Clari5

How can RBI’s latest guidelines help Indian banks combat cybercrime?

Rising cybercrime in India is no secret. According to a report by Symantec, India now ranks 3rd in the world, after the US and China, as a source of malicious activity. In fact the National Crime Records Bureau data reveals that in the three years up to 2013, registered cases of cyber crime were up 350 percent, from 966 to 4356. Dubious distinctions both, and give banks and the financial sector in India cause for worry.

Keeping in mind the dramatic swell in online economic crimes, India’s central bank – RBI (Reserve Bank of India) recently issued a comprehensive circular to all banks in India urging them to implement a cybersecurity framework. It prescribes the ideal approach for banks on taking concrete measures to combat cybercrime, fraudulent activities online and thereby retain customer confidence, reduce financial losses and ensure business continuity.

Cybersecurity measures for banks as outlined by RBI’s circular

In light of the rising frequency and impact of cyber attacks, the RBI circular to banks urges them to take adequate measures that are robust and resilient which address and tackle risks posed by cyber criminals, and in the meantime also put in place an adaptive Incident Response Management and Recovery framework to deal with adverse disruptions if and when they occur.

The foundation for fighting cyber crime would stem from a Bank Board approved cyber security policy that outlines the approach for combating cyber crime. This policy is not to be confused with the IT policy or IS security policy and its strategy should encompass some of the following:

  • Identify and assess risks, technologies adopted, regulatory compliance, delivery channels (online/ mobile, etc.), organizational culture, internal and external threats, and processes and policies in place to manage and combat risk
  • Continuous surveillance by testing for vulnerabilities through a SOC (Security Operations Centre) that is constantly updating on the nature of emerging cyber threats
  • IT architecture to be conducive to security measures to be implemented by the bank post assessment of readiness and ensure that network connections to database are allowed through a well defined process and by authorized personnel only
  • Ensuring the confidentiality, integrity and security of customer data is preserved, without any compromise of the same
  • Formulating a Cyber Crisis Management Plan (CCMP) whose primary focus should be: detect, response, recovery and containment to address various types of cyber threats including and not limited to: distributed denial of services (DDoS), ransom-ware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, ‘zero’ day attacks, remote access threats and more.

 

Baseline Cybersecurity requirements – an indicative list

Banks need to fortify the measures adopted to achieve baseline security and resilience. For instance:

  • monitor logs and incidents in real time or near real time
  • configure hardware and software appropriately
  • automate network discovery and management
  • use the right tools and mechanisms to detect unusual activities in servers, end
    points and network devices
  • protect customer access credentials such as logon user-id, authentication information and tokens, access profiles, etc. against leakage/attacks
  • implement controls to minimize invalid logon counts, deactivate dormant accounts
  • monitor any abnormal change in pattern of logon

The RBI circular mandates a detailed list of cyber defence apparatus. It is evident that a large majority of these measures and requirements can be fulfilled by robust software tools and products that are built for specific purposes. But banks must also remember that from a day-to-day operations’ perspective, it is imperative to have a system that monitors, tracks, alerts and preempts any anomalies that occur in banking transactions, in real time.

“Detect and prevent” as it happens and not wait for end-of-the-day reporting of incidents that are suspicious. In fact RBI’s circular lists out the implementation of risk-based transaction monitoring or surveillance process as part of fraud risk management system across all delivery channels.

In addition to optimizing available technology to strengthen controls for effective risk and fraud management, banks need to conduct employee and management awareness workshops, encourage them to report any suspicious behavior to the incident management team, and conduct targeted training for key staff in operations/ management roles and evaluate awareness periodically.

In parallel, banks need to conduct awareness programmes for their customers and encourage them to report phishing mails/ phishing sites, highlight the risks of sharing their online account credentials, passwords, and other measures they can take to protect themselves from fraudsters and people with malafide intent.

The RBI circular also touches upon the topic of governance aspects which include dashboards, intelligence, proactive monitoring and management capabilities with sophisticated tools for detection, quick response and backed by data and tools for sound analytics.  In addition, banks must keep in mind several other issues while equipping themselves to fight cyber attacks: technology issues, people related issues and process related issues.

It would be fair to assume that if Indian banks were to proactively implement an intelligent, cross-channel anti-fraud defense mechanism, the impact of cybercrime (if/when it occurs) can be vastly minimized.

