1

Online banking
ONLINE BANKING HOW IS IT DIFFERENT? Many consumers today are turning to the ease and convenience of Internet banking to take care of their financial needs. With the new levels of access made possible by the Internet, people can now check the status of their finances with the click of a button. The history of Internet banking has evolved from simply allowing customers to check balances online, to now being able to trade stocks and bonds from the comfort of their own home. WHY USE ONLINE BANKING? Online banking services have grown from simply allowing customers to check balances, to trading assets. Today, banks like ING Direct are functioning entirely online, with no brick and mortar building. With the costs saved by requiring fewer employees and the lack of facility expenses, these virtual banks can often offer higher interest rates than their traditional counterparts. Internet banking gives you the power to control your finances completely. You are no longer tied down to managing your money during the hours the bank is open. If you want to transfer a balance after business hours, you can. If you have access to the Internet and have a number of recurring monthly bills, then you should use Internet banking to make your life easier.

DEFINITIONIn the 21st century there will be a lot of banking, but there will be no banks. Says Bill Gates.

The term "online banking" or "internet banking" covers both computer and telephone banking. Using computer banking, a customer either uses his computer to dials directly into its bank's computer or gains access to the banks computer over the internet. Using telephone banking, the customer can controls its bank accounts by giving the bank instructions over the telephone. Both computer and telephone banking involve the use of passwords which give access to the customers accounts. Using these methods, banking transactions can be actioned 24 hours a day. Online banking allows the person, for instance, to view recent transactions, print out statements and transfer funds between accounts and make payments. Many banks also have the facility for someone to set up, amend or cancel standing orders. Internet banking also allows payments to be made to the customer, i.e. acceptance of credit card donations. Most people that use internet banking will also continue to use some of the elements of more traditional methods of banking, such as a cheques book.

Online banking (or Internet banking) allows customers to conduct financial transactions on a secure website operated by their retail or virtual bank, credit union or building society.

E-BANKING IN DEVELOPING COUNTRIES Just like Internet infrastructure, E-Banking in developing countries is at early stages; however there are some exceptions where countries like: Brazil have 75% of enterprises, excluding micro-enterprises using theInternet for banking in 2005.

Morocco (34.9%). (United Nations Conference on Trade and Development, 2006), There is an increasing growth of online banking, indicating a promising future for online banking in these countries. In China, while banks issue credit cards and while many use debit cards to draw directly from their respective bank accounts, very few people use their credit cards for online payment. Cash-on-delivery is still the most popular mode of e-commerce payment. Nonetheless, online payment is gaining popularity because of the emergence of China pay and Cyber Beijing, which offer a city-wide online payment system. (Zorayda Ruth B. Andam, 2003). The Nigerian economy is largely cash-based with a lot of money residing outside the banking system. To a greater extent, this has hindered the participation of her citizens in e-commerce where e-payment is the acceptable means of settling transactions. (Ayo Charles. K and Babajide Daniel O, 2006). In Nigeria, the modernization of the payment process started with the introduction of the MICR. This was followed by the establishment of ATMs for cash dispensing, account balance enquiry and payment of utility cheques. In 1993, the Central Bank of Nigeria (CBN), introduced the use of payment cards (smartcard) and paper-based instrument. Similarly in 2004, CBN introduced a broad guideline on e-banking which included the introduction of ATM, e-money products such as credit and debit cards (Salimon, 2006). The Turkish banking sector has not only grown in numerical terms it has also expanded in terms of technology and the range of new services offered to its local and foreign customers. The sector has been viewed as the leader of technological innovations in Turkey. Although a lot of work and progress has been made in electronic banking by these countries, but these nations are still cash based economies largely. There needs to be a regulatory framework and awareness among the banks and the consumers about the benefits and drivers of such systems. Fast adoption of electronic form of banking is the need of the day for these developing nations to survive in todays hypercompetitive global world.

Online banking in India

It's the new generation of banking in India. Most private and MNC banks have already setup an elaborate Internet banking infrastructure. And this exercise has provided them numerous benefits like:

Greater reach to customers Quicker time to market Ability to introduce new products and services quickly and successfully Ability to understand its customers needs Customers are given access to information easily across any location Greater customer loyalty

Multi-national and private sector banks in India have been very successful in setting up Internet banking services. This is mainly because these banks already had a robust automated banking environment on which they could build the Internet banking infrastructure. Most multi-national banks already have efficient Internet banking infrastructures running in other countries which could be emulated in India. And the private banks, which are relatively young, did not have to carry the burden of legacy systems. They merely invested in best-of-breed Internet banking solutions from the start. In a fix Unfortunately nationalized banks have been unable to evolve as fast as most private sector and MNC banks. As a result, in many organizations there may be a mix of automated systems and manual systems, with both systems running parallel, and using half-baked

applications created by smaller vendors which run in certain departments. This creates a chaotic scenario. Network management is a nightmare, the legacy systems may buckle any moment, new users and locations keep coming up, and there are also issues of security and consolidation. This is a typical situation at a usual nationalized bank:

