Showing posts with label 'Financial Frauds-Risks & preventions'.
Saturday, 20 July 2019
Tuesday, 27 June 2017
KEY ELEMENTS OF BEST PRACTICES -BANKING SCREENING TOOL(swiss)
Key risk: Commitment is the foundation for sound corporate governance. If the company is not entirely committed, its corporate governance is simply window-dressing, and the risk of poor governance is higher than it may first appear. A company that is not committed, or that poorly understands its corporate governance duties, is likely to disregard key areas of risk and accountability, including its responsibility to creditors, thus increasing the likelihood of loan default. Commitment to sound corporate governance is often best observed at the level of senior management and boards, by seeing how the "tone from the top" disseminates through the company.
Source:IFC
Wednesday, 31 May 2017
Norms to protect customer in fraudulent transaction soon: RBI
MUMBAI: The Reserve Bank will soon come out with final guidelines on customer protection that would limit customers' liability in case of unauthorised electronic banking transactions, RBI deputy governor S S Mundra said on Tuesday.
In August last year, RBI had issued a draft circular on limiting the liability of customers in case of fraudulent banking transactions resulting in debits to their accounts or cards, and had asked for comments and suggestions on it.
"Based on the feedback received from the concerned stakeholders, final guidelines (on limiting liability of customers) are expected to be issued shortly," Mundra said at an event here.
HIGHLIGHTS
Reserve Bank will soon come out with final guidelines on customer protection
This will limit customers' liability in case of unauthorised electronic banking transactions
RBI deputy governor S S Mundra said technology is being increasingly used in banking services
Mundra said technology has been increasingly used in the delivery of banking services in recent years, but it has brought associated security risks, as is evident in a few high-profile cyber incidents, thefts of personal information, fraudulent use of ATMs, net banking frauds and cases of unauthorised access to banks' servers.
"With greater thrust on digital banking, especially in the wake of demonetisation and consequent increase in complaints relating to the unauthorised or fraudulent transactions, a need for having a comprehensive policy to limit the liability of customers cannot be overemphasised," the deputy governor said.
Mundra said the final guidelines will clearly talk about the timeline for reporting fraudulent transactions, the liability customers will have to bear in case of unauthorised transactions and the responsibilities of banks in such instances.
He also asked banks to strengthen their IT security system ahead of the release of the final guidelines.
"In view of the impending guidelines, it would be prudent on the part of the banks to internally tighten their IT security system and customers service delivery through the IT-enabled platform and operating procedures so that grievances are minimised," Mundra said.
He asked banks to improve their call centre services and automated response systems so that customers face less hassle when using them.
"My experience is that you keep on navigating through the (IVR) menu and finally you need to talk to the customer service representative. It is good to use the technology, but we need to ensure that the technology is serving the intended purpose," he said.
Mundra said some banks have started using artificial intelligence and have piloted a robotic assistant in the branch to guide customers.
"I would only urge that though it is a smart move, ensure that it also does not end up in the same fashion as call centres or automated response systems. It should really be able to help the customers," he said.
Source:TOI
Monday, 24 October 2016
Cyber security: making banking safer
Protecting the banks’ crown jewels – money and personal data – may have become more difficult than ever, but financial institutions have fortified their defences with a little help from their fintech friends.
Cybercrime is the greatest existential threat banks face today. According to The Depository Trust & Clearing Corporation’s latest Systemic Risk Barometer Survey, cyber risk remained the number one concern globally among financial service professionals, with 70% of all respondents citing it as a top five risk.
This anxiety is well founded. Verizon’s 2015 Data Breach Investigations Report found that the financial services sector experienced 277 confirmed breaches in 2014, second in number only to the public sector.
An example of a cyber attack uncovered in early 2015, dubbed Carbanak, saw a criminal gang employ an advanced persistent threat-style attack to steal £650m ($980m) from more than 100 financial institutions worldwide over a two-year period. One firm had $10m stolen via its online platform, according to reports.
While money is an obvious enticement, cybercriminals also look to steal valuable customer data held by banks. Simon Hales, chief information security risk officer at HSBC, says: “The current reality is that threats realised through digital channels can also target the information financial institutions hold. It depends on the motivations of those committing cyber attacks, which are increasingly global and diverse. Furthermore, the exposure also extends to the financial institution’s partners and external parties.”
The 2014 attack on JPMorgan Chase illustrates the potential magnitude of a cyber breach: hackers compromised 76 million personal accounts and more than 7 million small business accounts. Public confidence in the security of banks was shaken by this attack, considered to be one of the biggest breaches in history.
As Troels Oerting, group chief information security officer at Barclays and former head of the European Cybercrime Centre, points out: “The bank is all about trust and keeping their customers’ sensitive information safe.” A significant breach may prove costly in terms of stolen money or large regulatory fines, but it can also destroy the client relationship beyond repair.
Systemic importance
Cybercriminals also target financial institutions because of the critical role they play in a functioning economy. Governments and regulatory authorities have become acutely aware of the impact a major threat cybercrime might pose to the resilience of the financial system as a whole.
David Navetta, partner at law firm Norton Rose Fulbright (NRF), says: “Governments have a special interest in ensuring that the financial industry is secure because the global economy depends on the movement of money and open access to capital. This encourages much more cross-jurisdictional co-operation, as well as careful scrutiny of banks and financial institutions’ security practices.”
For example, on November 12, 2015, the US and UK conducted joint offline ‘war games’, dubbed Operation Resilient Shield, with global financial firms. The exercise focused on sharing information, incident response handling and public communication.
The European Parliament and European Council are in final negotiations over the Network and Information Security Directive (NISD) aimed at ensuring critical infrastructure in Europe is adequately protected against cyber attacks. Marcus Evans, a partner at NRF, says: “The real development [in the directive] is the formalised sharing of information between EU member states, as well as in due course with third-party countries such as the US.”
Governments and regulators are also paving the way for increased information sharing within national borders. For example, the US Senate passed the Cybersecurity Information Sharing Act of 2015 on October 27, 2015, encouraging sharing among private entities and between private entities and the federal government.
Bank-to-bank intelligence
While some banks remain reticent about sharing information among peers, Mr Oerting dismisses the idea that security is a competitive differentiator. “Catching crooks is something that we should all be united around,” he says, adding that if Barclays is hacked, then it is likely another bank will face the same attack. “We should share information so that the other bank can increase its security before being attacked,” he adds.
Orion Hindawi, co-founder and chief technology officer at cyber security start-up Tanium, agrees. “We know of hundreds of cases where customers were alerted by their peers which allowed them to fortify their defences,” he says.
“Criminals collaborate, learn from each other, leverage each other’s code and share system access. Yet on the flip side, we shy away and don’t want to talk about it,” adds Greg Day, vice-president and regional chief security officer, Europe, Middle East and Africa, at network and enterprise security company Palo Alto Networks.
In order to address this disjunction, 16 months ago Palo Alto Networks teamed up with Fortinet, Intel Security and Symantec to create the Cyber Threat Alliance. The security vendors participate in a technical collaboration forum to share information in real time. “With hundreds of thousands of customers, we have a huge crowdsourcing ability to see cyber attack trends,” says Mr Day. “We can leverage that data to provide better insight into what will hit our clients next.”
There are myriad industry alliances facilitating intelligence sharing and co-operation between governments, law enforcement and the financial services industry, including the National Crime Agency's National Cyber Crime Unit, the Cyber Defence Alliance, the Financial Services Information Sharing and Analysis Centre and the City of London Police's National Fraud Intelligence Bureau, to name just a few. The next step must be to join up these separate initiatives, argues Don Randall, the Bank of England's former head of security and chief information security officer.
Mr Randall also believes that suspicions and attempts should be included in the scope of shared information. “The main industry alliances are predominantly focused on actualities. But if a group of hackers unsuccessfully attempted to breach five major banks at the same time yesterday morning with the same methodology, we don’t have that data at the moment,” he says. “We have to get into the position of sharing this information because invariably the attempts will turn into real attacks.”
Raising the complexity bar
A number of developments have combined to boost the difficulty banks face in defending themselves and their customers against cybercrime. Overall, the modernisation and mobilisation of financial services is a fundamental shift that has seen the majority of financial transactions now conducted via cyber means, i.e. mobile phones, tablets, watches, cloud, etc.
Banks are constantly worried about whether their online customers are secure, running outdated software or vulnerable to fraud. As is often bemoaned, the customer is the weakest link. Employees are also more mobile, working from home or a coffee shop, at a conference, a satellite office or a customer site, all of which bypass the perimeter or network-based security a bank has already invested in.
Laurance Dine, managing principal for the Verizon Investigative Response Unit, highlights how end-user behaviour is changing due to the ‘Internet of Things’ (IoT). “The new generation wants to have access to everything, so trying to secure every single device is a difficult task,” he says. “Ongoing employee training and security awareness programmes are critical to maintain within every business.”
In addition, the financial industry has seen a lot of merger and acquisition (M&A) activity and global expansion. "Most banks face great difficulty in tying together different infrastructures, databases and computer assets across multiple jurisdictions," says Ben Johnson, chief security strategist at next-generation end-point security company Bit9 + Carbon Black. "Trying to defend their digital landscape in a cohesive, all-inclusive way is a huge challenge for them."
Differentiating the motives and actors behind cyber attacks can help determine the proper level of response, resilience and budget. Actors range from organised crime syndicates, state-sponsored groups and militaries, and hacktivists trying to make a point, to insiders attempting to steal information for personal gain. "If the intention is to steal through organised crime or nation-state espionage, then the sophistication level will most likely be higher," says Mr Randall. "But if the objective is to take down, disable or irritate, then simple old-fashioned methodologies can do the job."
These categories are showing signs of blurring. "Some use hacktivism as a façade for a nation state attack. We also see co-operation between nation-states and organised crime," says James Chappell, chief technology officer and co-founder at Digital Shadows, a UK-based cyber intelligence start-up. "Attributions are more difficult now because it is not easy to unpick who the culprits are. Luckily forensics is also developing at pace to help with that."
Growing sophistication
Most experts report greater sophistication in cyber attacks. For example, cybercriminals are hitting banks with advanced distributed denial-of-service (DDoS) attacks, threatening to shut down their websites unless they pay a ransom. On November 30, the Financial Times reported that a group of hackers targeted three Greek banks and demanded 20,000 Bitcoin ($8.1m) from each institution.
DDoS attacks are also being used as smokescreens for other crimes. “As a bank automatically reacts against this very loud attack, criminals might be doing something around the back,” says Mr Oerting. “We need to have adaptive and flexible defences, so we aren’t just looking at where we hear noise but also our back doors.”
Mr Navetta recounts a client experiencing a cyber fraud in which an email referencing a secret M&A deal was sent to a person in accounting, purportedly from the CEO. The email convinced the accountant to wire millions of dollars to a Hong Kong bank, money which NRF has been trying to recover for its client. Mr Chappell, meanwhile, reports instances of hackers proactively seeking out digital developers to obtain pre-release versions of a bank's website code.
Adam Ely, co-founder of San Francisco-based start-up Bluebox Security, has witnessed a rapid growth in malware targeting banks’ mobile apps. “We are at a tipping point where the banks are starting to invest more heavily in mobile technology and related security because the hackers are following them into this space,” he says.
In addition, cybercriminals are continually refining their tools. Richard Boscovich, assistant general counsel at Microsoft’s Digital Crimes Unit, says that the new bots being developed today are smaller and more targeted. “We are seeing a rise in Trojan downloaders, which drop other malware. One example is the Shylock banking Trojan, which primarily targeted UK financials. We have to adjust our strategy both legally and technically to adapt to the different things they are doing,” he says.
A losing battle?
In many ways banks appear to be fighting a losing battle, particularly when it comes to organised crime or state-sponsored adversaries. As Mr Dine says: “We are facing ‘hackers for hire’: people that are paid to hack all day specifically targeting financial institutions.”
"An underground economy has cropped up – crime as a service is a reality," adds Mr Chappell. He reports that the more advanced techniques, which usually begin in the realms of the nation state, are now appearing in exploit kits and software that can be bought online.
Launching attacks has become much easier, adds Alex van Someren, managing partner of early-stage funds at Amadeus Capital Partners. “The tools for directing various forms of attacks against organisations are becoming increasingly automated, so it is easier for people who do not know much about hacking to nevertheless be successful in building attacks against enterprises,” he says.
But while attackers are stepping up their game, the industry is responding with new and innovative defences, Mr Chappell emphasises. “Together as an industry we have become much better at sharing information on attackers and how these crimes are carried out. The types of tools and services available to defend us are also progressing – there is great innovation in this space. We are part of an ecosystem of security companies that are helping banks with these problems,” he says.
Cyber security start-ups
As an investor that focuses on cyber security start-ups, Mr van Someren believes that this space presents impressive growth opportunities. In January 2015 he founded a start-up accelerator, Cyber London, to foster a more robust cyber security ecosystem in the UK. The programme helps start-ups grow their businesses faster by connecting them with customers that might help trial their products.
He is convinced that working with start-ups is the way forward for banks. “If a bank builds something in house, only they pay for it and only they get the benefit. If a start-up builds a solution externally, other banks help pay for it and it benefits the industry more generally,” he says.
Like many other banks, HSBC has an innovation investment programme that looks for organisations with innovative technology that it can help fund as well as internalise. “This engagement helps to evolve our capabilities to thwart our adversaries,” says Mr Hales. “It informs us what is possible and allows us to test out new ideas.”
At Barclays, Mr Oerting has a particular interest in start-ups exploring blockchain use cases and intelligent authentication technology. “We need to be engaged in order to build in security that is convenient and trustworthy. This will be a differentiator in the future,” he says.
Diverse solutions
Threat intelligence and next-generation data loss prevention products are areas that Mr van Someren sees attracting interest. Amadeus Capital currently invests in Exonar, a firm that identifies and controls sensitive information flows.
A few examples of the diversity of cyber security start-ups include Tanium and Bit9 + Carbon Black, whose solutions target end-points, for example, ATMs, point-of-sale terminals, servers, desktops, laptops and cloud. According to Mr Hindawi, banks can roll out Tanium’s software for monitoring and changing end-point activity. Deployed on just one server, it can scale to millions of end-points.
Mr Johnson likens Bit9 + Carbon Black’s software to a surveillance camera. “A client can install the software on each computer in the environment and it monitors end-point activity. The client can detect suspicious behaviour, respond faster to that behaviour and remediate it,” he says.
Digital Shadows, on the other hand, provides a complete view of a customer’s digital footprint, identifying defence weaknesses and data loss. It also tracks attackers by looking at their tactics, techniques and procedures. By monitoring malware, how it is being used, the relative prevalence of different malware types and criminal techniques, clients can better align their defences to defend from those attacks, explains Mr Chappell.
And Bluebox Security focuses on securing mobile apps. The technology allows organisations to produce self-defending applications, according to Mr Ely. “If another app tries to modify the Bluebox-secured banking app, the latter can defend itself. It can respond by either shutting down and notifying the user of the problem, or preventing the attack to keep malware at bay,” he explains.
Much more than IT
In order to combat cyber threats and engage with innovative security technology, over the past two years many banks have elevated the chief information security officer to a more strategic role.
The financial sector has the highest percentage (88%) of chief information security officers, followed closely by IT/telecom (86%), according to the Governance of Cybersecurity: 2015 Report by Georgia Tech Information Security Centre. In addition, the sector increased the percentage of chief information security officers/chief security officers reporting to the CEO/chief operating officer.
“The chief information security officer role has been elevated to a truly C-level position in banks,” says Mr Hindawi. “They are being moved out of IT and placed either under the chief operating officer or report directly to the board. Even if they don’t have direct access to the board, they are often invited to give a cyber update and educate on the new existential risk.”
The chief information security officer’s remit should include policy and standards, education and awareness, intelligence and investigations, and forensics, providing the bank with a threat landscape, according to Mr Randall. He also recommends including a geopolitical analyst in the cyber team, a suggestion that may have raised eyebrows a few years ago but is more accepted today.
Barclays, for one, has adopted this management structure. Mr Oerting, who took up the chief information security officer role at Barclays in February 2015, reports directly to Michael Harte, Barclays’ chief operations and technology officer.
He drafted the bank's first security strategy focused solely on cyber rather than on overall technology. It includes four key priorities: protect the 'data estate', regardless of whether it sits on premises or in the cloud; enable the bank to go to market in a fast but safe manner; innovate, including through partnerships with accelerators and start-ups; and educate.
"Education is aimed at the whole staff, regardless of whether they work in communication, IT, a branch or HR – every employee must know that security is in our DNA," says Mr Oerting. "I believe that culture eats strategy for breakfast. Any management can send out new strategies but if it is not in the culture of an organisation, then employees won't implement them."
Barclays has three cyber centres: a security operations centre; a solutions and innovation centre, with an internal ‘white hat’ hacking team; and a security control centre, which includes third-party vendors that report to Mr Oerting. “We now have a global security system that applies to the whole bank,” he says.
HSBC has taken a different approach and drives information security risk management through a chief information security officer, who reports to the chief information officer, and a chief information security risk officer, who reports to the chief risk officer. This decision was taken following the application of an Operational Risk Management Three Lines of Defence framework.
As chief information security risk officer, Mr Hales is responsible for setting policy and strategy, and aligning both to an organisation’s risk appetite around information security incidents. He also ensures that the businesses receive independent advice and guidance regarding operational risks. The chief information security officer, on the other hand, is responsible for day-to-day operational controls and development of technical controls.
Mr Hales continually challenges existing controls, not only to see if they are working effectively, but also to ascertain if they are fit for purpose. “We research current threats, not just the ones that impact us directly but those that are materialising in other business areas that may impact us,” he says. “This includes geopolitical concerns and other non-technical areas where threats materialise.”
The interplay between the lines of defence provides HSBC with greater assurance that it is getting security right. Mr Hales says: “The design, supported by audit as the third line of defence, ensures we are better positioned to manage the risk holistically, and provides management and regulators with a greater level of assurance.”
Source:The Banker.com
Monday, 29 June 2015
Banks must follow three 'KY Principles' to prevent fraud: RBI Dy. Governor
Rohit Taneja, 27 June 2015
All the public sector banks in India are adequately capitalised and are meeting their requirements, but going forward they will require additional capital to meet future growth needs and possible future problems, deputy governor of the Reserve Bank of India (RBI), R. Gandhi, said at an event held in New Delhi.
"We have been voicing our concern about capital infusion. Right now banks are adequately capitalised, that is all right, but what we have been telling the banks and the government is that going forward, keeping in mind the future growth that is likely to come in the economy and also based on the Basel III norms, additional capital will be needed," said R. Gandhi while inaugurating the 2nd national conference on 'Financial Frauds-Risks & preventions', organised by industry body Assocham yesterday.
On the issue of filling up the posts of CEO and MD at five large banks, the RBI deputy governor said, "That process is on and very soon the process should conclude and these posts will be filled in, the government is very seriously pursuing that."
Talking about the restructuring under the joint lending forum (JLF), the top RBI official said, "More than 200 JLF have been formed so far, it is a new system, it will take its own time to stabilise, but we are watching, we are continuously on discussion, we are monitoring, we are discussing with the banks and bankers have brought some issues that will require some tweaking of JLF, that we are working on."
He also said that although banks already have a whistleblower policy from the vigilance perspective, the RBI is advising banks to have such a policy for fraud prevention as well.
He also said that RBI has provided the banks with a list of wilful defaulters. "We have given certain instructions to the banks, but if by law it is coming then it is well and good because that will be more forceful, more enforceable and it will be more binding on all the parties, that is welcome."
"We have been continuously monitoring, we are sitting with them (banks), we are working with them, guiding them to bring in appropriate additional capital, make a provision, banks will have to tone up their recovery process," he added.
According to an Assocham release, he also said that the root cause of financial frauds can be reduced to the failure of a bank to Know Its Somebody - i.e. failure to Know Its Customer, failure to Know Its Employee, or failure to Know Its Partner/Vendor.
"If a bank has to prevent fraud, it must follow the three KY Principles. It must Know its Customer; it must Know its Employee and it must Know its Partner," said Gandhi.
The RBI deputy governor further said that banks need to invest in data analytics and also intelligence gathering to make fraud detection as near to real time as possible.
"Each bank should segment its customers based on their risk profile and transaction patterns and develop appropriate response systems for exceptional patterns noticed and fortify systemic level controls," said Mr Gandhi.
He also said that banks have to take extra care to have continuous vigil on their staff. "Background checking for antecedents, checks and balances, periodic rotations, vigilance assessments, internal audits etc. techniques will have to be employed to know the employees better and as preventive measures."
He said that if frauds are to be prevented effectively, banks have to know their partners, agents and vendors.
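The two points above about data analytics, segmenting customers by risk profile and transaction pattern and responding to exceptional patterns in near real time, can be made concrete. The following is an added example, not code from the RBI, Assocham or any bank: each customer gets a baseline built only from that customer's own history (a robust median/MAD amount profile, usual hours of day, usual channels), each incoming transaction is scored against that baseline plus a short-window velocity check, and the score is mapped to a response (allow, step-up authentication, hold) using thresholds that are tighter for the higher-risk segment. The transaction history, the segment labels, the 4-hour time bands, the deviation cut-offs and the thresholds are all constructed assumptions for illustration.

```python
"""Per-customer transaction baselining with a segment-dependent response.

Added example with constructed data; not code from the RBI, Assocham or any bank.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Txn:
    customer: str
    amount: float       # in the account currency
    when: datetime
    channel: str        # e.g. "upi", "netbanking", "card", "atm"


# Constructed 30-day history (assumption: ordinary activity, no fraud in the baseline).
BASE = datetime(2015, 6, 1)
HISTORY = []
for day in range(30):
    # Customer A: two small daytime/evening UPI payments every day.
    HISTORY.append(Txn("A", 250 + 10 * (day % 5), BASE + timedelta(days=day, hours=12), "upi"))
    HISTORY.append(Txn("A", 300 + 15 * (day % 3), BASE + timedelta(days=day, hours=19), "upi"))
for day in range(0, 30, 3):
    # Customer B: occasional afternoon card spend.
    HISTORY.append(Txn("B", 1500 + 100 * (day % 4), BASE + timedelta(days=day, hours=14), "card"))

# Risk segment per customer (assumption: assigned by the bank's KYC review).
SEGMENT = {"A": "standard", "B": "high"}
# Higher-risk segments get lower score thresholds for step-up authentication and holds.
THRESHOLDS = {"standard": {"step_up": 3, "hold": 5}, "high": {"step_up": 2, "hold": 4}}


class Baseline:
    """What is 'normal' for one customer, derived only from that customer's history."""

    def __init__(self, txns):
        amounts = [t.amount for t in txns]
        self.median = median(amounts)
        # Median absolute deviation: robust to the odd large payment in the history.
        self.mad = median(abs(a - self.median) for a in amounts) or 1.0
        self.hour_bands = {t.when.hour // 4 for t in txns}   # 4-hour bands of the day
        self.channels = {t.channel for t in txns}
        self.recent = []                                      # timestamps seen at run time


def build_baselines(history):
    per_customer = defaultdict(list)
    for t in history:
        per_customer[t.customer].append(t)
    return {c: Baseline(txns) for c, txns in per_customer.items()}


def score_txn(txn, baselines, window=timedelta(minutes=10), velocity_limit=3):
    """Score one incoming transaction against its customer's baseline and decide a response."""
    b = baselines.get(txn.customer)
    if b is None:
        # No history at all: an unknown customer is held for manual review.
        return {"score": 99, "flags": ["no_baseline"], "action": "hold"}
    flags, score = [], 0
    deviation = abs(txn.amount - b.median) / b.mad
    if deviation > 10:
        flags.append("amount_outlier")
        score += 3
    elif deviation > 5:
        flags.append("amount_high")
        score += 1
    if txn.when.hour // 4 not in b.hour_bands:
        flags.append("unusual_hour")
        score += 1
    if txn.channel not in b.channels:
        flags.append("new_channel")
        score += 2
    prior = [w for w in b.recent if txn.when - window <= w <= txn.when]
    if len(prior) >= velocity_limit:
        flags.append("velocity")
        score += 3
    b.recent.append(txn.when)      # record so that a burst is visible to the next call
    th = THRESHOLDS[SEGMENT.get(txn.customer, "high")]
    action = "hold" if score >= th["hold"] else "step_up" if score >= th["step_up"] else "allow"
    return {"score": score, "flags": flags, "action": action}


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    day30 = BASE + timedelta(days=30)
    print(score_txn(Txn("A", 280, day30 + timedelta(hours=13), "upi"), baselines))
    print(score_txn(Txn("A", 45000, day30 + timedelta(hours=3), "netbanking"), baselines))
    print(score_txn(Txn("B", 2600, day30 + timedelta(hours=23), "card"), baselines))
```

Two design choices are worth noting. The amount profile uses median and MAD rather than mean and standard deviation, so that one legitimate large payment in the baseline does not widen the band for everything that follows. The same raw score produces different actions for customers A and B because the thresholds depend on the segment, which is the point of segmenting before responding: the same 2-point anomaly is a step-up for the high-risk customer and an allow for the standard one.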