 

Source: RBI Circular of June 2016

Redefining starfish banks with use cases

Cross channel scams are the most pervasive form of frauds perpetrated against bank customers. Fraudsters target customer accounts by a number of access points- branches, ATM, cards, online banking or wire transfers. With multiple channels leading to multiple access points, installing adequate combat mechanisms takes a backseat, thus expanding the attack surface. Consumers have been steadily using mobile phones, cards and Internet banking, mainly relying on good faith in financial institutions. But as scams become more complex and less predictable, banks need to keep a tight vigil against fraudsters targeting across multiple channels. Banks need to break free from the traditional ‘Starfish’ approach of combating fraud in silos; they need to actively base their combat mechanism on cross-pollinated intelligence that runs across multiple channels.

Let’s assume a scenario to better validate the above points.

Jamie is a budding photojournalist. She stays in a paying guest accommodation in Mumbai. She is an intern with a well-known magazine. Normally, she receives her salary on the last day of every month and pays her rent on the 1st. She saves the rest of her salary for paying off her expenses throughout the month and manages to save some money for her impending Euro trip. This time though, soon after her salary gets credited, there is an entire salary debit on 1st. By the time the bank and Jamie get to know about this fraudulent transaction, the entire money is lost. The bank fails to recognize this transaction as a fraudulent one.

The scenario discussed above could have easily been averted had the bank implemented a unified cross-channel fraud management system. Jamie wouldn’t have lost her salary. The bank wouldn’t have let the abnormal transaction to go through without additional levels of authentication across different channels.

Traditional fraud management solutions employed by banks have silo based systems that have the ability to monitor and detect fraud only for a single channel/product at a time e.g. credit card fraud detection, Internet banking fraud detection etc. Even the systems credited for being multi-channel managed frauds on multiple channels but not across multiple channels. An ideal cross-channel fraud management solution not just monitors and prevents fraud on multiple channels but also has the ability to correlate the intelligence gathered from one source system to the events happening on other channel to detect and prevent fraud.

To know more on redefining starfish banks with the help of use cases, download our entire white paper here or 

Combating Cross-channel Fraud

Combating Cross-channel Fraud 

Banks throughout the world are recognizing that fraud has become sophisticated and more and more pervasive. Potential projected global fraud losses related to occupational fraud are estimated to be more than $3.5 trillion.

While direct losses due to fraud are startling, the actual loss incurred is much higher in terms of loss of productivity, loss of customer confidence and attrition, notwithstanding losses due to fraud that goes undetected. Attacks against operational systems and infrastructures such as online banking and e-commerce can result in direct loss of business or revenue. Any kind of intrusions into information systems can result in massive theft of sensitive data or customer information.

Such enormous pressure on banks from fraud incidents and financial crime comes at a time when financial services organizations must deal with a new and expanding regulatory environment. Thus, the current environment is putting the banks’ fraud management capabilities into question.

Traditional fraud management systems have never been able to keep up with the sophistication of fraud across channels. The combat systems work in silos similar to a starfish and have the capability of monitoring frauds across only a single channel at a time. Thus, such systems are ineffective at identifying and combating cross-channel frauds. Banks should move away from silo based systems to take into account channel-specific fraud management techniques that have the ability to share information with other channels for combating cross-channel fraud.

The Problem with Current Fraud Management Solutions

Fraudsters on the prowl are constantly increasing their sophistication level rendering many fraud detection systems ineffective at identifying fraud. While rules-based systems are adept at spotting fraud patterns, it runs the risk of flagging many legitimate customers while fraudsters can use trial and error to discover ways to circumvent the system.

In addition, too many false positives, lack of speed in transaction authentication and inefficient investigative processes drive up operational costs, as banks are forced to increase spending on enterprise financial crime management against sophisticated attacks.

The amalgamation of organized crime and new and ever-changing types of fraud – in addition to heightened regulatory requirements – have led banks to pursue new techniques for preventing and detecting fraudulent activity.

According to Deloitte, around 30 percent of their survey respondents indicated that it took them 6-24 months to detect fraud. Close to 22 percent of survey respondents said they could recover only up to 25 percent of the fraud loss amount. These statistics indicate a move towards reliance on multiple channels, including technology based channels, to detect fraud, as indicated by a significant percentage of respondents.