A very large network of branches nationwide growing fast Lack of connectivity in remote locations A very large base of customers increasing fast 75-80 percent automation in main branches with less automation in remote cities and smaller branches Large amount of legacy equipment which doesn't integrate well with other systems Inefficient and outdated applications in some departments which are not flexible and don't integrate well with other applications Slow-to-change mentality of an Indian customer who is used to dealing with a human teller

Web-enabling banks with such infrastructure and number of branches nationwide at one go is a near-impossible task. However each of the challenges can be overcome with good planning, phased implementation, and lots of grit on the part of the CIOs. The RBI steps in The Reserve Bank of India (RBI) has created a comprehensive document which lays down number of security-related guidelines and strategies for banks to follow in order to offer Internet banking. The guidelines broadly talk about the types of risks associated with

Internet banking, the technology and security standards, legal issues involved, and regulatory and supervisory concerns. Any bank that wants to offer Internet banking must follow these guidelines and adhere to them as a legal necessity. Vaidyanathan Iyer, National Manager, eSecurity Business, Computer Associates provides solutions to banks which can help them go online. He says, "the guidelines have been created with a lot of thought regarding the banking scenario in India. It is at par with international banking standards and is very comprehensive." Background The document broadly categorizes levels of Internet banking services into three types:

The basic level service in which the banks' websites disseminate information on different products and services to customers. It may receive and reply to customers' queries through e-mail. Simple transactional websites which allow customers to submit their instructions, applications for different services, and queries on their account balances. They do not permit any fund-based transactions on their accounts. The third level of Internet banking services offered by fully-transactional websites which allow customers to operate on their accounts for transfer of funds, payment of different bills, subscribing to other products of the bank, and to transact purchase and sale of securities.

Internet banking The document lays down some of the distinctive features of Internet banking. They are:

It removes the traditional geographical barriers as it could reach out to customers of different countries/legal jurisdiction. This has raised the question of jurisdiction of law/supervisory system to which such transactions should be subjected. It has added a new dimension to different kinds of risks traditionally associated with banking, heightening some of them and throwing new risk control challenges. Security of banking transactions, validity of electronic contract, customers' privacy, etc., which have all along been concerns of both bankers and supervisors have assumed different dimensions given that Internet is a public domain, not subject to control by any single authority or group of users.

It poses a strategic risk of loss of business to those banks who do not respond in time to this new technology, being the efficient and cost effective delivery.

Securitythe key concern It's evident from the document and from a general study of the business case of Internet banking, that security is perhaps the biggest concern. Connectivity issues to remote locations is also very important, but the need to be secure is far more pressing. The document says that security issues include questions of adopting internationally accepted state-of-the-art minimum technology standards for access control, encryption/decryption (minimum key length), firewalls, verification of digital signature, and Public Key Infrastructure (PKI). Concerns The key components of security concerns are

Authentication: The assurance of identity of the person in a deal Authorization: A party doing a transaction is authorized to do so Privacy: The confidentiality of data and information relating to any deal Data integrity: Assurance that the data has not been altered Non-repudiation: A party to the deal cannot deny that it originated the communication or data

If these areas are not addressed, the bank may suffer operational risk, reputational risk, legal risk, money laundering risk, and strategic risk. Chapter 6 of the report talks about technology and security standards for Internet banking. It talks about TCP/IP, the OSI Layers, and application architectures. There are guidelines for backup and recovery, list of the different types of attacks and the ways in which they can compromise a system, like sniffer attacks, DoS, and e-mail bombs. Authentication techniques like tokens, biometrics, and smart cards are described. The concepts of firewalls, proxy servers, cryptography, digital signatures, certification, SSL, and PKI are explained in detail. Security tools like scanners, sniffers, and IDSs are also described. Physical security is talked about and followed by guidelines of a security policy and a number of recommendations. The recommendations talk about access control, isolation of application servers, security logs (audit trails), penetration testing, backup and recovery practices, monitoring against threats, and education. Comprehensiveness and Indian banks The RBI guidelines are very exhaustive and extremely comprehensive. But are Indian banks following the guidelines accordingly? Experts at Global E-Secure Limited, a security solutions company say that none of the Indian banks which offer Internet banking

