e-finance
e-finance log in to the future!
v.c. joshi
Response Books
A division of Sage Publications New Delhi/Thou...
71 downloads
1533 Views
674KB Size
Report
This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form
e-finance
e-finance log in to the future!
v.c. joshi
Response Books
A division of Sage Publications New Delhi/Thousand Oaks/London
Copyright © V.C. Joshi, 2004 All rights reserved. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording or by any information storage or retrieval system, without permission in writing from the publisher. First published in 2004 by
Response Books A division of Sage Publications India Pvt Ltd B–42, Panchsheel Enclave New Delhi – 110 017 Sage Publications Inc 2455 Teller Road Thousand Oaks California 91320
Sage Publications Ltd 1 Oliver’s Yard 55 City Road London EC1Y 1SP
Published by Tejeshwar Singh for Response Books, typeset in 10.5 pt. Book Antiqua by InoSoft Systems and printed at Chaman Enterprises, New Delhi. Library of Congress Cataloging-in-Publication Data Joshi, Vasant C., 1932– E-finance : log in to the future! / V.C. Joshi. p. cm. Includes bibliographical references and index. 1. Financial services industry—India—Computer networks. 2. Internet banking—India. I. Title: E-finance. II. Title. HG187.14J68
332.1′0285′4678—dc22
ISBN: 0–7619–3261–5 (US-PB)
2004
2004010819
81–7829–395–1 (India-PB)
Production Team: Leela Gupta, R.A.M. Brown and Santosh Rawat
contents list of tables list of figures preface 1. Whither E-Finance? difficulties in transition the organizational response recent trends in Internet penetration return on IT investment
viii ix x 1
2. Developments in India internet usage in India internet for underdeveloped countries micro level considerations
15
3. Which Way Should We Take? the changing economic rationale arrangements for implementation the on-line value chain
30
4. E-Finance Products and Services e-money e-trading e-procurement
44
5. E-Trading changing roles global developments impact on market architecture trading in foreign exchange trading in fixed income securities
54
6. E-Banking what led to e-banking? choosing the ASP bank websites stand-alone e-banking planning and development products and services retail banking
68
7. Marketing marketing for intangibles integrating marketing with business planning marketing objectives review of strategies
93
8. Risk Management analysis of risk risk assessment potential threats
109
9. Insurance and E-Banking BIS recommendations the insurance sector alternate trading systems
124
10. Cyber Crimes types of crimes why do they happen? problems of enforcement
132
11. Network Security losses due to breaches types of security failures control devices managerial checklists
139
12. Cyber Law in E-Commerce and E-Finance the incidence of cyber laws parity with digital documents problems of acceptance in courts the Indian IT Act, 2000
167
vi contents
13. Regulatory Issues regulating alternate trading systems regulating insurance companies regulating banks BIS recommendations references index about the author
184
201 208 220
vii contents
list of tables 1.1 E-finance Penetration in 1999 6 4.1 New Ways of Paying On-line 47 6.1 Internet and Non-internet Banks—A Dynamic Analysis 73 6.2 Internet and Non-internet Banks—Selected Balance Sheet Ratios (a) Loan Comp. (b) Funding 74 10.1 Cyber Crimes and Their Effect 135
list of figures 7.1 Marketing Plan in Corporate Plans 7.2 Supplier Reach 8.1 Analysis of Risk
98 102 110
preface
T
he last five years have witnessed radical departures in the way the financial services industry operates and delivers its products. The changes are not restricted to a few developed countries but are almost all-pervasive. India is no exception to this general tendency. The pace of change may be slow, but the sign-posts are clear. Many banks and financial institutions have made their intentions publicly known. Banks such as HDFC, ICICI and some foreign banks like Citibank and ABN Amro, have already made some of these services available to their customers. It is now almost impossible for other institutions to ignore the competitive pressures and have no choice but to adapt to the changed circumstances. However, the change implies much more than acquiring new technology or adding some equipment. It means adopting a new way of doing business and going along paths hitherto unknown. It would also imply a fundamental rethinking about the investments to be made, the products and services to be offered, the marketing of these products, the management of security aspects and the risk profile, etc. Obviously, such changes cannot be brought about without detailed planning and thorough commitment at all levels. During seminars or various training sessions and meetings of staff unions/associations, it was noticed that such blue prints were conspicuous by their absence. They were at the drawing board level or were only available to a few at the top. This book is in a sense, a need answered as many
employees are totally unaware of the magnitude of changes that are in store for them. It begins by looking at the environmental factors favouring such a change and examines the feasibility of profitable implementation of such changes. The focus of the entire discussion is on a single entity, say a bank or a broking house wishing to implement such a change. Particular attention is paid to an organization’s financial strength as shown in its financial statements. The Indian scene is examined in some detail to see if the external factors are conducive to such developments, like the returns on these investments. The recent controversies on the subject are critically examined. Organizations have various options, from having an information website to a fully private secure channel for some of its customers, etc. The steps to be taken and the organizational arrangements that need to be in place are also considered. Equally important are the choices relating to products and, some suggestions are made about possible developments. Ebroking, e-banking and related activities are examined in some depth. A very critical element that pertains to the marketing of intangible products and a number of steps that an organization could take in this regard are also proposed. A major cause of concern is the ‘Risk Aspect’. Similarly, the security of the network, computer crimes and laws relating to IT are covered, with the emphasis on deciding the systemic changes needed to effectively deal with the changed legal setup. The regulatory framework is in a state of evolution and attempts made by BIS, the insurance regulators, the Securities and Exchange Board of India (SEBI) and the Securities and Exchange Commission in the US are dealt with. This is not intended as a do-it-yourself handbook. We have endeavoured to cover theoretical aspects wherever the need for such an examination was thought essential. An author without organizational support has necessarily to depend on a vast number of people to help him with a diverse set of requirements, which arise when preparing such xi preface
a book. We have drawn on various sources and only limitations of space make it impossible to acknowledge them individually. An omission does in no way indicate the importance attached to the respective article, book, or paper. Our grateful thanks are due to all these authors. The number of persons who gave their valuable time is far too large for a complete enumeration. We would be failing in our duty if we did not mention the names of at least some, who bore a major brunt of our unceasing demands. Achala Deshpande painstakingly collected source material and sent it in a form readily accessible on our somewhat outdated PC. Dr Shrirang Godbole went out of his way to collect material through painstaking searches over the Internet. I must particularly mention Sameer Deshpande’s invaluable aid in typing and organizing the material. The National Institute of Bank Management (NIBM) library and the members of the staff working there have been ever willing to take out copies, look for old issues of journals etc., and I have no hesitation in saying that the book would not have taken this form had it not been for their help. I am deeply grateful to Vinay Joshi for his relentless questioning, criticism, suggestions and also thorough and steady supply of the latest reference material. My heartfelt thanks to Satish Marathe, Chairman, United Western Bank, and Dilip Patwardhan, Executive Director, United Western Bank, both of whom readily provided material, reports, etc., and also patiently answered questions. My editors at Response Books are embodiments of patience and perseverance. Their nagging persistence led not only to improvements in presentation but also resulted in certain fundamental rearrangements. I am profoundly thankful to them. Finally, a word of thanks to my wife for her constant support and encouragement to complete this book. I have nothing but gratitude for her. V.C. Joshi xii preface
one
whither e-finance?
T
he financial services industry in India has undergone a transformation since the process of liberalization and deregulation initiated during 1991–1992. Initially, as the Narsimham Committee highlighted in its report, only the ‘mandated’ changes were implemented. However, the last three years have witnessed major systemic changes that are being initiated in an aggressive manner by quite a few financial institutions such as HDFC and ICICI. The reasons for such changes are not far to seek. The competitive pressures exerted by such banks using e-banking as an additional distribution channel, the market perception about some banks not being technically savvy and its impact on their share prices and the changing customer profile (particularly the high networth segment), could be cited as some of the important reasons for bringing about a marked change in their approach.
Difficulties in Transition However, the transition is not likely to be smooth and could lead to significant losses if undertaken in a hasty, haphazard manner. The change represents adopting a new way of life and would necessitate rethinking a whole range of policy issues, like the future of branches, and marketing of services. Some of these issues are highlighted in the chapters that follow. The choices before the management of an organization are indeed difficult. Decisions on whether or not to go in for an 1 whither e-finance?
additional delivery channel will affect the organization’s future working significantly. Before undertaking a thorough examination of the issues involved, it is necessary to note some general characteristics of organizational responses to the major (some would say epoch-making) changes referred to earlier, and with this background in view deal with the other issues.
The Organizational Response Large organizations are very often reluctant to make radical departures from the road traversed successfully. Departments, which are major contributors to profits in such organizationing are not prepared even to contemplate developments which appear to be risky as they are afraid that the new technology could end up cannibalizing their markets and destroying their divisions. One sometimes wonders if large organizations are good at fully developing and commercializing technologies. The issues have moved from the narrowly technical, into fundamental questions of how to organize one’s markets and bring about the other required changes, such as developing customer loyalties, new marketing strategies, new investments and introduction of new products. The policy risks are high. Perhaps this factor, rather than any other, accounts for the Asian Banking Survey (2000) result on financial institutions’ preparedness to meet new challenges. According to the Survey: We asked analysts and harassed half a dozen bankers . . . Whom they would consider a veritable 24-carat e-banking savvy CEO? We were referring to a CEO who could articulate an integrated electronic banking strategy, has taken decisions in that direction, and demonstrated an ability to lead his or her bank into ebanking. We could not even get five names. The responses, sometimes slow and deliberate, sometimes drawing a complete blank, was telling, of how few CEOs are ready to lead their 2 e-finance
organizations into the e-banking arena. The answers given by some of the respondents are revealing and in fact, force one to undertake a thorough analysis before recommending a course of action. Anderson Consulting answered—‘None really jumps out’; ABN Amro: ‘We cannot think of anyone’.
