NCUA websites at http://www.fdic.gov or www.ncua.gov, respectively.

Customer Privacy and Confidentiality

Maintaining the privacy of a customer's information is one of the cornerstones upon which trust in the U.S. banking system is based. Misuse or unauthorized disclosure of confidential customer data may expose a financial institution to customer litigation or action by regulatory agencies. To meet expectations regarding the privacy of customer information, financial institutions should ensure that their privacy policies and standards comply with applicable privacy laws and regulations, particularly the privacy requirements established by GLBA. The regulation implementing GLBA's requirements also describes standards on electronic disclosures that apply if an institution elects to display its privacy policy on its website.

Transaction Monitoring and Customer Disclosures

The general requirements and controls that apply to paper-based transactions also apply to electronic financial services. Consumer financial services regulations generally require that institutions send, provide, or deliver disclosures to consumers as opposed to merely making the disclosures available. Financial institutions are permitted to provide such disclosures electronically if they obtain consumers' consent in a manner consistent with the requirements of the federal Electronic Signatures in Global and National Commerce Act (the E-Sign Act). The Federal Reserve Board has issued interim rules providing guidance on how the E-Sign Act applies to the consumer financial services and fair lending laws and regulations administered by the Board.

However, mandatory compliance with the interim rules was not required at the time of this booklet's publication. Financial institutions may provide electronic disclosures under their existing policies or practices, or may follow the interim rules, until the Board issues permanent rules. When disclosures are required to be in writing, the E-Sign Act requires that financial institutions generally must obtain a consumer's affirmative consent to provide disclosures electronically. Under the E-Sign Act, a consumer must, among other things, provide such consent electronically and in a manner that reasonably demonstrates that he or she can access the electronic record in the format used by the institution. In addition, the institution must advise customers of their right to withdraw their consent for electronic disclosures and explain any conditions, consequences, or fees triggered by withdrawing such consent.

Internet Finance

The Internet has touched almost all aspects of our lives. The emergence of e-commerce has revolutionized the way we live, shop, entertain and interact. Therefore, it should not come as a surprise if it tries to influence the way we save and the way we invest. Today, when the customer is king and the service providers are rushing to pay obeisance to the king, financial service providers cannot be left behind. In their quest to differentiate their services and gain competitive advantage over their competitors, the financial service providers are trying to provide their services to the customers in the comfort of their homes. The Internet has emerged as a convenient channel for these service providers. Living in India, we might find these ideas too far-fetched, but the truth is that the Internet has changed the way these services are delivered, particularly in countries where Internet penetration is high. The different ways in which the Internet is trying to revolutionize the delivery of financial services and products are given below:

Online Brokerage

Online broking is emerging as another field where traditional service providers are likely to face tough competition from the dot-coms. In Taiwan and Korea, 30% of the stock trading has already moved online. This is posing a threat to the traditional full-service brokerages. By leveraging the power of the web, Charles Schwab has emerged as a major threat to full-service brokers like Merrill Lynch. In order to preempt the moves into these areas by new players, many banks have already tied up with online brokerages. The banks have entered the e-trading business. Since many banks are also depositary participants, they have tied up with e-traders so that a customer is able to buy or sell shares online and make and receive payments through the Net.

In India, HDFC Bank has tied up with Investsmart.com and is offering its services to all the clients of the brokerage. ICICI Bank has gone a step ahead and launched ICICIDirect.com. These banks have become exclusive providers of banking and depositary/custodial services to the clients of these online brokerages.

Online Delivery of Financial Products

The banks have started offering banking services like checking your account status, fund transfer, ordering demand drafts and writing out cheques via the Net. Soon these will form only a small part of the total array of services being offered by them. These banks have embarked on a number of new initiatives to protect their stronghold and to leverage the Net. They are offering value-added services to their customers and at the same time are trying to get into B2C and B2B e-commerce. They are even trying to get their finger into various transactions between the Government on one side and the business and the customer on the other. Banks are trying to become a part of the online value chain. For example, they are trying to tie up with corporates so as to become a part of their supply chain and enable electronic transfer of funds between the different components of the supply chain. They are doing this by acting as an intermediary between the corporations and their vendors by enabling online transactions at one place. Some banks are trying to set up portals for routing payments like Excise Duty and Sales Tax. Not content with that, banks are setting up secure payment gateways to tap the B2C online market. Banks have taken the application process for personal loans, car loans, and mortgages online. They plan to offer other financial products like bonds and mutual funds through their financial service portals. This strategy is aimed at pre-empting the entry of new startups into this business.

Another bit of the Net strategy involves providing infrastructure for B2C as well as B2B e-commerce. Banks are setting up secure payment gateways that will allow online retail shops to obtain instant credit card verifications. Once the buyer hits the pay button at a B2C portal, the buyer's credit card details will get encrypted and travel securely to the Visa or MasterCard approval system through the bank's payment gateway. The banks are also setting up their own shopping portals. HDFC has a stake in a portal called easy2buy.com where HDFC Bank customers can buy using their bank account number. Federal Bank has similar arrangements with Rediff.com and Fabmart.com. ICICI has set up Magiccart.com, an e-tailing site.

At the B2B end, banks are offering a Net Banking service that allows electronic fund transfers among a company, its vendors and dealers. Another service being targeted at this segment is cash management. This will reduce the float, which is present in physical processing of the payments. The banks are also trying to integrate their systems with the ERP/supply chain systems of their clients. This will enable the bank to benefit from the movement towards e-procurement. E-procurement involves making transactions online and processing the payment electronically.

Research methodology

Do you have a bank account? 1-Yes 2-No

[Bar chart: Yes / No]

In which bank do you have an account? i-SBI ii-ICICI iii-HDFC

[Bar chart: ICICI / SBI / HDFC]

Interpretation: Every person has a bank account, spread across different banks.

Are you using an ATM? 1-Yes 2-No

[Bar chart: Yes / No]

Interpretation: Out of 50 people, 43 are using the ATM and 7 customers are not.

Many are not satisfied with the ATM? 1-Satisfied 2-Not satisfied

[Bar chart: Satisfied / Not satisfied]

Interpretation: More customers are satisfied than not satisfied.

Are you aware of e-banking? 1-Yes 2-No

[Bar chart: Yes / No]

Interpretation: There is a lack of awareness among customers regarding e-banking.

Findings and suggestions

Findings
Every person has a bank account. Most people are using e-banking. 90% of people are using the ATM. Many are not satisfied with the ATM. There is a lack of knowledge.

Suggestions
Banks have to improve service. Raise awareness among the people. An ATM card is a must with an account.

Conclusion: E-banking saves the customer's time and is easy to use, but it is too far from rural people, who are not aware of the e-banking system. Banks try to provide better service to customers in urban as well as rural areas, and try to raise awareness among rural customers.