facilities have an IT security policy as stipulated by the RBI. While banks have been asked to file monthly reports to show compliance to the guidelines, most of them have sought time to satisfy the security policy criterion. The RBI is insisting on a written document, signed by the Board of Directors to make the banks aware that IT security is not just an IT concern, but something that could affect overall business as well. The company also says that while these banks do have security measures, there is no clear-cut program which incorporates all the aspects of a comprehensive security policy. Also, some banks do not have straight-through processing. There is manual intervention, which poses a great security risk for the customer. In order to fill such gaps, the security policy guidelines clearly lay out the areas which should be looked into. To provide a further check, the RBI is also empowered to audit the compliance to the policy. Rajeev Wadhwa, COO, Global E-Secure Limited says, "Following the release of its guideline, the RBI will also come out with a policy on similar lines. Hence, it's imperative that banks immediately act upon the same. The RBI has asked I-banking and e-trading banks to perform ethical hacking of their servers and submit their reports. Since there is no proper ethical hacking policy and methodology published in the IT-Act nor by the RBI, these banking organizations have to depend on only security specialists who have the Service Level Agreement (SLA) and a procedure in place." A practical approach IDBI Bank has successfully implemented a robust Internet banking architecture for its customers. Neeraj Bhai, the CTO of the bank says, "RBI guidelines are stringent, but not very difficult to implement if one goes about in a systematic fashion. The rule which stipulates that the bank must have a client-level certificate, is somewhat difficult and expensive to implement in a retail banking

10

scenario. The guidelines also prescribe certain functions be authorized at the Board level. This provision has potential to introduce delays in deployment." "It is not important to look at which policy is to be applied first. One has to take a holistic view. Certain prescriptions of the RBI, like having an information security policy, are general in nature and not specific to Internet banking. If an organization is alive to such issues even before launching Internet banking, things become simpler. It should be viewed as a cross-functional project and managed in a controlled fashion. Many banks make the mistake of believing that all their customers would be interested in Internet banking and therefore start enabling the service to all their customers. In reality most of such 'enabled' customers do not access the service and the banks end up loading their systems unnecessarily and spending big sums on sending PIN mailers." "Like any other product or service, Internet banking is not a one-time activity. The bank has to persuade its customers to use the service to achieve cost advantage. Since many customers do not use Internet banking, the bank has to enrich its services by additional payment tie-ups so that customers have more options. In this case, data security needs to be very thorough."

Features Online banking solutions have many features and capabilities in common, but traditionally also have some that are application specific.

The common features fall broadly into several categories-

11

1. Transactional (e.g., performing a financial transaction such as an account to account transfer, paying a bill, wire transfer, apply for a loan, new account, etc.) a. Payments to third parties, including bill payments and telegraphic/wire transfers b. Funds transfers between a customer's own transactional account and savings accounts c. Investment purchase or sale d. Loan applications and transactions, such as repayments of enrollments 2. Non-transactional (e.g., online statements, cheques links, co-browsing, chat) a. Viewing recent transactions b. Downloading bank statements, for example in PDF format c. Viewing images of paid cheques 3. Financial Institution Administration 4. Management of multiple users having varying levels of authority 5. Transaction approval process

Features commonly unique to Internet banking include Personal financial management support, such as importing data into personal accounting software. Some online banking platforms support account aggregation to allow the customers to monitor all of their accounts in one place whether they are with their main bank or with other institutions.

History

12

The precursor for the modern home online banking services were the distance banking services over electronic media from the early 1980s. The term online became popular in the late '80s and referred to the use of a terminal, keyboard and TV (or monitor) to access the banking system using a phone line. Home banking can also refer to the use of a numeric keypad to send tones down a phone line with instructions to the bank. Online services started in New York in 1981 when four of the citys major banks (Citibank, Chase Manhattan, Chemical andManufacturers Hanover) offered home banking services using the videotex system. Because of the commercial failure of videotex these banking services never became popular except in France where the use of videotex (Minitel) was subsidized by the telecom provider and the UK, where the Prestel system was used. The UK's first home online banking services was set up by Bank of Scotland for customers of the Nottingham Building Society (NBS) in 1983. The system used was based on the UK's Prestel system and used a computer, such as the BBC Micro, or keyboard (Tandata Td1400) connected to the telephone system and television set. The system (known as 'Homelink') allowed on-line viewing of statements, bank transfers and bill payments. In order to make bank transfers and bill payments, a written instruction giving details of the intended recipient had to be sent to the NBS who set the details up on the Home link system. Typical recipients were gas, electricity and telephone companies and accounts with other banks. Details of payments to be made were input into the NBS system by the account holder via Prestel. A cheque was then sent by NBS to the payee and an advice giving details of the payment was sent to the account holder. BACS was later used to transfer the payment directly. Stanford Federal Credit Union was the first financial institution to offer online internet banking services to all of its members in October 1994. Today, many banks are internet only banks. Unlike their predecessors, these internet only banks do not maintain brick and mortar bank branches. Instead, they typically differentiate themselves by offering better interest rates and online banking features.