The survey has, no doubt, led to some very interesting causal connections being inferred. The failure of dot.com companies during the years 1999–2001 had created an impression that the bubble had not only burst, but that it was more or less the end of electronic and Internet activities. The fact that a large number of successful organizations embraced the change and implemented it successfully had been ignored for quite a while. Against such a background, one needs to build a very strong case favouring the changeover to Internet finance. There are strongly held views against the changeover and organizations need to be convinced that such a changeover is crucial. Equally important is the fact that new markets are hard to imagine and harder even to assess quantitatively. Established customers and suppliers shape companies’ assumptions about how their industry will unfold. There is a danger that financial institutions may become locked into a set of arrangements that preclude them from grasping the advantages of innovation. Going a step further, it could be said that the more effectively a company is tied into its network, the more likely it is to sustain a course of innovation that maintains its market position. Firms are reluctant to undertake radical innovation. Large and established firms are not good at generating disruptive technologies. They are often blindsided by technological breakthroughs that alter their existing markets, existing procedures and systems of work. They prefer to play chess, rather than poker! Even then, translating these aspirations into concrete plans is going to be an extremely difficult task. The arguments thus far are too general and specific questions impinging on the problems relating to e-finance need to be dealt with. Thus, a survey of the developments in the world of e-finance are carried out and an analysis made of the 3 whither e-finance?
objections normally raised for and against going ahead with such changes. There is as yet, no commonly accepted definition of efinance. After a scrutiny of available sources, it appears that the Organisation for Economic Cooperation and Development (OECD) definition comes closest to what is thought of as an appropriate definition: An Electronic Finance transaction is a financial transaction that depends on the internet or a similar network to which households or non-financial enterprises have access. A trade in electronic finance is the part of an electronic finance transaction that relates to the exchange of remunerated financial services.
Recent Trends in Internet Penetration On-line transactions have gained acceptance as a conduit for financial transactions, though the channel is not even a decade old. In the B2B segments, growth in e-finance has been explosive. Companies increasingly use Internet-based systems to cover the entire range of their financial needs—from bill payments to asset management and even for insurance products, such as employee benefits. Small companies with two or three employees also depend on these channels for online transactions, and in fact, the number of clients has doubled since the 1990s to current levels of 40–50 million in 2002. A word of caution at this stage is necessary. Data in respect of Internet transactions is not yet authentic. The gaps are significant and extrapolated results need to be taken with a pinch of salt. However, the possibilities of growth in this area are enormous due to the fact that: New providers are emerging within and across countries. They include on-line brokers and aggregators (companies which allow consumers to compare financial services). Non–financial entities have entered the market. Utility and telecommunication companies are now providers of payment services. 4 e-finance
Vertically integrated financial services companies are growing rapidly and creating synergies by combining brand name distribution networks and financial service products. Trading systems are becoming global. Risk management is being addressed through continuous mark-to-market (valuation of your investments on a daily basis by referring to market rates obtained at a given moment) and collateral arrangements. For most financial services, economies of scale and scope are unlikely to be sufficient barriers for entry. According to a World Bank study in 2000: E-finance has great potential to improve the quality and scope of financial services and expand opportunities for covering trading risks and can widen access to financial services for a much greater set of retail and commercial clients by offering more cost effective services.
At this stage, it is also necessary to look at the developments in the field of mobile telephones. Globally, there are two distinct trends. In the US, the PC- based connectivity model is the one widely prevalent, while in Japan there is greater importance given to mobile phones and hand-held devices. India is also witnessing a tremendous surge in the use of mobile phones and in response to this phenomenon, some banks have begun to offer on-line/broking services in New Delhi and will soon offer them in other cities. The growth in usage of mobile phones and its impact on users and service providers is examined in greater detail in chapter three. Thus, it appears that the additional access facilities have increased greater usage of the Internet. Some factual information regarding Internet penetration is given below in Table 1.1, which shows the global developments in e-finance. The difficulties in extrapolating have been referred to earlier in this chapter. Further, having an e-banking account does not automatically imply using it to the fullest extent. Nor 5 whither e-finance?
Table 1.1: E-finance Penetration (end 1999)
Income Group/ Economy
Industrial country average Australia Belgium Denmark Finland France Germany Italy Japan The Netherlands Norway Portugal Spain Sweden United Kingdom United States Emerging market average Argentina Brazil China Czech Republic Hong Kong China Hungary India Korea Rep. of Mexico Poland Singapore Thailand Average for all economies
On-line Banking (Customers as Percentage of Bank Customers)
On-line Brokerage (Transaction as Percentage of Brokerage Transaction)
8.5
28
434
8.2
4 4 6 20 2 12 1 15 8 2 2 31 6 6 4.9
22 20 38 18 32 16 32 40 25 7 8 55 26 56 27
10 1192 110 1 73 7 1898 1059 589 251 418 3 35 27
8.1 8.2 8.4 8.2 8.2 8.3 7.7 7.4 8.8 8 7.6 8 8.3 8.8 8.7 7
3 5 1 5 6 11 13 3 1 5 1 6.9
6 3 90 1 2 65 41 10 28
1 351 1 2 332 1 317
7.2 6.4 5.9 7 8.5 7.1 6 7.3 6.8 7.2 8.6 7.3 7.5
6 e-finance
E-Money Business (No. of EnvironMerchant ment Terminals Ranking per 2000 100,000 2004 People)
are the figures overwhelmingly supportive of a particular course of action and the arguments need to be examined in some depth. The growth during the years 2000–2002 has been fairly slow. Young adults aged between 15–34 use the Internet more frequently while senior citizens are reluctant to use new technology. The projections, while optimistic, suggest that worldwide Internet usage may hit the billion mark in three years (Nua.com-Dublin). In May 2002, the Global Internet Trends report showed that a total of 580.78 million people were connected to the web as of May 2002. This means that Internet penetration worldwide was almost 10 per cent. Internet usage in the Asia-Pacific region has also risen dramatically in the last few years and now claims 167.86 million people with access to the web. In fact, many financial institutions and others engaged in the field of e-commerce consider that over a period of time it would offer immense opportunities for business on line. The figures by themselves do not necessarily mean that all these users will be potential clients of financial institutions. However, before they can even think of a relationship it will be necessary for them to have access to the Internet. It is quite likely that e-finance activities will grow and it is clear that there is a potential untapped demand. However, are these activities economically viable? Finance executives must examine the economics of the business carefully before entering into it.
Return on IT Investment There is a growing awareness that all IT expenditure does not automatically qualify for being described as a sound investment. Returns on such investments and consequent improvements in productivity are being questioned. This chapter examines these arguments in some detail, as these areas have not been given enough attention. Worldwide, billions of dollars are spent in support of IT requirements. However, many of 7 whither e-finance?
these firms have little to show after so much money is spent. An unacceptable fact is that a large percentage of the resources expended on IT by financial institutions seem to disappear into a veritable black hole. A review of US government expenditure on software shows the extent of such misutilization—48 per cent of the software projects are paid for but never fructify. Of those delivered, 30 per cent are never used, while 20 per cent are abandoned. Only two per cent are ever used. Firms that fall too far behind in the IT race stand to lose much more than their competitive advantage. The demise of many distinguished investment banks could be attributed to the trade-processing systems that are not up to the mark. It can be emphatically said that there is no substitute for active senior management support and involvement for IT investments to be beneficial. But questions far more serious than mere implementation aspects have been raised. The Financial Times in its IT review section (FT 4 June 2003) suggests that ‘information technology systems have lost their way and may have failed to deliver what they promised to business. In the use of technology to transform business something has gone wrong’. At some point during the 1990s, while IT innovation began to flower, something appears to have gone wrong. The following reasons are cited as the likely sources for the problem: The new computing technology (or architecture) liberated users from the tyranny of the mainframe, but exposed them to the failure of technology management. The new client/server architecture brought new control to the individual user in the shape of a desktop PC. It also transferred the power to IT managers who ensured that the departmental level applications were developed to run the processes vital for Internet activity. However, these managers tended to lose sight of the bigger picture. The new Internet technology did not survive in isolation. IT had to fit into a complex system and adapting to earlier 8 e-finance
generation computers became a major problem. Corporates that relied on proprietary architecture rejected these aspects. Components developed rapidly but lacked critical elements. This problem stems from the incompleteness of technology. While individual applications have proliferated, the tools needed to knit them together have been lacking. Technology did not align itself with business management—technology vendors blame the management and management blames the vendors. The fact is that there is a high rate of IT project failure. Low utilization of IT assets is another symptom of that malady. Its capacity utilization is barely 50 per cent. Finally one could refer to the high cost of maintenance of corporate information systems. ‘The proportion of IT budgets in just keeping the lights on and the business running is far too high’. (FT, 2003). However, these are not insurmountable problems. The development of integrated systems and build-up of industry standards are possible solutions. In this context, Nicholas Carr, of HBR, has raised a fundamental issue relating to IT— is IT an infrastructure technology? He further notes that five per cent of the capital expenditure of US companies was initially made on IT. In the 1980s, it rose to 15 per cent and by 1990, it had risen to 30 per cent. India is also witnessing the same trend. A number of Indian banks, have announced plans to spend billions of rupees on IT in the next few years. Carr further adds that there is a general belief that its potency and strategic value has increased. He however, questions these assumptions and makes the following observations in support of his argument that IT has all the hallmarks of an infrastructure technology. According to him, it is first of all a transport mechanism and is more valuable when shared than when used in isolation. He further adds: 9 whither e-finance?