Thus, moving over to advanced fraud management systems that overcome all these challenges is vital. Any negligence in awarding this area proper attention would ensure financial, reputational, and punitive risks.

Fighting Fraud

The challenges discussed above have led to the extreme need of discarding age old fraud management systems that follow the starfish approach of working in silos, without any sharing of real-time information across different channels. Banks have a variety of risk functions to identify different kinds of risks. Each risk function varies in capability and how it coordinates with other risk functions. A central goal, and challenge, of any fraud management system is improving this capability and coordination, while integrating the output to provide a unified picture of risk for stakeholders and improving the organization’s ability to manage risks effectively.

To know more on combating cross-channel frauds, download our entire white paper on this page.

 

Fraud Landscape In Africa – The Pervasiveness of Online Fraud

Fraud Landscape in Africa

Financial Fraud has perpetrated the banking industry in big way. As more people use the Internet for their banking needs, the number of fraudsters eyeing online financial transactions has also multiplied. In Africa particularly , online fraud has proved to be one of the most pervasive forms of financial fraud and is hugely impacting the fraud landscape.

 This infographic below details out the fraud landscape in Africa and how use of innovative anti-fraud technology mitigates & prevents frauds from taking place in real-time.

Changing the Indian Banking Fraud Landscape with Real-time Fraud Prevention Technology

Banking fraud is a $3.5 Trillion global menace. Indian Banking Fraud number instances have increased considerably over the past few years. This surge in banking fraud has not only resulted in banks losing millions but also sustaining irreparable reputational damage. With such attacks becoming more frequent, RBI has mandated banks to comply with recommended measures to secure the technology infrastructure and improve fraud risk management practices for frauds across channels. There is thus a growing need for banks to incorporate strong combat mechanism for not only detecting but preventing frauds in real-time.

The infographic below highlights recent trends in the Indian Banking fraud landscape and how implementing real-time fraud management technology would combat such frauds in a fool-proof way.

 

Find the truth about your Customers, yourself!

In an age where even scientific discoveries are turning out to be unreliable, scientists, of course state that these are “self correcting” and therefore in the long run, the truth shall prevail, businesses have something to worry about, mainly so because they need to take quick decisions based on the information they have available today and cannot wait till a more “accurate” version of the truth arrives tomorrow. To take a parallel in the medicine industry, many times wrong diagnosis has harmed businesses more than wrong strategy.

Here are a few reasons why research goes wrong in today’s world:

  • An interconnected world allows access to analysis in one part of the world, everywhere else. However conditions and assumptions underlying the analysis may not apply to your case

  • Hype about new media, like Facebook, Twitter and Mobile forces advertisers and marketers to embrace these channels so that they can brag about the logos. However, the ROI for the same may not justify the effort depending on how frequently decision makers in your segment access these channels

  • More data, more complexity – news gatherers try to hide the complexity of findings and analyses in simple terms, so that content is easy to read and generates more page views. However, only getting to the source of the content would tell the reader about the constraints and assumptions as well as the statistical probabilities observed

  • Terminology – different terms mean different things in the same language with the same industry. For example, a “savings account” could mean an fixed term deposit in the UK, whereas it means an interest earning demand deposit in India. An analyst reading about trends in savings accounts could make wrong interpretations owing to this

In summary, either

  • the third party research does not mean what you think it does, or

  • it isn’t relevant in your context, or

  • it works – and if it does, it’s more likely a fluke that’s not guaranteed to provide repeatable results

The solution?

  • do your own research

  • implement strategy based on this research

  • implement a feedback loop that proves / disproves your hypothesis

  • rinse and repeat

In the banking industry, it is more important than ever to not rely on trends, news sources and so called “independent” studies that are not validated for your customers, your business environment and your products based on your own data.

If you are a leading bank, you already have a huge amount of transaction data ready to be mined in real time. To find out how you can perform your own research to retain valued customers and maximize revenue, contact CustomerXPs at clari5@customerxps.com.

By Alok Kumar

Alok Kumar is Product Line Engineering Manager at CustomerXPs

He can be reached at clari5@customerxps.com

CustomerXPs offers real-time, intelligent products that empower banks with instant insights enabling influenced outcomes of deeper customer engagement and fraud-free transactions.