13

Security

Security token devices Protection through single password authentication, as is the case in most secure Internet shopping sites, is not considered secure enough for personal online banking applications in some countries. Basically there exist two different security methods for online banking. The PIN/TAN system where the PIN represents a password, used for the login and TANs representing one-time passwords to authenticate transactions. TANs can be distributed in different ways, the most popular one is to send a list of TANs to the online banking user by postal letter. The most secure way of using TANs is to generate them by need using asecurity token. These token generated TANs depend on the time and a unique secret, stored in the security token (this is called two-factor authentication or 2FA). Usually online banking with PIN/TAN is done via a web browser using SSL secured connections, so that there is no additional encryption needed.

Another way to provide TANs to an online banking user, is to send the TAN of the current bank transaction to the user's (GSM) mobile phone via SMS. The SMS text usually quotes the transaction amount and details, the TAN is only valid for a short period of time. Especially in Germany and Austria, many banks have adapted this "SMS TAN" service as it is considered as very secure.

14

Signature based online banking where all transactions are signed and encrypted digitally. The Keys for the signature generation and encryption can be stored on smartcards or any memory medium, depending on the concrete implementation.

Attacks Most of the attacks on online banking used today are based on deceiving the user to steal login data and valid TANs. Two well known examples for those attacks are phishing and pharming. Cross-site scripting and keylogger/Trojan horses can also be used to steal login information. A method to attack signature based online banking methods is to manipulate the used software in a way, that correct transactions are shown on the screen and faked transactions are signed in the background. A recent FDIC Technology Incident Report, compiled from suspicious activity reports banks file quarterly, lists 536 cases of computer intrusion, with an average loss per incident of $30,000. That adds up to a nearly $16-million loss in the second quarter of 2007. Computer intrusions increased by 150 percent between the first quarter of 2007 and the second. In 80 percent of the cases, the source of the intrusion is unknown but it occurred during online banking, the report states. The most recent kind of attack is the so-called Man in the Browser attack, where a Trojan horses permits a remote attacker to modify the destination account number and also the amount. Counter measures There exist several countermeasures which try to avoid attacks. Digital certificates are used against phishing and pharming, the use of class-3 card readers is a measure to avoid manipulation of transactions by the software in signature based online banking variants. To protect their systems against Trojan horses, users should use virus scanners and be careful with downloaded software or e-mail attachments. In 2001 the FFIEC issued guidance for multifactor authentication (MFA) and then required to be in place by the end of 2006.

15

Advantages of online banking1. Easy Account Maintenance Number one on the advantages of online banking list is easy account maintenance. Online banking makes it easy to keep track of your balance and the activity of your accounts. For those who have multiple accounts with the same bank, many online banking systems allow for you to see the balances of all of your accounts on a single screen. You can also easily go back and forth between your accounts and monitor their activity with little to no hassle. 2. Online Bill Payment Probably the most widely used advantages of online banking is the ability to pay bills online. Most online banking systems feature this capability, allowing for you to enter in your account information for your billers, to pay them directly from your bank account. A lot of banks even allow for recurring payments to be set up for those bills that remain the same each month such as mortgage, rent, car, and personal loan payments. Depending on the relationship your bank has with the biller your payments can be automatically debited from your account or an electronic check may be drafted and mailed to the biller. Any way you look at these are all advantages of online banking: save you time, save money on postage, and provide the opportunity to avoid late fees with careful planning. 3. Online Balance Transfer At some point you may find that you have to make a purchase and do not have enough in your checking account to cover it. However, you may have the funds needed in another account such as a savings account. One of the advantages of online banking is the ability to transfer funds from one of your accounts to another. This online banking feature helps to prevent insufficient funds, return check, and overdraft fees on your account(s). A word of advice about transferring from your savings account, try to keep this type of online banking activity to a minimum. Federal regulations prohibit an excess of six transactions from occurring on a savings account within a billing cycle. 4. Account Alerts

16

Another one of the advantages of online banking is the availability of setting up account alerts. Some banks offer account alert set up, where an email or even text message can be sent to you based upon certain criteria you select. For example, if you have a recurring bill payment where an electronic check is drafted and mailed, you could set up an alert to be sent to you advising when the bank has mailed out the payment. Other alerts include, weekly activity alerts, statement alerts, and low balance alerts. These alerts work to make monitoring your account easier. 5. Rewards for Going Paperless With all of the focus on going green these past few years, the last in the advantages of online banking list deals with rewards for going paperless. A lot of banks offer rewards in the form of rewards points or cash to help reduce the amount and cost of paper consumption. By opting to receive your bank statements online, increasing the use of online bill payment, and using your bank card more frequently your rewards could rack up significantly and you'd be helping out the environment in the process. The advantages of online banking are increasing every year. Banks realize the potential for savings with the increase of online banking. You will realize the convenience and cost effectiveness to your budget as you see the money and time saved by taking advantage of the online banking increase.