What gives the resource a basis for sustained competitive advantage is its scarcity and not its ubiquity. Proprietary technologies may afford advantages in the short term. But infrastructure technologies afford advantages only when they are shared such as telephones, roads, etc.. Perception of market changes is of value up to a point. It is thus obvious that a very critical assessment is necessary before a decision is taken to make such an investment. However, underinvestment in technology can also be shortsighted. Further, it must be kept in mind that these are essentially tools for thought. Organizations will have to make their own strategic decisions. In these matters, the smart deployment of funds (where and when to invest) and the timing alone would ensure a sustainable, differential advantage. Financial Institutions have to decide if they should be leaders or followers who wait till the costs come down. These are thorny questions and would need to be carefully analyzed. Productivity gains mainly come from managerial innovation. Fundamental changes in the way companies do business can be brought about through technology deployment along with improved processes and capabilities. These alone would account for productivity gains and innovations. In most group discussions on the subject, there is generally a reference to the failure of dot com companies in the year 2000 and thereafter. The fact that the Chief Executive Officers (CEOs) of such companies made huge profits personally while their companies became bankrupt, lends a certain moral indignation to the tenor of the discussion. The failure of these companies could be attributed to a number of factors. The principal one was the exaggerated claims made by them. For example, in the case of stand-alone e-banks, it was suggested that the negligible transaction costs of these banks would force traditional branch banking out of business and that we would have banking, but not banks and 10 e-finance
their branches. With this end in view, huge amounts were spent on advertising and the basic rudiments of commercial banking were cast aside. The rates charged to the borrowers were less than the ones paid to their deposit customers. The reduced costs could not compensate for such losses, thus the resulting failure was a foregone conclusion. There is another aspect which is perhaps more significant. Obviously, organizations with an established customer base and a network of branches could not let go their advantages so easily. So, they developed their own e-finance channels and what came to be known as a brick-click operation came into vogue and found great acceptance with the customers. Further, many organizations experienced intense customer pressure for building such channels and had no choice but to opt for it. They were thus forced to ignore its viability. There is another angle to this development. The idea that a dot com venture meant high hopes and aspirations but had no substantial business plan or model, has been given a lie. A number of established companies have now developed these channels and are using them very successfully. It must also be mentioned that a number of stand-alone banks have also weathered the difficult period and have emerged successfully in the long term. Thus it is clear that the failure of these early ventures has not halted these activities, rather, increasingly they are being successfully used by financial services industry and other commercial enterprises. When considering the technology aspects, one can ask how pervasive would the Internet be? Is it a mere sectoral application, or would it affect every aspect of our life? The issues are no doubt controversial. Recent articles in the HBR seem to suggest that the developments are not universally encompassing, but have only a limited application. The views expressed at the Berkley Roundtable are encouraging. Given below is a summarized version of the views propounded during the Roundtable. Allen Greenspan, Chairman, Federal Reserve, sees in the present development(s), ‘a deep seated 11 whither e-finance?
(and) still developing shift in our economic landscape “caused by” an unexpected leap in technology’. The new emerging economy is variously described as ‘innovative economy’, ‘knowledge economy’ or, ‘a new weightless economy’. The terminology made familiar by the Berkley Roundtable may also be termed as ‘e-conomy’. The e-conomy is a structural shift, bringing transformations and creating disruption. Today we may be in an era where the whole economy and the social structure resting on it are undergoing a change and where the driving force is unmistakeably IT. IT amplifies brainpower in ways analogous to that in which the nineteenth century Industrial Revolution’s technology of steam engines, metallurgy and giant power tools multiplied muscle power. IT builds tools to manipulate, organize, transmit and store information in digital form. Far more important is the way it changes the way we think. IT builds the most all-purpose tools ever—tools for thought. The capabilities created to process and distribute digital data multiply the scale and speed with which thought processes and information can be applied. The connectivity and computing power have resulted in the e–conomy revolution emerging faster and is more widely diffused than previous ones. However, at this point it is difficult to estimate the full magnitude of the changes set in motion. The certainty is that it is widely pervasive and will continue to pervade more and more economic activities. Organizations must take a hard look at their own strengths and the steps taken by their competitors to see what best they can do to meet the challenges posed by the technology developments. The next chapter takes a look at the Indian scene, both from a macro and also from a micro point of view, to see how best the financial institutions should respond to the challenges ahead. In conclusion, it may be reiterated that e-finance is not merely an offshoot or fifth delivery channel, but will trans12 e-finance
form the entire working of organizations as never before. The developments during the last few years bear ample testimony to this. Appendix 1 graphically presents the details regarding the developments in e-banking and e-broking. In the B2B market segments, the advent of open network architectures and a sharp reduction in costs have made computerized transactions between financial institutions and clients, which were previously the preserve of a few large companies, available to the whole enterprise sector. Surveys show that almost three-quarters of enterprises purchase financial services on-line. Similarly, in the B2C segment, the growth is explosive. It is quite clear that financial institutions that choose to ignore these developments are doing so at their own risk.
13 whither e-finance?
appendix 1
what does the future hold? Overseas Systems
Payment Systems
Broking Houses
Financial Companies
Banker
Exchange
Insurance Companies
Tim Net TVP STP
Regulatory Bodies
14 e-finance
Housing Finance Companies
Law Firms
two
developments in India
T
here are two crucial questions that need to be asked while introducing Internet technology into an organization. They are:
1. Is the external environment conducive to the launch? and 2. Can it be sustained over a period of time supported in turn by the organization’s balance sheet? This chapter deals with general issues like Internet penetration, the growth of mobile phones, and the supporting legal framework in India. It also considers the micro aspects relating to organizational needs, customer pressure, offensive and defensive strategies and the financial strength of organizations.
Internet Usage in India The examination of global issues does highlight the question of Internet penetration, though it would no longer be the sole determinant. There is not much information about the prevalence and use of the Internet. Given below are some of the details available, collected through source material available on the Internet. Who Uses the Internet in India? There are 300 million users worldwide today with nearly 150,000 users added every day. Internet penetration in Asia is presently 15 developments in India
driven by business, unlike in USA, where individuals drive it. The total Internet home connections here in India are close to 1.6 million, though it is estimated that the total number of users is nearly 4.8 million (Aug 2000—Nasscom). Data available with Nasscom, IMRB, Edelweiss Capital and CLSA reveal that Indian Internet users chiefly found in the age group of 19–34, of which 80% are male. It is estimated that the Internet user spends an average of 10 hours per week, usually earns over Rs 6,000/- per month, and is most likely to use the Internet for sending and receiving e-mail. Less than 5% buy anything on the Internet, the advertising spend per user being estimated at Rs 140/- and transaction per use: approximately Rs 500/-. A RightServe analysis of IRS 2000 reveals interesting facets of the Internet user in India. The top 10 cities contribute to 60% of the total Internet penetration in India, with Bombay at 18%, followed by Delhi and Madras with 11% and 10% respectively. Ahmedabad Nagpur Coimbatore Pune Calcutta Hyderabad Bangalore Madras Delhi Bombay 0
24 25 25
60 76 78 139
201 234 361
50
100
150
200
250
300
350
400
Note: Figs in 000s Source: IRS 2000.
Time Spent on the Internet vis à vis Print & TV According to IRS 2000 the average time spent on the Internet versus other media is as follows:
Internet Press TV
Saturday
Sunday
Weekdays
1.08 1.13 2.39
0.39 1.24 3.07
1.29 1.13 2.21
16 e-finance
Place of Access
Other
11
Schools/college
32
Friends/ Neighbours Office
20 35
Home
8 0
10
20
30
40
Note: Figs in % Source: IRS 2000.
What do users do on the Internet? A majority of today’s consumers i.e. those with disposable income, fall in the age group of 25+ and 52% of them are Entertainment
26
Hobby/contests
15
Downloading s/w & games
24
Work related info
47
Product info
15
Business news
41
Chat
36
E-mail
89
Job hunting
20
Political news
13
Sports news
21 0
20
40
Note: Figs in % Source: IRS 2000.
17 developments in India
60
80
100
exposed to the Internet.Their reasons for logging on to the Internet range from e-mail to getting updates on business news, product information, political and sports news. E-mail by itself accounts for 89%. Over 35% accessed the Internet from the work place, 32% from place of study and 8% from home. What must be kept in mind is that a person who is checking his mail is not only restricted to checking his mail. These people can be reached very easily as they have multiple points of access that are largely from work place and home. Traditionally, there were only two media vying for the consumer’s time—T.V & Print. Today, the Internet has also come in and the pie is now divided between the three media, and the Internet is fast catching up. Internet Exposure by Age Internet exposure by age shows that 75% of all adults, who accessed the Internet are in the age group of 15–34 years.
35
31
30
26
25 18
20 15 10 5 0
12 6
4 12-14 15-19 yrs yrs
3
20-24 25-34 35-44 45-54 55+ yrs yrs yrs yrs yrs
Note: Figs in % Source: IRS 2000.
Internet Exposure by SEC Net exposure by SEC shows that at least 79% of all adults who accessed the Internet are in SEC A and B. 18 e-finance
60
53
50 40 30
26 15
20 10
4
0
A Note: Figs in % Source: IRS 2000.
B
C
1 D
E
Nasscom Survey 20022003 The survey clearly shows the growth potential of the Internet. Internet penetration in India has also become more widespread with bandwidth becoming readily available, reduction in Internet tariffs and cheaper computer hardware. Some of the key licensed Internet service providers in India are: VSNL—3,44,000 Satyam—1,29,000 DTS—96,000 MTNL—21,000 Dissent—70,000 Bharati—63,000 The subscriber base in India has grown more than 14 times since 1995. A significant aspect of this development is that the total volume of e-commerce transactions in India amounted to about Rs 1.31 billion out of which 9 per cent was business to consumer (B2C) transactions. There has also been a tremendous upsurge in the use of mobile phones in India. Information now available suggests that mobile phone sales have outstripped the sale of PCs. India 19 developments in India
could also be headed towards the Japan model where people rely more on handheld devices, or Personal Digital Assistants (PDAs). In fact, there is greater demand today amongst users for PDAs with built in mobile phones, Internet connectivity and cameras. The last three years have witnessed some significant developments in the field of technology usage. The growth in the number of Automated Teller Machines (ATMs), moneytransfers or complex core banking solutions are now possible with the click of a mouse. ICICI, UTI and other foreign banks are forging ahead and improving their technology edge. Some others are on the verge of ushering in e-banking/insurance business. The difficulties encountered earlier on account of trade union objections are also being cleared. The State Bank of India (SBI) has entered into an agreement with its officers’ association. In accordance with the understanding, the ‘Bank is now free to do computerization and mechanization with latest technology in an unrestricted manner’. Thus, the computerization/mechanization of all activities at all branches, offices, or administrative units using the latest technology can be undertaken. Size, location, or volume of work will also not be a bar for such activities. At the industry level, large technology innovations have been launched. INFINET, a closed user group-wide area network for financial sector participants has proved stable and is the back-bone for initiatives like the Real-time Gross Settlement System. Several schemes for electronic clearing are also in place. The increasing trend of shared networks is quite a significant development. Switch [IBA-run company] may be closing down, but Euronet with CITI, Stanchart, IDBI, and UTI bank as members, is forging ahead. These banks expect to have at least 2,500 ATMs catering to 8–10 banks by the end of March, 2004. Internet banking, tele-banking, and mobile services are becoming major drivers. The Internet today gives the ability to undertake the most complex transactions from anywhere. These channels are no longer the preserve of the elite foreign or private banks. Even urban cooperative banks are considering these channels with the aim of moving ahead. 20 e-finance
These emerging trends are reflected in the bulging size of IT budgets. SBI’s technology budget has been increased from Rs 5 billion to around 7 billion. The Bank of Baroda has a budget for technology in the region of Rs 3 billion. The Bank of India has publicly stated in an interview appearing in The Economic Times, that they would explore e-banking once connectivity amongst branches is established. Technology does not seem to be an option—it is now considered a necessity. However, it must be added that technology solutions do not come cheap. Substantial expenses by way of one-time investments as well as substantial additional recurring expenditure will be required. At this stage reference to core banking solutions can be made, which are being largely accepted by banks. ‘Core banking solutions’ is a centralized banking platform, which creates an environment where the entire bank’s operations are controlled and run from a centralized hub. The core system is basically an end-to-end product suite for consumers, corporate, investment and Internet banking. Customer information is centralized and ‘anytime, anywhere’ banking is possible. The customer is thus no longer restricted to a branch. In this scenario, geography and physical location could become redundant. Most banks in India today appear to be moving towards the installation of core banking solutions. This of course, does not lead one to conclude that the Internet solutions will follow immediately.
