The aim of this report is to give management a picture of the current state of electronic banking, with a focus on the related issues and the latest best practice for approaching them. The target audience is therefore the management of the banking industry. The issues faced by the banking industry in adopting electronic banking as a delivery channel are threefold: customer acceptance, security and competition. Since the threat of security compromises is a real concern for many banks today (A.K. Pennathur, 2001), security will drive the theme of this report.
The report has two parts. Part A, written by Deji, is a brief history of electronic banking; this history is the necessary groundwork for the report's treatment of security risks and the management approach to them.
Part B of the report is prepared by Kenfi with the focus on a secure and robust electronic banking system. Management at any level or position will be equipped with a systematic knowledge of the risks inherent in electronic banking. More importantly, management will be introduced to a standard framework for building a robust and secure electronic banking system. This body of knowledge will prepare managers to participate actively and confidently in managing electronic banking. Further discussion of return on investment and risk management will round out the knowledge managers need to successfully take advantage of electronic banking as a future channel of the banking industry.
The report draws on many resources, ranging from case studies and e-journals to the scientific literature, to construct its content and support its aim. Owing to limitations of time and vision, this report may not fully meet the current demand of management for a guide to electronic banking. However, the authors hope that the report shows their effort and initiative in constructing a useful reference for management purposes and, last but not least, as an accomplishment of the module Electronic Business and Commerce.
Electronic Banking into the Future
Understanding Electronic Banking
E-banking is defined as the automated delivery of new and traditional banking products and services directly to customers through electronic, interactive communication channels (Federal Financial Institutions Examination Council, 2003).
The "E" can stand for any electronic channel: the Internet, telephone, television or any device that can perform a function electronically. Through such an e-channel customers can access their accounts, transfer funds, make payments, make enquiries and much more.
The Evolution of Electronic Banking
Until the early 1970s functional demarcation was predominant, with many regulatory restrictions imposed on the financial sector (Delving 1995). E-banking has developed since the late 1970s from virtual insignificance to many users worldwide. Electronic banking is, however, the product of several different types of electronic transaction.
Mainframes were the earliest application of computers within the banking sector, used mainly for calculations. Later, as technology advanced, minicomputers were used to process bank inventories, customer accounts, personnel records and accounting, and later still spreadsheets took over much of this work. The purpose of all this technology was to help bankers deliver their work faster, more conveniently and with fewer errors, so as to deliver good customer service. This in turn created competition and pressure on banks, since each bank needs to deliver the best service to maintain a competitive edge.
A survey reported by Techweb News found e-banking to be the fastest-growing commercial activity on the Internet: 13 million Americans carry out some banking activity online on a typical day, a 58% jump from 2002 (see figure).
These advances brought about the evolution of various e-banking elements, mainly to cut the cost of transactions and to speed up payments. This led to the development of specialized elements such as: automated teller machines (ATM), electronic point of sale (EPOS), mobile/telephone banking, PC banking and e-banking kiosks.
Automated Teller Machines (ATMs):
In 1968, ATMs were the earliest well-known machines to give customers electronic access in a public space without the need for human help. They are available 24 hours a day, giving consumers the opportunity to access their bank account at almost any time. From being mere currency dispensers they have become multifunctional, enabling customers to perform a wide range of transactions such as account management, fund transfers and bill payments. This brought about the development of electronic cards such as credit/debit cards.
These are cards carrying a stored value of money: a specific amount of credit is embedded electronically in the card. They can be used to make payments, transfer money and pay bills, which makes transactions fast, easy and convenient.
Electronic Point Of sales (EPOS):
The next step in providing direct customer service came with the extended use of credit and debit cards in merchants' shops through EPOS (electronic point of sale), mainly to cut the cost of transactions and to speed up payments. This led to the development of specialized products such as corporate cash management systems.
PC banking superseded the ATM in the sense that it allowed users to interact with their bank by means of a computer. Instead of having to locate an ATM or EPOS terminal, consumers can view their account balances, request transfers between accounts, request bank statements, view banking information and pay bills electronically from home, using their account information and some details printed on their electronic cards. This works over the Internet, using dial-up or broadband technology to reach the bank's information systems.
A later evolution eliminated the need for customers to deposit cheques at a branch in person: the banking kiosk performs the duty of a bank worker by accepting cheque deposits. A kiosk can also handle personal enquiries, allowing you to check your account balance, print a mini statement and request a cheque book, and it connects to the Internet to carry out transactions through e-banking.
Telephone banking originally meant that users called their bank's information systems from a landline telephone and used the phone keypad to perform transactions and make enquiries, following programmed instructions and answering some questions. Advances in telecommunications have extended this area of electronic banking into mobile banking, in which customers access their accounts through the Wireless Application Protocol (WAP). Wireless is estimated to be growing at more than three times the rate of landlines globally. With the number of connections estimated at 2.6 billion at the end of 2006, and expected to cross 4 billion by this year, mobile banking is set to become a major delivery channel. Some banks are making significant investments in mobile systems to deliver business activities so as to increase efficiency, reduce cost and improve operational effectiveness and customer service.
Hoang: Online banking opens up new markets for banks. Banking products are becoming commodities as consumers gain access to more powerful search and comparison tools on the Internet. The ubiquity of the Internet opens up new horizons for banks to move from local to perhaps even global frontiers. For example, a homeowner searching for the lowest mortgage rate needs only log on to the Internet and be almost instantaneously granted several competing offers. The entire mortgage approval transaction can be conducted from start to finish without any face-to-face contact, and indeed, many homeowners have done exactly this. To this end, the Internet levels the playing field between local and national banks and, to some extent, services do become commodities. (Pennathur, 2001)
Electronic Banking Components
There are various components that contribute to the functioning of the electronic banking elements mentioned above:
- Infrastructure: email and internal network communication systems, ATMs, servers for net-banking, storage area networks (SAN) and item-processing equipment such as MICR encoders.
- Systems and applications: the core banking processing system, operating systems, e-banking applications such as bill pay, system performance monitoring, automated decision support systems and intrusion detection systems.
- Support functions: programming support, security management, network administration, firewall configuration and management, and configuration management.
- Services: disaster recovery services and website design and hosting.
Hoang: a transactional Web site is a bank's Internet Web site that allows customers to initiate inter-account transfers.
An Internet bank is a bank that offers a transactional Web site.
An Internet bank is different from an Internet-only bank, which is distinguished by a lack of physical branches.
An Internet-only strategy will not be profitable (DeYoung 2001a): the pure-play bank is not a financially viable business model. But the Internet is a strategic choice for banks.
Impacts of e-Banking
According to Carol Sergeant of the Financial Services Authority (29 March 2000), experience in Scandinavia (arguably the most advanced e-banking area in the world) appears to confirm that the future is 'clicks and mortar' banking. Customers want full-service banking via a number of delivery channels. The future is therefore 'Martini Banking' (any time, any place, anywhere, anyhow). Banks were traditionally a branch-banking model with two basic competitive advantages, namely brand name and customer relationship. Advances in information technology have turned the banking system around and will continue to influence future banking trends.
Competition in the banking sector means that a bank's success is determined by its ability to deliver innovative products and services in a technologically advanced way that meets the changing needs of the customer. This has both positive and negative impacts on traditional banking.
Changing customer profile:
Initially customers changed bank accounts only in extreme cases, but now it can be done at the click of a mouse, by surfing the Internet for the information banks provide. The cost of changing bank account is very low in electronic banking, which reduces customer loyalty. On the other side there is an overload of information, so customers become confused about whom they are dealing with and on what basis, which leaves them open to scams and fraud.
Market transparency: due to the easy availability of information, banks can learn about new innovative products offered by competitors, accelerating product standardization and commoditization.
Cross-selling: with information about customers' banking trends and preferences available, banks have the potential to cross-sell other financial products and services once they can identify what customers want from the information available online.
Choice and convenience for customers: as customers want better choices, providing unique services is an approach that will retain them. The human touch remains important to customers (Avkiran, 1999); banks need to develop personal relationships with customers because some services customers need cannot be automated. Data mining technology can help in identifying customer needs.
Attracting high-value customers: good customer service through e-channels attracts high-profit customers, who bring more income to the bank because most of them use online channels for many kinds of transactions.
Enhanced image: one of the many advantages of Internet banking over traditional banking is that it is effective, and dealing with thousands of customers within a short period of time is no problem. Because e-banking is customer focused, an attractive banking website with a wide range of innovative products enhances the bank's image, which also helps in effective e-marketing and attracting customers.
Increased revenue: the cost of running the bank is lower, which leads to higher profit margins; running e-banking channels is cheaper than traditional banking, and it also brings a possible increase in the number of customers, customer retention and cross-selling opportunities.
Easier expansion: customers now enjoy bank accessibility round the clock, regardless of their location; they can receive and send money through their account within seconds, apply for a loan, buy or sell stocks and even open new accounts, because there are few or no geographical boundaries. There is no need to build branches, which are usually expensive to set up and maintain, and e-channels can be offered in areas where the bank has no physical presence.
Since e-banking is a technology that provides many capabilities, it also has many potential problems; users find the system difficult to adopt because of fears about its security. Online banking security has become one of the most important concerns for banks, affecting government, businesses, banks, individuals and technology.
Government: electronic banking poses challenges to governmental regulatory law. E-banking also raises concerns about bank reserve requirements, deposit insurance and the consumer protection laws attached to electronic transfers of money.
Businesses: businesses also have concerns about this medium of interaction. Large transfers of money are mostly made by businesses, so they are seriously concerned about the safety of their money. At the same time the medium has the potential to save time and bank charges (a physical deposit usually attracts charges, because the workers employed to attend to customers need to be paid). Another business concern relates to the customer: some customers will not transact with a business that does not offer certain payment methods, e.g. e-transfers and debit cards, which usually results in lost customers. On the other side, if this system becomes widespread, it pushes more buying power to the consumer, which gives businesses reason to accept a wide range of e-transfer systems.
Banks: as competition rises, banks are pressured by other financial institutions to deliver value-added financial services to their customers. Banks make profits by handling financial transactions, by charging customers for some transactions and by investing the money held from customer deposits elsewhere (the 'spread'). The security of the bank's systems is a big concern to them, as most e-transactions are processed by their central computer systems.
Individuals: for individuals the concerns are probably too much information and not understanding whom they are really dealing with and on what basis; in this case they are vulnerable to scams and fraud. Security of the system is most often the individual's concern, mainly unwarranted and unauthenticated access to their accounts; customers are also concerned about the confidentiality of their personal information. Banks have to make sure that customers receive assistance quickly when they need help: a major problem or disaster without a quick reaction by the bank can easily destroy the bank's image. Customers should be brought to trust online banking by showing that the Internet is reliable. Some privacy technologies related to the electronic banking industry are electronic cash and electronic cheques, which will be discussed in the software solution section.
Technology: to enable secure and effective banking transactions, there are three major technology issues that need to be resolved:
- Security: security of transactions is the primary concern of Internet-based industries. A lack of security leaves the banking system open to serious damage; e-banking systems are exposed to hazards when transferring funds, performing online transactions, minting electronic currency, etc. Security issues are discussed further in the next chapter.
- Anonymity/Privacy: customers and other banking partners are seriously concerned about sending confidential and personal information through e-channels, so privacy technology must be strengthened to ensure the secrecy and security of transactions. Private information such as the date and time of a transaction, its amount, and the name of the merchant or customer involved is banking data and needs to be protected.
- Authentication: a transactional website exposes an e-banking system to higher risk, since it permits the transfer of customer information and funds and links directly to the bank's information systems. Very strong controls are needed, because unauthorized access in this environment may lead to fraud or system disasters. Strong authentication and encryption help here, as the bank may be liable for unauthorized transactions and for losses from fraud and unauthorized access to confidential customer information during transmission or storage.
Hoang: Emphasize the focus of the essay: a survey of 23 banker members of the American Bankers' Association board of directors identifies technology concerns as one of the top five issues bankers expect to wrestle with during 2001 (Streeter, 2001).
Demographics indicate that young, affluent customers are the most likely to use online services, and consequently there is an increased focus on developing a strategy to target this clientele.
Financial Performance and Risk:
What is the effect of the adoption of Internet banking on the bank's performance?
- effect on expenses and profitability.
- risk: more or less compared to the non-internet banks? (focus of the essay)
Which factors a bank may consider in its adoption decision?
- markets with a highly educated population are more likely to have customers that will bank through the Internet.
- the competitive situation in its banking market: banks that dominate their market will be among the first to introduce Internet banking. (Pennathur, 2001)
Managing a Robust Electronic Banking System
Since the threat of security compromises is a real concern for many banks today (A.K. Pennathur, 2001), it will also drive the theme of this part of the report, which takes a more systematic approach to electronic banking. After positioning the risks, management will benefit from a look at a secure electronic banking system, both technically and operationally.
Along with the benefits, electronic banking carries risks for banking organizations, and these risks must be balanced against the benefits (Basel Committee, 2001).
In this section, the report reviews the many risks inherent in online banking, grouped into four categories: operational/security, legal, reputation and traditional banking risks. Where necessary, the report also briefly discusses approaches to the risks mentioned, especially security risk.
Security can be compromised via both internal and external operational networks.
Internally, security is put at risk by unauthorized use of a computer by a bank employee, who can then manipulate data to alter account balances, misappropriate funds or perhaps wipe out a friend's loan account.
DDoS and Brute-force Attacks
A bank can be hacked externally and account information stolen, or the bank website can be shut down by a DDoS (distributed denial of service) attack.
To enhance security, two-factor authentication has been introduced. A PIN calculator (also called a PIN card or hardware token), which generates dynamic one-time PINs, is an example. The customer is required not only to know something (a secret PIN) but also to have something (the PIN calculator, which is activated only by the secret PIN known to the customer) in order to carry out a transaction.
By combining simple brute-force attacks with distributed denial-of-service (DDoS) attacks against a bank's login procedure, attackers can not only gain access to a few accounts but also prevent numerous legitimate customers from accessing theirs: guessing a short PIN against a large number of accounts opens some of them, while the failed guesses trigger the lockout mechanism that is meant to stop guessing and so lock out the legitimate owners. Such a combined attack is also effective when the bank's customers use PIN calculators. Possible solutions include using a public key infrastructure (PKI) and, simply yet effectively, choosing the length of the PIN according to the projected number of customers (Hole et al, 2006).
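The following Go program is an added worked example, not code from the original report or from Hole et al.; it puts numbers on the attack just described. It assumes PINs are chosen uniformly at random (real PINs are not, so the figures are optimistic for the attacker) and that the attacker can make a fixed number of guesses per account before the lockout fires. The customer count, PIN length and lockout threshold are constructed values for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// ExpectedCompromised models the "horizontal" brute-force attack: the attacker
// tries guessesPerAccount PINs against every one of the customers' accounts,
// staying under the per-account lockout threshold. With a uniformly chosen
// pinDigits-digit PIN each guess succeeds with probability 1/10^pinDigits, so
// the expected number of opened accounts is customers*guessesPerAccount/10^pinDigits.
// Per-account lockout does nothing against this: each account only ever sees a
// handful of attempts.
func ExpectedCompromised(pinDigits, customers, guessesPerAccount int) float64 {
	space := math.Pow(10, float64(pinDigits))
	return float64(customers) * float64(guessesPerAccount) / space
}

// ProbAtLeastOne is the probability that the same attack opens at least one account.
func ProbAtLeastOne(pinDigits, customers, guessesPerAccount int) float64 {
	space := math.Pow(10, float64(pinDigits))
	pPerAccount := float64(guessesPerAccount) / space
	return 1 - math.Pow(1-pPerAccount, float64(customers))
}

// MinPinDigits is the provisioning calculation referred to in the text: the
// smallest PIN length for which the expected number of accounts opened by the
// horizontal attack stays below maxExpected for the projected customer base.
func MinPinDigits(customers, guessesPerAccount int, maxExpected float64) int {
	for d := 1; d <= 20; d++ {
		if ExpectedCompromised(d, customers, guessesPerAccount) < maxExpected {
			return d
		}
	}
	return 20
}

// GuessesToLockAll is the denial-of-service half of the combined attack: the
// number of failed login attempts needed to trip the lockout on every account
// when lockoutThreshold failures lock an account.
func GuessesToLockAll(customers, lockoutThreshold int) int {
	return customers * lockoutThreshold
}

func main() {
	// Constructed scenario: 4-digit PINs, one million customers, 3 guesses per
	// account (one below an assumed lockout threshold of 4).
	fmt.Printf("expected accounts opened: %.0f\n", ExpectedCompromised(4, 1_000_000, 3))
	fmt.Printf("P(at least one opened): %.4f\n", ProbAtLeastOne(4, 1_000_000, 3))
	fmt.Printf("PIN digits for <1 expected compromise: %d\n", MinPinDigits(1_000_000, 3, 1))
	fmt.Printf("guesses to lock every account at threshold 3: %d\n", GuessesToLockAll(1_000_000, 3))
}
```

With a million customers and 4-digit PINs the attacker expects to open about 300 accounts with only three guesses each, and three million failed logins lock everyone out; the same model says seven digits are needed before the expected number of compromised accounts drops below one. That is why the text treats PIN length as a provisioning decision tied to the customer base rather than a fixed convention, and why a second factor matters even when the PIN is long.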
Banks also face the threat of viruses being planted in the bank network.
A further scenario is extortion: a hacker obtains confidential information and then cyber-extorts the bank with an offer to sell the information back.
Smaller banks often outsource their web operations. Outsourcing adds a monitoring burden for the bank, as internal controls may not extend to vendors who perform critical functions. This operational risk is defined as the potential for loss due to significant deficiencies in system reliability and integrity (Basel Committee, 1998).
Other security risks include:
- Hardware and/or software failures, disruptions, failures of protections, and system or database compromise; these are all administrative concerns.
- Inadequate controls, policies, procedures also create operational risk.
- Technological obsolescence is another risk faced by banks.
- Customer misuse, either intentional or unintentional, also impacts operational risk.
There seems little doubt that the way of the future is increased use of online banking facilities, as the technology is evolving and changing rapidly. But as usage increases, so do the risks. The next groups of risks are legal and reputation risk.
Legal risk can arise due to violation of laws, rules and regulations.
Reputation risk is a consequence of operational and legal risk. It may arise from any security breach or fraud, or simply from customer dissatisfaction with online services. For example, spoofing (a fake site impersonating the bank) can lead to loss of trust between customers and the bank.
Traditional Banking Risks
Traditional banking risks include interest rate risk, credit risk or liquidity risk. These risks can be exacerbated for a bank that has a significant online lending and/or transactions presence.
The major source of risk is credit risk, as it is for non-Internet banks.
The Basel Committee has identified 14 risk management principles for electronic banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities (Basel Committee 2001, see Appendix 1).
A Secure Electronic Banking System
Basically, a secure electronic banking system requires three things: a secure communication channel between the bank and its customers, mechanisms to protect the bank's internal network from external networks, and mechanisms to authenticate customers.
A Secure Communication Channel
Three cryptographic protocols are used to encrypt the communication between the bank and its clients: SSL, TLS and WTLS.
Secure Socket Layer (SSL) is a protocol
The IETF adopted SSL for its Transport Layer Security (TLS) protocol. Basically,
TLS was adapted by the WAP Forum into Wireless TLS or WTLS in order to
Conceptually, all three protocols serve the same purpose: a secure channel between client and bank. With regard to the CIA model, a useful framework for those thinking about security within their organizations (Chesher, Kaura and Linton, 2003), the three protocols make sure that data transferred between the parties is kept secret (C, confidentiality) and that tampering is detected (I, integrity). They also authenticate the bank's server to the client through the server's certificate, provided the client actually checks that certificate against a trusted authority and against the bank's name; this is what stands between the customer and a spoofed bank site.
Non-repudiation prevents an entity from denying previous commitments or actions. For example, a bank should be able to prove to a third party that a user performed a certain transaction, in case that user denies having performed it (Claessens, 2002).
One advantage of this group of cryptographic protocols is that it can be used beneath almost any application protocol. However, it does not provide non-repudiation: the session keys are shared by both ends of the channel, so anything the bank receives over it could in principle have been produced by the bank itself, and a third party cannot tell the two apart. An electronic banking system should therefore implement a non-repudiation mechanism, such as a customer digital signature over each transaction, on top of this secure communication channel.
Protecting the Internal Bank Network
Filtering router or a firewall forms a barrier between the outside Internet and the internal bank network (see Figure).
Along with an encrypted communication channel, authenticating clients is also crucial to a secure electronic banking system. The report will discuss methods used in electronic banking system to authenticate clients in this section.
Password and PIN
Password and PIN are still the dominant method of authenticating users accessing electronic banking systems. The reason is the unarguable ease of use and implementation of this method across many kinds of systems. As a one-factor authentication,
What about TAN?
Instead of sending the secret itself to the bank, the customer can respond to a random challenge with a value computed from that secret, and thereby identify himself to the bank without the secret ever crossing the channel.
There are two types of challenge/response schemes: symmetric and asymmetric. An example of asymmetric challenge/response is ... .
Public Key Cryptography
Public key cryptography is the basis of any public key infrastructure (PKI). PKI is a strong means of customer identification in which each customer owns a key pair: a public key and a private key.
The public key is an electronic value used by the bank to identify the customer. The private key is mathematically related to the public key: a signature created with the private key can be verified with the public key, but the private key cannot be derived from the public one. As the name indicates, the private key must be accessible only to the customer. The private key is used to create an electronic identifier called a digital signature, which uniquely identifies the customer (see Figure for an example of an authentication session between a customer and her bank).
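As an added example (not code from the original report, nor from Claessens et al. or Sklira et al.), the Go program below shows the mechanisms of the last few paragraphs working together: a customer key pair, a digital signature over a transaction that the bank verifies using only the public key (the non-repudiation mechanism that the TLS channel itself does not provide), the asymmetric challenge/response login, and, for contrast, the symmetric HMAC-based challenge/response. The transaction fields, account numbers and shared secret are constructed for illustration; enrolment of the public key with the bank and its certification by a CA are assumed to have happened and are not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Transaction is a constructed example of the data a customer authorises.
type Transaction struct {
	From, To string
	Amount   int64  // minor units; never floats for money
	Currency string
	Nonce    string // fresh per transaction so a captured signature cannot be replayed
}

// canonical gives a fixed-order encoding; the signature covers exactly these bytes,
// so bank and customer must agree on it byte for byte.
func (tx Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("from=%s|to=%s|amount=%d|currency=%s|nonce=%s",
		tx.From, tx.To, tx.Amount, tx.Currency, tx.Nonce))
}

// EnrollCustomer generates the customer's key pair. In a real deployment the
// private key lives in a smart card or token and the bank (or its CA) certifies
// the public key; here it is generated in software for illustration.
func EnrollCustomer() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignTransaction: the customer signs the SHA-256 digest of the canonical transaction.
func SignTransaction(priv *ecdsa.PrivateKey, tx Transaction) ([]byte, error) {
	digest := sha256.Sum256(tx.canonical())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyTransaction: the bank, or later a court or auditor, checks the signature
// with the public key alone. Nothing the bank holds lets it forge such a signature,
// which is what makes the record usable for non-repudiation.
func VerifyTransaction(pub *ecdsa.PublicKey, tx Transaction, sig []byte) bool {
	digest := sha256.Sum256(tx.canonical())
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// NewChallenge returns a fresh random challenge for one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// RespondToChallenge is the asymmetric challenge/response: the customer signs the
// challenge instead of sending a secret.
func RespondToChallenge(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyChallengeResponse is the bank's side of the asymmetric login.
func VerifyChallengeResponse(pub *ecdsa.PublicKey, challenge, response []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], response)
}

// SymmetricResponse is the symmetric variant: an HMAC of the challenge under a
// secret shared with the bank. It authenticates the customer to the bank, but since
// the bank holds the same secret it could have computed the tag itself, so the tag
// proves nothing to a third party.
func SymmetricResponse(sharedSecret, challenge []byte) []byte {
	m := hmac.New(sha256.New, sharedSecret)
	m.Write(challenge)
	return m.Sum(nil)
}

// VerifySymmetricResponse compares in constant time to avoid timing leaks.
func VerifySymmetricResponse(sharedSecret, challenge, response []byte) bool {
	return hmac.Equal(SymmetricResponse(sharedSecret, challenge), response)
}

func main() {
	priv, err := EnrollCustomer()
	if err != nil {
		panic(err)
	}
	// Constructed account numbers and amount.
	tx := Transaction{From: "1234.56.78903", To: "9876.54.32109", Amount: 150000, Currency: "NOK", Nonce: "7f3a"}
	sig, _ := SignTransaction(priv, tx)
	fmt.Println("signature valid:", VerifyTransaction(&priv.PublicKey, tx, sig))
	tx.Amount = 1500000 // someone in the path alters the amount
	fmt.Println("after tampering:", VerifyTransaction(&priv.PublicKey, tx, sig))
	ch, _ := NewChallenge()
	resp, _ := RespondToChallenge(priv, ch)
	fmt.Println("challenge", hex.EncodeToString(ch[:4]), "accepted:", VerifyChallengeResponse(&priv.PublicKey, ch, resp))
}
```

The nonce in the transaction and the fresh challenge per login are what stop an eavesdropper from replaying a captured signature; the canonical encoding is what stops an argument about which bytes were signed. A PIN calculator that answers a bank-issued challenge is the hardware form of the same challenge/response idea, usually symmetric, so it authenticates well but does not by itself give the bank non-repudiation.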
The certification authority (CA), which may be the bank or its service provider, issues digital certificates that attest that a particular public key and the corresponding private key belong to a specific individual or system (Sklira et al, 2003).
An example of CA is... .
Token-based methods require customers to demonstrate possession of a physical object (a token) that is unique to them. As one part of two-factor authentication, a token strengthens security and can therefore be combined with any of the previously mentioned methods. For example, the private key can be stored in a token known as a smart card. Password-generating tokens provide an effective defence against password guessing because the token generates a new password at specified intervals or provides a unique password in response to a challenge message sent by the bank (Sklira et al, 2003).
Biometric methods make use of unique biological traits of individuals such as voice, fingerprints, face geometry or retina. Banks can use biometric methods in either single-factor or multi-factor authentication. An example is the use of a retina scan at an ATM as a complementary step to the two-factor authentication of PIN and smart card. Biometric methods are costly and should therefore be carefully considered by management based on the level of security required.
Management today faces many challenges when dealing with electronic banking, even when a secure system is already in place. In this section, two strategic areas will be discussed: risk management and return on investment.
Besides traditional bank risk management practice, managers are encouraged to develop risk management specifically for electronic channels. Risk management in electronic banking should cover all the categories of risk mentioned in the first section of this part of the report. Obviously, any initiative in managing risks should not be separate from the daily operations of the bank; it should be an integrated part of all aspects such as human resources, regulation, planning and operations.
However much is said about the advanced technologies that should be employed to secure the electronic banking system, it remains true that "the ultimate threat to computer security is the insider". To address internal breaches, pre-employment screening should be carried out vigilantly for all employees and completed before their first day at work. Where work is outsourced, whether the hiring process or operations, management need to make sure that the vendors follow the same pre-employment process for their personnel.
Training should be an ongoing process for bank personnel (A.K. Pennathur, 2001). Banks should document all the risks related to electronic banking, as well as their risk tolerance and how they monitor the risks. More importantly, those documents should be studied and ms
Incident Response and Contingency Planning
Return on Investment
Return on investment has always been the biggest concern for management, and electronic banking is no exception. One of the key areas of concern facing managers involved in the future development of electronic banking is the strategy towards online banking and e-commerce. Most of the time, management is not only worrying about the increased risk and regulatory burdens but also struggling with the logistics of electronic banking, the costs of upgrading, and the fact that there is no real revenue stream from these activities (A.K. Pennathur, 2001). It comes down to choosing the appropriate method and technology to employ.
Cost and Security
Security measures are needed to address security risks and the costs associated with them. However, the measures themselves also impose costs, and here lies the challenge for management.
The ultimate strategy
The ultimate strategy this report wholeheartedly suggests to management in the field is to approach electronic banking as only one of many delivery channels for banking services. Electronic banking, integrated with other channels, creates a 'hybrid marketing system' which ultimately increases market coverage, because multiple channels provide access to multiple segments. To manage the electronic banking system successfully within a well-integrated hybrid marketing system means exploiting the electronic channel without letting it overlap with other channels, avoiding competition between channels for the same customer. Ultimately, it is the service provided that decides profitability, not the channel through which it is delivered (A.K. Pennathur, 2001).
- Pennathur, A.K. (2001) "Clicks and Bricks": Risk Management for Banks in the Age of the Internet, Department of Economics and Finance, College of Administration and Business, Louisiana Tech University, P.O. Box 10318, Ruston, LA 71272, USA.
- Claessens, J., Dem, V., De Cock, D., Preneel, B. and Vandewalle, J. (2002) On the Security of Today's Online Electronic Banking Systems, Computer Security and Industrial Cryptography (COSIC), Dept. of Electrical Engineering - ESAT, Belgium; Computers & Security, Elsevier Science, Great Britain.
- Sklira, M., Pomportsis, A.S. and Obaidat, M.S. (2003) A Framework for the Design of Bank Communication Systems, Computer Communications 26, pp. 1775-1781, Elsevier.
- Basel Committee (1998) Report, Basel Committee on Banking Supervision, Bank for International Settlements.
- Basel Committee (2001) Risk Management Principles for Electronic Banking, Basel Committee on Banking Supervision, Bank for International Settlements.
- Hole, K.J., Moen, V. and Tjøstheim, T. (2006) Online Banking Security - A Case Study in Norway, IEEE Security & Privacy, IEEE Computer Society.
- Chesher, M., Kaura, R. and Linton, P. (2003) Electronic Business & Commerce, Springer, London.
- Daniel, E. and Storey, C. (1997) On-line Banking: Strategic and Management Challenges, Long Range Planning, Vol. 30, No. 6, pp. 890-898, Elsevier Science Ltd, Great Britain.