Internet for Underdeveloped Countries A wider question that is often raised, pertains to the possibility of the use of Internet technology in underdeveloped countries. E-finance has great potential to improve the quality and scope of financial services and to expand opportunities for trading risks. It can widen the access to financial services for a much larger set of retail and commercial clients, by offering more cost-effective delivery of services. Africa Online and Bangladesh Gramin Bank experiences are pointers in this 21 developments in India
direction. It is also an obvious fact that the ability of these countries to adopt the new Internet technologies would depend on their telecommunication infrastructure. The low efficiency and quality of financial services and the skewed profile of users favour migration toward efinance. On-line brokerage is a case in point. E-finance allows a much easier access to global capital and financial service providers. Before coming to organization-specific questions, enabling factors are first dealt with, as these play an important part in the Indian context. India is amongst the few countries, which have taken significant steps in creating the required enabling environment. The following factors are those that would make the transition to e-finance easier: Regulatory framework for telecommunications, Security framework and public key infrastructure, Framework for information and privacy, Framework for contract enforcement, Financial system laws, Market infrastructure. The World Bank (2000) has suggested a system of ‘weights’ for some of these areas, and the important ones are given below: Enabling Services and their Importance Regulatory framework for telecommunications Security framework and public key infrastructure Framework for information and privacy Contract enforcement Market infrastructure 22 e-finance
Very important Very important Very important Very important Somewhat important
Consumer protection Investor protection Competition policy
Very important Very important Very important
Telecommunication regulation is a key area for e-finance. Non-fixed lines are offering important possibilities in developing countries including Africa, China and Cambodia. What is required is an improvement in postal and telegraph administration, proper pricing, regulations, etc. Suffice it to say that these factors, which would otherwise have hindered developments, have in fact propelled changes. Instead of relying on benchmark figures like Internet connectivity, it is better to look at the totality and decide on the possibilities. Another aspect which often causes concern relates to the rural/urban divide. It is true that the spread of these facilities is currently restricted to urban centres. However, that does not mean that the rural segment should not be taken into consideration. PC sales in rural areas are a pointer in this direction. Further, the efforts made by state governments to spread computer literacy in rural areas are also generating encouraging results. At the same time, there is no need for financial institutions to be mere passive observers and wait for the developments to take place. They can actively promote the switch to these channels.
Micro Level Considerations We now look at the problems from the point of view of a particular financial institution. The environmental changes may be propitious and would warrant a serious consideration of the desirability of such a development. However, it does not automatically follow that the organization must immediately take the plunge. Any organization that plans to explore this area needs to answer some or all of the questions listed below: The distinctive features of e-commerce and associated operational risks. 23 developments in India
The strategic orientation of the organization and the part played by e-commerce. The impact on the organization’s image. Target for the channel and the need for new product development. The impact on traditional channels. These questions are no doubt very important, but the financial aspects also need to be very carefully scrutinized. The first question that the top management should ask would relate to the organizations own financial strength to support such a changeover. A hard look at the balance sheet would be the first step. Some of the areas that need to be considered are indicated below. Some results obtained after analyzing the balance sheets of some banks are given in Appendix 2 at the end of this chapter. The analysis lays stress on certain key ratios enumerated below: Non interest incomegross profit, Non interest expenses/gross profit, Operating expenses/total income, Fixed assets expenses/gross profit, Gross NPAs/total advances, Net profit/equity. The ratios chosen clearly bring out the areas where the financial institution could expect an advantage in the switchover. These would be critical determinants. However, there may be other equally important factors that impinge on the decision. Institutional decisions are equally dependent on strategic factors and these need to be taken into consideration as well. Those concerned with strategic decisions are aware that such new service offerings are made for a range of business reasons. Thus, such services are launched for reasons which cannot be described as purely impacting the bottom line. They may be launched to complement existing products, to use company resources more fully, to broaden or to improve the company image or even to diversify and to grow into new markets. Amongst the reasons adduced for introduction of 24 e-finance
such services, reasons are given ranging from protection of profitability of other products, providing a platform for future new product services by opening new markets, or even changing the company’s image. The ‘strategic rationale’ as to why an organization should launch e-banking was both offensive and defensive in nature. Given below are some aspects of strategic rationale: To protect and enhance the organization’s reputation for innovation. Added value for customers. Means for attracting new customers. Actions taken by competitors. Potential to develop customized services. While it is clear that building a reputation for innovation may make it easier for a company to introduce new products/ services in the future, consumers tend to accept new products from proven innovators. ICICI and HDFC banks are offering not only e-finance facilities through PC-based networks, but also mobile connectivity. In fact, these banks are regarded as technically savvy and even the capital market puts them a few notches above the rest. E-banking undoubtedly offers added value to customers via added functionality and accessibility. Accessibility and interaction with the service provider are key elements of service offerings. For example, the size of the ICICI ATM network distinguishes it from its competitors. The use of multiple distribution channels can increase effective market coverage by targeting different segments and attracting new customers. On-line broking is one such example. Many new offerings have the tendency of being copies of services offered by competitors. These are defensive launches to try and ensure retaining customers. Many organizations claim to be fast followers rather than prime movers. However, organizations also tend to add one or two different features, which enable them to stress the product’s uniqueness. 25 developments in India
It is recognized that electronic delivery will have a lower cost per transaction than more traditional distribution channels. A recent study estimates that the unit transaction cost for a non cash payment is UK pounds sterling 1.08 for a branch, 54p for a telephone bank, 26p for a PC bank and just 13p for an Internet bank. According to the World Bank, Using credit scoring and other data mining techniques, providers can create and tailor products without much human impact and at very low cost. They can also better stratify their customers base and allow consumers to build their preferences on line. This not only permits the personalization of information and services, it also allows much more personalized pricing of services, and a much more effective identification of credit risks.
The aim of electronic delivery was expressed as ‘personalization and push’. In addition to the above, organizations would also need to consider specific demand and supply factors. Direct household surveys indicate that prospective clients are motivated by three sets of demand factors: Security of the actual transaction and of information submitted to the vendor and ultimately even the vendor’s safety. Absolute and relative price signals, motivating the purchase of e-finance services. Perceived convenience for the client (creation of value). Financial institution’s incentives to offer services via the Internet are similar to an offer of products through any of the channels. The basic inducements are as under: Gaining and retaining clients through an array of attractive services. A survey of customers having savings bank accounts in an established bank’s main branch showed that most of their clients were between 45–50 years and above. The potentially high net worth, technically savvy had nothing to entice them to open accounts with this bank. 26 e-finance
Using the channel to cut costs. Most banks do not have exact costs for transaction processes worked out. Service charges are levied on an ad hoc basis. After a brief costing carried out on certain services, it was found that charges for cash payments were in the range of Rs 15–18 per transaction. This situation arose because no recruitment was undertaken during the last 12–15 years and the average clerical salary has risen; this is reflected in the transaction costs. It is firmly believed that a major advantage would accrue to the ‘treasury department’ of an organization. The department would be integrated with the global markets and give the dealers, controllers and top management a unique oversight in managing the treasury. Studies, done by the comptroller of currency in the US, show that costs of e-finance transactions border on being described as negligible. A single payment transaction at a branch could be US $ 1.25. The same transaction put through electronically could be barely 2–3 cents. The calculation of costs of ATM transactions based on the full cost principle clearly bears out these results. It would lead either to the closure of branches, or branches turned into high cost service centres with a thrust on advisory functions. Finally, an important aspect to be kept in mind refers to technical compatibility and the organization’s preparedness to deal with massive changes. Those banks and financial institutions that decide to offer these services now would not have any first mover advantage. ICICI Bank, HDFC Bank, Citibank, ABN Amro, and HSBC are the pioneers in these areas, and offer a range of services. The new entrants, however, are not going to find the transition smooth. The chairmen and top management teams at these organizations must have a clear vision and be ready to undertake this massive transformation. An e-finance changeover is not a mere addition of a distribution channel. It is a different way of doing things. 27 developments in India
appendix 2
analysis of financial statements for deciding on entry to e-business Vijaya Bank Non Interest Income Gross Profit Accounting efficiency Non Interest Expenses Gross Profit Accounting Non-efficiency Operating expenses Total Income % E x p e n se s/ r e v e n u e Fixed Assets Expenses Gross Profit Deposits/Assets Deposits/Total Assets % Gross NPA Total Advances Credit Quality % Net Profit Equity Return on Equity
Andhra Bank
South Indian Bank
31.03.02
31.03.01
31.03.02
31.03.01
31.03.02
31.03.01
188.83 252.5 74.78% 421.63 252.5 166% 421.63 1727.33 24.41 165.52 252.5 65% 14680.5 16144.5 90.93 602.69 6196.66 9.72 130.9 663.02 19.74
156.26 178.48 88% 438.13 178.48 245% 438.13 1512.44 28.97 150.02 178.48 84% 12632.24 14256.6 88.61 549.92 5720.01 10 70.73 599.44 11.8
304.02 425.38 71% 453.98 425.38 106% 453.98 2333.85 19.45 108.53 425.38 25.51% 18490.76 20937.24 88.32 524.92 9677.72 5.41 202.27 883.84 22.89
204.62 248.72 82% 456.38 248.72 183% 456.38 2079.68 21.94 94.46 248.72 37.98% 18291.52 20389.41 89.71 470.1 7423.17 6.33 121.19 756.4 16.02
138.53 172.9 80% 120.91 172.9 70% 120.91 754.01 16.04 44.41 172.9 25.69% 5919.7 6555.01 90.31 335.94 3231.04 10.39 62.41 274.6 22.73
72.52 107.05 67% 115.03 107.05 107% 115.03 612.93 18.77 35.99 107.05 33.62% 4668.55 5216.2 89.5 257.04 2468.36 10.41 41.5 218.52 18.99 (Contd.)
Appendix 2 Contd United Western Bank
Bank of India
Bank of Baroda
Canara Bank
31.03.02
31.03.01
31.03.02
31.03.01
31.03.02
31.03.01
31.03.02
31.03.01
125.59 153.44 67% 100.44 153.44 65% 100.44 644.99 15.57 108.2 153.44 70.52 4491.03 5134.46 87.47 389.08 2657.68 14.63 25.76 228.97 11.25
43.42 50.73 85% 105.12 50.73 207% 105.12 519 20.25 108.56 50.73 214 5221.22 5738.8 90.98 339.58 2740.06 12.39 15.58 207.69 7.5
1103.27 1412.05 78% 1530.89 1412.05 108% 1530.89 6711.95 22.81 704.67 1412.05 49.9 59710.6 69805.86 85.54 3722 38310.78 9.71 508.83 2845.05 17.88
861.91 772 111% 1743.73 772 225% 1743.73 6178.72 28.22 763.15 772 98.85 51678.81 59566.56 86.76 3434 32173.14 10.67 251.88 2685.5 9.38
993.16 1309.25 76% 1563.35 1309.25 119% 1563.35 6948.71 22.5 692.38 1309.25 52.88 61804.46 70910.07 87.16 4489.3 33662.98 13.33 545.92 3827.76 14.26
706.27 1036.47 68% 1607.59 1036.47 155% 1607.59 6463.62 24.87 647.06 1036.47 62.43 54070.44 63322.03 85.39 4185.72 27420.68 15.26 274.66 3356.27 8.18
1428.553 1656.24 86% 1592.6 1656.24 96% 1592.6 7799.09 20.42 659.01 1656.24 39.79 64030 72211.38 88.67 2112.44 33126.7 6.37 741.4 3471.49 21.36
917.78 1131.23 81% 1669.57 1131.23 148% 1669.57 6536.05 25.54 649.65 1131.23 57.43 59069.52 66520.64 88.8 1288.39 27831.77 4.63 285.1 2814.45 10.13
three
which way should we take?
D
evelopments in the field of e-finance have been broadly reviewed and questions relating to entry into efinance have also been broadly considered. Some organizations in India have taken initial, though perhaps hesitant, steps towards building competencies in this area. A thorough analysis of an organization’s financials, strategic factors and its vision about the future need to be critically analyzed before a decision is taken to enter into the e-finance arena. Additionally, the changing economic rationale underlying these decisions would also need to be critically evaluated.
The Changing Economic Rationale The post Industrial Revolution economy rested on two basic assumptions: value came from scarcity (diamonds, gold, or even college degrees); and things become devalued when they are plentiful. Carpets had value when they were hand-woven. They lost it when machines could make them in thousands. The network economy literally flips these premises upside down. Value is derived from plentitude. Shrinking marginal costs overwhelm scarcity. The growth of the Internet economy exhibits what could be described as a classic template of exponential growth. 30 e-finance
Biologists often find these in biological systems. In the network economy we are witnessing biological growth where success becomes non-linear. There is always a tipping point in business, during which growth and innovation must be taken seriously. Thereafter, success feeds on itself. In the network economy such tipping points are depressed because of low fixed costs, insignificant marginal costs and rapid distribution. Detecting events before they occur is essential and would be a key to success. The principal law is the law of increasing returns: • In the industrial economy value increases in a linear manner, while in the network economy, it is exponential. • Economies of scale are rewards for efforts put in by a given unit to outpace competition. Networked increasing returns are created and shared by the entire network. The value of gains resides in the greater web of relationships. A very curious aspect of the network economy is the relation between quality and price. Slight improvements in quality were reflected in slight increases in prices. In the new economy, price and quality curves diverge so much that some things that are better, tend to become cheaper, for example, as computer chips and computers become faster and sleeker, they become cheaper. At this rate, prices will settle down near the bottom, but quality at the top would be open-ended. The best gets cheaper and opens a space a round it for something that is new, but expensive. Valuable products could thus be given away freely such as web browsers and standard e-mail programmes. Once the product worth and indispensability are established, the company sells auxiliary services or upgrades. Giving away free products leads to mind-share and through it to market-share. 31 which way should we take?
The allegiance is not to a product. It is to a given network. As networks permeate our world, the economy has come to resemble an ecology of organisms inter-linked and coevolving constantly in a flux and becoming deeply entangled. Companies come and go; careers are patchworks of vocations; industries are groupings of fluctuating firms; the network economy moves from change to churn. The sustained vitality of a network requires the Internet to provoke itself out of balance. A settled harmonious system would lead to stagnation. Constant innovation would mean perpetual disruption. Finally, where do we go? The task for each of us is to discover how to do the job in a better way. In the network economy, where machines carry out the tasks, the challenge for each worker is not how to do the job right, but to ascertain the right job to do. We should be looking for opportunities. It must be reiterated here that an organization should critically evaluate all these factors to sustain its interest in the long run. During discussions with bankers and others, it has been noticed that even those organizations which have their own websites are uncertain about the way they should proceed. Therefore, the analysis of the options available, begins right from the stage of developing a website. Before proceeding further, a word of caution—It is customary to herald one’s entry/or even a proposed entry into the market by saying that the organization would offer anytime, anywhere, banking and other services. This may be good advertisement copy, but would hardly be a suitable goal for an organization about to launch its activities. Television advertisements can be misleading. These advertisements often conjure pictures of yuppies talking to their US brokers from Trafalgar Square and disturbing the pigeons by their joyous shouts! New York/Tokyo offices can be accessed even from the middle of the Sahara Desert. Although this is certainly possible, one has to be equally concerned with bread and 32 e-finance
butter activities and their implementation. A lot of misconceptions prevail and it is necessary to consider the elements of the process. The current phase of developments indicates that the way ahead would be for established organizations (banks, brokerage houses, etc., with branch networks) to offer these services. It could be pointed out that some stand-alone banks have weathered the storms and are now firmly entrenched. The generally prevalent pattern is what is now called the ‘brick and click model’. Predominant e-finance business models involve multi-channel distribution. Most on-line vendors are entrenched financial conglomerates who use the Internet as a channel for marketing and distributing their financial products. Most of the competition for on-line client acquisition focuses on the layout functionality and facilities offered by a financial institute’s Web presence. From a client’s perspective, one could divide the on-line interface into six categories: 1. 2. 3. 4.
Company-specific websites, Directories and information portals, Vertical integrators, Point of sale sites: product marketing through various theme-based web-pagers, 5. Value added portals: websites empowering consumers beyond mere listing and linking, 6. Aggregator portals: price and quality comparison across a number of service providers. A frequently used classification of services offered is by having recourse to delivery channels such as: Access devices: These devices include personal computers, PDAs, televisions equipped with Internet access or mobile phones and other wireless communication devices. Portals could supplement these. Portals: Portals are becoming the critical link between access devices and financial service companies. Portals offer 33 which way should we take?
access to a range of financial service providers, often for free or a fixed price, but generate revenues from fees paid by providers referred through the portals. These include portals designed by specialized financial service companies, as well as general portals like AOL and Yahoo. Aggregators complement portals, allowing consumers to compare mortgage, insurance or other lending products offered by finance companies. Enabling companies support existing financial service providers as well as specialized financial service providers, and virtual banks specialized software. In the sections that follow the range of choices that financial institutes have and the care they need to take in implementing these decisions are examined. The choice ranges from having a website to bank services via mobile phones.
Arrangements for Implementation Before discussing the specifics, the organizational arrangements that need to be in place must be dealt with. Banks and financial institutions need to create their own centralized agency to coordinate various activities. An individual must be identified to oversee a company’s e-commerce initiatives and place them in a strategic framework. After all, this individual will have to grapple with the uncertainties, struggle to launch projects and push for organizational change. These veterans personify the challenges which are faced by institutions embracing the Internet. There can be two distinct institutional arrangements. The first is the creation of what has been described as ‘e-commerce Czars’, who are to lead the e-commerce transformation. The job would provide both exciting opportunities and a host of challenges. Such individuals must be given a carte blanche to revolutionize this operation. Their job is to see that the company remains at the forefront of change and to make and implement conscious decisions about taking advantages of new opportunities. 34 e-finance
Such an appointment would send a clear signal that the organization is serious about the e-initiative. However, experience suggests that to come across such an individual who is flexible and imaginative, adaptable to shifting currents and who understands the present and is able to visualize the future, is hard to come by. Further, there is no need to centralize all such decisions into a single authority. Very often, the problems are pushed under the carpet and would surface at a point when it would harm the organization’s interests. Internal politics and rivalries are intense and could at times be daunting. Thus, this individual would end up as a prime target for criticism. An ‘Internet council or committee’, which would report to the CEO, would thus be a better alternative. It is necessary to have a holistic view about the digital future and then help the departments to fit into the picture. The first thing the committee should do is to prioritize the projects. They must necessarily adopt a consultative approach and should consistently focus on efficiency, expense, and impact on revenues. They must, in charting out the future, be ready to tackle psychological and cultural issues. They would also have to face grilling from well-ensconced executives and deal with tactical opposition. Unfortunately, there are no rules etched in stone for such situations. The organization must see which method(s) would suit it better and arrive at a solution. At the same time the Board and the CEO must be involved to ensure that turf wars and vested departmental interests do not impede the progress. The second issue would relate to the technology to be installed, whether it is: an interface with the existing set-up; new technology to be PC-based or mobile, designing/redesigning of websites or the range of products to be offered. Decisions may be based on customer surveys, the organizational set-up (Czars or committees) for implementation and finally, the questions relating to the form of the new system (stand-alone subsidiary or within the organization itself). These questions will not be resolved easily and it would 35 which way should we take?
perhaps take 2–3 years to set-up such a system. Competitive pressures may, however, force organizations to launch services and in that case they should be prepared either to be ‘followers’ with some differentiation or accept failures (fail early and often!). Before going into details regarding designs etc. we would briefly present the Internet Value chain.
The On-line Value Chain The on-line value chain is a useful way to think of the important roles that will exist in the delivery of on-line services to customers. The banks and financial institutions are ‘manufacturers’ of market products and process information (content). The delivery is through a network. The customer accesses it through various devices like PCs, PDAS, mobile telephones and television sets. The organization would need to decide which access device would be suitable for a given activity. Filling in a loan application would necessarily have to be a PC-based activity, as using the television for such work would not be possible. However, care must be taken to see the users’ preference in accessing through a particular device. This section briefly discusses the problems associated with some of the aspects concerning entry into e-finance. The most obvious is the establishment of a website. Very often, banks design and build a website, but discover that it is not of much use. In such cases, it is quite possible that much thought has not gone into building the website. At one level, the problem to be resolved is whether access should be through PCs or mobile phones. The second problem relates to the information to be presented. In an article in Bank Marketing, launching a website is compared to dressing for an Academy Awards presentation ‘function’. A financial institution must make its presence felt. After all, the web would be the vehicle for building loyalty and business. 36 e-finance
The Internet is unlike any other form of communication. Therefore, unlike a pamphlet or an advertisement, the Internet is an interactive medium that is rapidly evolving. Those with Internet addresses need to constantly maintain and upgrade their sites, as technology and customer habits change. The following is an attempt to understand a few areas which would help financial institutions and others in designing new websites or those seeking to improve an existing set. The web must reflect an organization’s strategic choice, no matter who may be the intended audience. It must also clearly reflect what the organization is trying to achieve, for example, selling new products to existing customers, attracting new customers from other markets or providing information to existing stock holders. These objectives should be specific and documented. The web is an information site and not meant for entertainment. The site must thus satisfy highly directed visitors in search of specific information. The graphical mode of presentation is a great advantage. Further, even video clips can be shown. However, it must be remembered that frequent visitors to websites get tired of waiting to see the same pictures or listening to the same tunes. Never create an entry page that takes longer than 15 seconds to download. Otherwise the customer will lose interest and leave the site. Avoid any features that may cause the browser to crash, freeze or show error messages. If possible, design pages to target customer segments. The provision of an investment calculator could be a great help and should normally draw visitors back to the site. Add links to other websites. There must be an incentive(s) to visit the site frequently. Easy navigation is extremely important. The organization must also keep in mind that every customer does not have access to a high speed, dedicated link. 37 which way should we take?
A website experience however, may not complement interactive digital TV, PDAs or mobile phones. A survey conducted by Microsoft for Barclays and Nat West banks has found that the content has to be compelling in order to get the user to visit the site. Thus, designs for PC and TV viewing have to be different. In the case of televisions, there is a physical distance, while for mobile phones, it is a different cup of tea altogether as the small size of the screen necessitates offering altogether different solutions! It is now increasingly realized that financial institutions must not jump on to the bandwagon blindly. They must consider the limitations and issues that surround such a strategy. However, there is an extremely cautionary advice that must be offered in concluding this section on web design and its use. If using the Internet is to be successful, there has to be an operational efficiency behind it to fulfill the promises which have been made to the clients; otherwise an institution’s reputation can be at risk. The one stop portal (an outbound website gateway that links to other sites and/or presents information gathered from other sites) is now a reality. Such portals developed because it was necessary to have a single website where customers could handle all their financial requirements. What was missing, however, was the ability to aggregate information and perform transactions that involve a customer’s accounts at rival institutions. The concept of designing a home page that might have broader utility for the user than mere transaction processing and information delivery has merit. At this stage, it might be useful to clearly define the terms used. ‘Aggregation’ refers to gathering information from multiple websites and delivering it to a customer’s account at a single website. ‘Consolidation’ refers to gathering information about a customer’s several accounts at the same website and presenting it to the consumer as an integrated statement. The really useful portals are part search engine, part tool kit, calculator and part information market place. These portals provide: (a) an easy way to research products; (b) facilities to 38 e-finance
send and receive e-mail; (c) easy access to receive information and stock prices; and (d) model scenarios for a wide range of decisions. The best example of an aggregator is the ‘Lending Tree’ which could best be described as a ‘market place for lenders’. There is no doubt some truth in saying that these portals are useful for pre-transaction decision making, rather than for forming an ongoing relationship. Another type of aggregator (account aggregator) places more emphasis on ongoing relationship building. These portals offer information, but very little by way of assessment. Many financial institutions are therefore providing tools for assessment. These tools can and do help customers to have a better asset allocation. There is also a tendency to have links with associated activities like broking, etc. There have been many apprehensions expressed about the technology to be used for introducing such features, which is a distinctly low-tech application and goes by the name of ‘screen scraping’. It enables an aggregator to go to any financial site, with the customer’s prior consent (not the service provider’s). The aggregator makes the server think that it is the customer’s routine request. The system, of course, needs a lot of maintenance. The security aspects of such transactions are discussed in a later chapter. There are however, serious challenges ahead. It is being gradually realized that the Internet is not a stand-alone business proposition, but must be a part of a larger delivery capability. Integrating Internet channel information, customer knowledge and transaction information with those at the branch, call centre and ATM is a critical issue. The portal concept must be thought of within the context of a larger multi-channel delivery capability. The branch or call centre must have much more detailed information so that genuinely customer-centred information can be provided. Currently, web services ought to be used to enhance internal efforts to integrate applications together in a product or process value chain. 39 which way should we take?
E-banking and on-line trading are discussed in some detail in chapters five and six. Some common difficulties experienced at the implementation stage are mentioned here. A major problem relates to cost escalations. These could be overwhelming unless care is taken before taking further steps. An example here is the professional fee for consultants. It is not always necessary that the vendor engineers are the most proficient ones. In fact, most of the vendors send only the second or third line of consultants/engineers for implementation projects. This means that while the vendor consultants are refining their skills on their product, you either end up paying more fees or you become their training ground. Besides, the professional service effort is always an estimated effort; you can not bind the vendor once the work agreement is signed. In situations where the system integration has to be done between two different systems, such as in the case of Internet banking or treasury systems, which have to be connected to the core banking system using an Application Programming Interface (API), the risk of cost escalation on this account greatly increases. The only solution appears to be to provide for a fixed charge for professional services. Most probably the product will have been selected through a quotation process from a number of vendors. A fixed charge for the professional services can be insisted upon, without which the quotations have no meaning. Another alternative is to have a man-days budget with a variation cap incorporated in the contract. The decision-making process in most of the banks is such, that in spite of the budget having been approved for the project, for every decision—whether it is for a business requirement specification or for an item of expenditure—days and sometimes weeks are lost because they have to approach the same sanctioning authority, hence the delay. In today’s atmosphere where vigilance is a bugbear most bankers are scared of, matters are referred to the original sanctioning authority, which in these cases is the Board. The way these Boards (for that matter, any Board functions), cost escalations 40 e-finance
are not viewed very favourably. This will throw any project plan and manpower budget out of gear and a vendor, who has calculated and committed the price quotation on a reasonably tight budget, will incur heavy losses. Hence, in the event a fixed manpower budget is agreed to in the contract, a foolproof decision making and expenditure sanction machinery must be put in place for the project. Built in escalations/ contingency provisions ranging from 10–20 per cent are not affective solutions. The recommending department’s actions in allowing such cost escalations would be viewed with suspicion. It is better to sit across the table with vendors and try to identify areas where there could be delays and escalations and budget accordingly for them. The background notes should highlight these. The essence here, is that unless a way is found to control the professional service charge for a project, the entire financial estimates of the project is at risk of being unsound. At the same time if the vendor commits a fixed professional service charge and this is not supported by an efficient decisionmaking system for the project, the vendor will have no option but to abandon the project mid-way. Both the conditions have equally unpleasant consequences for an organization. These are regarded as unforeseen costs, some of which one would normally fail to see at the beginning while preparing the budget. Given below are some of the more obvious expenditure items that are left out at the time of initial budgeting. Individually, these appear to be small. Together however, they become a substantial part of the total cost. Hardware and software for back-up system and test system, Firewall system—hardware, OS, software, Firewall for back-up system, Encryption mechanism, Web server certificates, Leased line and back-up connection costs, Security policy design, validation and auditing cost, 41 which way should we take?
Disaster Recovery Centre (DRC) costs, Risk management and contingency plan, Costs of hiring/buying computers for project implementation and User Acceptance Testing (UAT), Costs involved in hiring consultant(s) for techno-legal planning, Process change management, Setting up a new data centre or expanding the existing one, Leased line and encryption of data between data centre and DRC, New support resources and their training, Telephone bills, transport and hotel charges for consultants, Additional costs due to people working late, working on holidays and weekends. The technology arena is a harsh unforgiving environment, where the expected end result is very high and mistakes are considered worse than bad loans. For any bank/financial institution wishing to implement its own in-house system, the main consideration should be regarding the availability of people. Experienced, dedicated workers who work for 10 hours a day and are not risk averse, are a prime necessity. Deciding the right cost for the project is the next task. Generalizations based on comparisons with other banks can be totally misleading. There are specific measures and techniques to determine the appropriateness of technology in a given institution. The normal procedure would be to compare it with the workload. In case of anticipated activities, certain conjectural thumb rules have to be used. The two major advantages of having work done in-house are control and costs. In today’s competitive environment it is essential to have both these aspects properly taken care of. The banks/financial institutions would thus have dedicated support, which no outsourcing agency can match. Further, the system can take care of certain overload without much extra 42 e-finance
costs. In fact, stable systems can last even for five or seven years, and since the depreciation on these items is probably complete in three to four years, and the system availability is ultimately free. Customization may be possible if the banks/ financial institutions were to approach the vendors right from the start. Outsourcing however, does have its advantages. Expertize is readily available and cost-effective. Almost 20 per cent of the costs are incurred on welfare and statutory benefits for the institution’s own staff and can be saved. An effective outsourcing company may deliver products as operational solutions. Banks can also take advantage of the research work carried out by their vendors. The possibility of the outsourcing company and the bank becoming partners after working closely cannot also be ruled out. Staff turnover at senior levels would create substantial problems for a bank, but not for an outsourcing firm. The merits and demerits of such options are infinite. The final decision however, would always be a result of diverse factors being balanced, complex matters examined in-depth and road blocks identified, so that the transition is smooth.
43 which way should we take?
four
e-finance products and services
T
his chapter begins with a review of the forces that have been responsible for shaping the financial services landscape. The primary thrust has been exerted by competition, both within the fraternity of financial service providers and those somewhat outside the pale. This has led to a continuous downward pressure on margins as banks and financial institutions are vying with each other for good advances. The era of asset-led growth forces banks/financial institutions into cut-throat competition for the small cake available. The first result has been a reduction of spreads. The World Bank (2000) estimates that such margins could come down significantly during the next few years. This trend is universal. The developments in technology and the growing importance of the Internet in commercial transactions has led to a reduction in the commissions charged. The broking commission is a case in point. Commission revenues are expected to come down by a factor of two. Underwriting payments services, asset management services, personal financial advice, etc., would be made available at much lower costs. The response to these challenges could be and is varied. Initially, measures like downsizing (for example, the voluntary retirement schemes in India), consolidation for capital adequacy and cost reductions across the board were quite 44 e-finance
common. However, these measures could not stem the downward slide. At the same time, customer pressure for speedier means to execute transactions was growing. A society on the go cannot afford the luxury of leisurely banking. A new generation of technically savvy customers is now demanding ‘anywhere, anytime’ banking. Financial institutions had to respond by offering services on the Internet. They also had much to gain because transaction costs could and did come down substantially. A cash payment at the branch would cost somewhere around Rs 18–20, while the same payment through the Internet would cost a few paise. Banks/financial institutions have realized that successful strategies are built around the customer. The World Bank report quite rightly suggests that with data mining techniques, it would be possible for banks and others to tailor schemes for individuals and charge them interest rates appropriately. Initially, it was felt that stand-alone E-banking institutions would overtake brick and mortar banks and that the latter would wither away. This was more a conceptual fantasy and the ‘brick/click’ model has come to stay. The emergence of such a model has led to certain patterns of development. It is quite a huge challenge to get behind virtual customers, their wants and help them to understand emerging desires; to move from delivering products/services to aiding in the understanding of their self. The institutions have three options. They can develop Internet banking capabilities that support the current product, service and channel mix. This is normally referred to as the ‘traditional migrator’ approach. It has the advantage of reinforcing the banks’ long established brand and allowing them to proceed with a single market personality while actually using multiple delivery channels. The second approach described as ‘Continual Evolver,’ would be for the banks to reinvent themselves and focus primarily on extending reach on the Internet channel and deepening relationships by meeting customer needs. This would 45 e-finance products and services
help them in clarifying confusing offerings, streamlining disparate marketing messages and committing to an ongoing culture of change. The final or ‘Clean Slate’ approach is to create a new brand disconnected from its established identity. The benefits include the ability to use a low cost base and virtual distribution to achieve new customer acquisition and deliver broad customer choice. Banks/financial institutions must find ways to make their history work for them—for example when a bank facilitated those customers, who had accounts with them for over 75 years. For many years Indian banks worked in an environment where only the service provided enabled them to differentiate themselves from the rest. This same strategy (customer service, reliability, and trust) must be used to retain fickle customers. It is not advisable in India to close branches merely because they are high cost centres. During the time when staff is trained to take over more responsible tasks as advisors/marketers, the costs incurred will have to be subsidized by low cost Internet operations. It is also a fact that security concerns deter many customers from using on-line channels. These customers form the backbone of business and cannot be ignored or brushed aside. Financial institutions and banks must try and sell their Internet customers different products which could generate fee incomes. It is also a fact that customers need assurance through human contacts. This is particularly true during periods of stress. Hearing the captain speak on the public address system is more reassuring than a taped message when the plane passes through a stormy patch. It is worth noting that traditional financial institutions are extremely adept at retrieving information from old records and thus can deal with customer complaints much more easily. With the help of technology, it will be possible for these institutions to handle such matters in minutes. This strength needs to be built upon, particularly for customer relationship building. The products and services that will be and are being offered are reviewed next. The acquisition of clients and the 46 e-finance
use of services will also depend on the layout, functionality and facilities offered by the institution. We begin with a description of what could be described as electronic money or stored value products.
E-money There is a new Internet currency that can be collected on line and spent at various merchant sites on the web. Although there is sceptism regarding the usage of these devices, they are being used increasingly by universities, transit systems, etc. Given below in Table 4.1 are details regarding new online payment systems. Table 4.1: New Ways of Paying On line A guide to a new generation of on-line payment systems Company Cyber Gold
E-charge Ipin Millicent
Merchant/Content Partner Earn and spend programmes Click on ads and spend in network Advance payment with on-line bank account Charges digital content to ISP bill Digital wallets with Millicent scrip inside
Animation Factory, Axis 3d ZDNet, CD world
E-music, AT&T music, Virgin Radio, BBC Asahi.com, Oxford University Press, etc.
Source: Journal of Lending and Credit Risk Management, December 19992000.
Smart cards and e-purses are also exciting new options and with these we enter a generation of new on-line payment systems. Smart cards are embedded with a computer chip and transact data between users. They can be loaded with the desired value and used to buy a product. The amount is transferred to the seller’s smart card through a reader. However, in India, smart cards have not been very popular. It was believed that smart cards would become safer and 47 e-finance products and services
easier solutions to the problems of handling cash, the nonavailability of loose change and the risks of theft. However, these difficulties have not been translated into substantial business. Another variant is the ‘debit card’. These are plastic cards connected with electro-magnetic identification and are used for payment at specified point-of-sale terminals.
Financial Services The major users of the Internet are corporate customers. Companies increasingly use Internet-based systems to cover their entire range of financial needs, from managing bank accounts and bill payments to asset management and even to insurance products. In the B2C segment, the services offered include balance confirmation, transfer of balances from one account to another. Bill payment services are also becoming increasingly common. ICICI Bank now allows customers to pay municipal taxes on the Internet. It is pertinent to note that in other countries, the competition from non-financial institutions such as Yahoo or Microsoft is quite aggressive and India could witness similar developments. The area of ‘credit’ has also seen some rapid developments. In many cases, application processing is available on-line, but complete fulfillment is not. Small and medium-sized industries can draw trade credits and other sources of verifiable finance. Housing finance is one area where functions ranging from loan application appraising, valuation of houses, to completion of loan documents are all carried out over the Internet. The Internet also provides information on financing and other options to a wide spectrum of potential house owners. We would like to refer to two mortgage finance providers. Advantage mortgage began as a mortgage broker. Over a period of time, it has become an overall aggregator like lending tree. com. whose major source of revenue is derived from 15 lenders. Advantage solicits borrowers, evaluates mortgage loan packages for presentation to borrowers, 48 e-finance
prepares all the documentation required for the loan and sends the complete loan package to the lenders. The borrowers also do not pay any fee for this service because the lenders pay them for it.
Factoring and Leasing E-finance helps in lowering the costs and increases the availability and ease of transferring the information. The ease of delivery and substantial reduction of costs are factors responsible for the widespread use in this paper-intense activity. This development has increased lender and client opportunities for factoring, which is the sale of accounts receivables and leasing which are loans colateralized by assets. Electronic transmission allows for real-time information exchange between parties, increased security, immediate credit decisions and lower transaction costs. A development in India which has not attracted much attention is the development of Internet platforms to trade and pledge electronic warehouse receipts. This may reduce the need for government to purchase commodities for stockpiling. Letters of Credit, Bills of Lading and other documents associated with trade funds are also gradually being taken over under the e-finance umbrella. Bolero.net is a joint society for Worldwide Interbank Financial Telecommunications amongst commercial banks, freight forwarders, and shippers. It could certainly help in automating the trade finance process. These services would be used to transmit letters of credit, bills of entry and other documents. The difficulties arising from the legal and commercial practices are being ironed out and care is being taken to ensure that the transaction is smooth. There are two successful examples of Differential Interest Rate (DIR) type of advances transacted on the Internet. South Africa’s Standard Bank has bundled services required by the poor—a viable activity for the bank. The second case is that of Gramin Bank in Bangladesh. The bank sells pay phones to 49 e-finance products and services
its borrowers and these are made available to all the villagers. A number of women have turned cow-rearing or grocery activities into profitable ventures. Action International is using hand-held computers to cut costs and time to sanction loans. Entering the data takes about 25 minutes and processing takes about one hour. The new micro loan-processing software designed for palm-pilots allows loan officers to record client data, take applications and make loans on the spot. Pla Net Finance is the first international organization to refinance micro-finance institutions. In fact, Pla Net hopes to help micro finance institutions through all stages of their development.
E-trading E-trading systems provide some or all of the following services: electronic order routing, automated trade execution, and post trade information. On-line trading systems can be divided into various categories according to: The trade Model Used; The ownership structure of the system; Sources of prices for securities; Customers; and Coverage.
E-trading in Equity Markets The trading models in equity markets can be divided into two categories. Order driven systems combine all ‘bid and ask’ orders into one central order book and automatically match the orders without intermediaries. The other is direct access trading, where the investor places an order on-line and the brokerage firm routes it directly to a market maker and obtains a commission from him/her for what is known as ‘payment for order flows.’
50 e-finance
E-procurement This refers to an offshoot of falling margins. Financial institutions that are focused on e-procurement for corporate supplies could leverage their role as payment facilitators. Thus, the entire process of purchases becomes streamlined and savings are affected—ABN Amro, Bank of America, Citi and Chase Manhattan are some of the leading participants in this process. Increasingly, corporate clients (particularly those rated highly by rating agencies) are no longer dependent on banks for their credit requirements. The issuance of commercial paper, suppliers’ credit and recourse to global capital markets, have led to banks and financial institutions pursuing corporate clients for a slice of their assets. It is, therefore, not surprising that most banks are focusing their attention on small and medium-sized enterprises. The State Bank of India and ICICI Bank, for example, have all set aside large sums for this sector. The whole procedure, from the origination of the application to sanction and loan disbursement, is extremely dilatory. This is where the Internet could be harnessed to speed up the process. Credit rating/and or scoring tools is available with many banks and these are used at the time of considering consumer loan applications. The same could be extended to the small and medium sector and delays avoided. Further, many such units use computer-based accounting packages and banks could offer advice to these customers in areas like receivables and cash management. A novel proposal here envisages building a ‘virtual’ market for their products. All the banks together can provide a market place for their small and medium clients by acting as a clearing house for products manufactured by their clients. For example, such an exercise was undertaken for a bank at the state level. A directory of products manufactured by the bank’s clients was published which turned out to be extremely useful. A survey is currently being undertaken by the author with the help of a bank to ascertain the requirements of small and medium clients, which would lead to the introduc51 e-finance products and services
tion of Internet facilities. Purely from a lender’s point of view, it would afford a degree of control never before thought possible or feasible. It would assist the industry and the banks in building a unique partnership and in a creating a healthy appreciation of each other’s problems. Another segment which is somewhat neglected is that of senior citizens. Banks, particularly cooperative banks, could assist senior citizens by introducing them to the use of Internet facilities. Through the use of mobile telephones and a courier service run by the bank, income generating services could be provided, though cash withdrawals and deposits may not be possible. In countries as diverse as the Republic of Korea, Mexico and the Philippines, insurance products are being increasingly offered to clients both electronically and through intermediaries. In India, Insurance Regulatory Development Authority (IRDA) has not yet accorded its approval to the issuance of policies on the Internet, as the digital signature certification mechanism is not in place. There is also a certain degree of reluctance on the part of customers to buy insurance on the Internet. However, it is increasingly clear that financial services firms have now to hasten the pace of change. They must realize that they do not have much waiting time and would encounter a number of threats to existing competitive positions. The need of the hour is ‘information freedom’. It is about transforming island processes into extended ones. It is about integrating the complete chain of events that information available anywhere must be made available across the entire network. Organizations must learn to take advantage of information available with them. With a bit of slogan-mongering one could assert ‘integrate or perish’. The following general observations in respect of product development have been made by some overseas bankers with the author: The old axiom ‘build it and they will come’, is a model that does not work on line. 52 e-finance
A full range of products including brokerage and financial planning tools, a trusted brand name, a multifunctional but easy to navigate website and responsive customer service, is a must. There is a constant need for adding functionality and new products. Customers should be able to do more things on line than they do at a branch. There is an acute need to unbundle financial products, so that a person who does not want face-to-face relationship can get whatever help/advice he requires on line. Bad service really ticks off on-line customers. Customer service is an offensive weapon in the marketing artillery of any web-based company. In conclusion, it could be said that to gauge the future we would have to think ‘both/and’. The future is digital—it is also analog. Those who talk of a paperless office should remember that paper is an amazingly efficient and cost-effective display medium. The wrong question is how to get rid of paper. The right question is what should be on paper versus a digital document. Thus, while strides have been taken, the progress could hardly be described as significant. The services offered are useful and product offerings meet the requirements of a large body of customers. But we are still at the water-testing stage. The potential of a very powerful medium remains to be fully utilized. Customers want options. They want familiar as well as the latest technology. Banks/financial institutes of various sizes would be able to get the technology they need if they keep in mind that—if you are small, do what the big guys cannot do; if you are big do what the little guys cannot do. ‘It is easier to ride a horse in the direction it is going’.
53 e-finance products and services
five
e-trading
T
he term e-trading encompasses a wide variety of systems, ranging from simple order transmission services, to full-fledged trade execution facilities. E-trading is defined here in a somewhat broader context. It is a facility that provides some or all of the following services: Electronic order routing, from users to the system. Automated trade execution, translating orders into trade. Electronic dissemination of bid/offer quotes and depth. Post trade information (transaction price and volume data).
It is necessary to cover in this definition even those systems, which do not include trade execution facilities. The purpose here, is not to examine a system but to look at e-trading in general and its impact. It would be useful to point out that electronic systems differ from traditional markets in several respects .The application of computer technology automates aspects of the trading process and changes the relationship amongst dealers and also with their customers. The effect, however, is not to build a better telephone but to create a new way of trading, different from either floor-based or telephone trading. The point could best be illustrated by highlighting the differences (particularly those that are noteworthy): E-trading is location neutral. It allows multilateral interaction, on a continuous basis. 54 e-finance
E-trading is scalable—electronic systems can be scaled up to handle more trade simply by increasing the capacity of the computer network. In traditional markets, the size of the floor has to be physically expanded or the number and capacity of the intermediaries has to be increased. The scalability can enhance the reach of the dealers through a greater access to a widening base. Operational costs under the ET system can be reduced because economies of scale can be exploited. ET is integrated. It allows straight-through processing by integrating different parts of the trading system.
Changing Roles When securities/share trading are discussed, one visualizes exchanges, brokers, and sub-brokers etc. Once ‘e-trading’ began there was a shift in the way these entities carried out their tasks. These aspects can be appreciated when one notices how the Securities and Exchange Commission (SEC) of USA had to wrestle with substantial difficulties in arriving at a definition of the word ‘Exchange’. Yet, we have a definition which could lead to a lot of questions being raised: What distinguishes an exchange from a broker, dealer or other statutorily defined entity is its fundamental characteristic of centralizing purchasers and sellers by design [trading rules, procedures], have buy and sell quotations on a regular basis so that the purchasers and sellers have a reasonable expectation that they can regularly execute their orders at these quotations.
There are a number of weaknesses that can easily be spotted in the definition above. For example, is a broker, who matches orders, not acting like an ‘Exchange’? What is the difference between an original and a copy of an electronic document? A major overhaul of such terms and meanings are taking place in the present day. 55 e-trading
It is necessary at this stage to critically look at the role of intermediaries. The role of intermediaries in financial markets is undergoing a change. It is, therefore, necessary to have a new approach to these aspects of the market mechanism. Many sound theoretical formulations have been made and a brief review of these would be useful for organizations to have a critical look at their own perception on these matters. The earlier theoretical approaches were based on the assumption that a perfect market posits the role of an intermediary as one that alleviates market imperfections. The traditional intermediaries matched borrowers and savers, or buyers and sellers. In a way, this was their main task. The theory thus postulated led to the conclusion that market frictions and imperfections led to having intermediaries, who provided the remedial measures. It is increasingly clear that such a passive view on intermediation is clearly inadequate to explain the financial industry’s dramatic growth and extensive innovations. Some researchers regard intermediaries as value-adding institutions. Merton & Merton & Bodie propose a functional perspective of financial intermediation in contrast to the institutional one. They consider the economic functions of intermediaries as one of creating and testing new products before they are ‘seasoned’ enough to be traded on the market. In line with the functional approach, Allen & Santomero emphasize the role of intermediaries in risk taking and in participation costs. They argue that while their role in reducing market frictions decline, they play a crucial role in transferring and managing risk in lowering participation costs for individuals. However, the market microstructure theorists propose that the question needs to be viewed in the context of the big picture of financial systems. It is suggested that financial intermediation theory should leave its paradigm of static perfect markets and that financial institutions should be viewed in the big picture of financial systems. This approach, known as ‘microstructure’ develops a framework where the way markets work is studied. 56 e-finance
Lihui Lin et al. (2000) argue that all financial institutions act as intermediaries between borrowers and lenders or between buyers and sellers. Financial markets produce matches for standardized products. Financial markets are like retailers, while the traditional intermediaries are more like manufacturers and/or wholesalers. There is a certain limitation in the old theory not being able to define the value-addition function of market-making. Such a perspective is crucial in understanding the finance industry in the Internet era. The rapid developments have blurred the distinction between brokerage firms and trading platforms. With their integrated analytical framework, advances in technology have changed the production function in all financial institutions and these firms are differentiating their products and services and are vertically integrating with each other.
Global Developments Following the adoption of the Internet as a key trading channel by major players, the broking market witnessed explosive growth before the recent lull. In 2000, there were around 18 million accounts with more than one trillion in assets. On-line trade accounted for almost 40 per cent of all retail trade in US market. The European market more than doubled to 3.7 million accounts in 2000. In Japan, almost 1.9 million on-line accounts were reported to be in existence in 2001. In Hong Kong, there were almost a 100 on-line brokers. South Korea, Turkey, etc., were also showing a marked shift to e-trading.
The Market Developments It is interesting to see the market developments in the US and in Europe. The development of e-trading platforms in different markets have led to varied developments though the markets are for the same assets. It would be useful to review 57 e-trading
the developments in the US and in Europe. The study shows how contrasting developments can take place for the same asset in two different markets. In the US, the market is characterized by a proliferation of alternative electronic trading venues alongside traditional exchanges. Europe is notable for the absence of separate systems. The electronic systems are integrated with traditional exchanges and most electronic facilities have developed within existing exchanges. Over a period of time, continuous electronic order books have been incorporated within mainstream exchanges. European exchanges are in fact subject to far greater competitive pressure. There is a pan-European development facilitated by the emergence of the Euro. These developments have made it extremely difficult for separate trading venues.
The Indian Scenario The number of stock market investors is low; perhaps not more than 3–4 million. Unfortunately on-line trading coincided with the market meltdown. This reduced investor interest was reflected in trading in general. The total volume of on-line trading during 2000 amounted to Rs 5.017 million; total trade transactions were 25,08,445. The Indian market is fragmented—the capacity of firms to invest was also limited. Up front investments by firms were severely limited. The National Stock Exchange (NSE) permits e-broking. However, Internet initiatives will be successful if web platforms that leverage their on-line brand value, customer lists and distribution channels are built with due care. Brokers and other financial institutions have to obtain permission from the Securities Exchange Board of India (SEBI) to undertake online activities and also adhere to the stipulations of NSE for accreditation. The permission is given subject to minimum conditions being fulfilled. At the time of writing there are about 50 online brokers. 58 e-finance
With a middle-class population of 200 million, which is upwardly mobile and looks to a comfortable tomorrow, the stock market should be the perfect place to invest. However, scam-scarred bourses don’t inspire trust/confidence. A brief review of developments does show what could be considered a somewhat hesitant beginning. In February 2000, Kochi based Geojit conducted the first trade. Their volumes have gone up from Rs 30 million to Rs 150 million per month. Threshold break-even could come at Rs 10 million per month. The entire segment is in a growth stage and there is scope for multiple players. However, it appears that the growth, so far has been sluggish. It has also been observed that the switchover can take place fairly rapidly when the brokers make efforts to persuade the clients to do so. The reasons for the slow development are given below: other markets (US or Europe) succeeded during a bullish phase. Awareness and acceptability factor—consumer awareness is at low level. It is only first-time investors who have accepted it whole-heartedly. The average age of an Internet user is 27—mature older investors are not technology positive. Internet-trading takes place through bank accounts— banks are not yet on-line. Concerns about security dominate. This is perhaps the main reason. Scrips that are compulsorily dematerialized are traded on the Internet (about 600). Pure e-trading firms are not likely to be playing an important part in the foreseeable future. It would necessarily have to be a brick and click solution. Current experience suggests that a bank provided facility has a greater chance of success, since the settlement is primarily through a bank. At the same time, it must be added that perhaps the solution lies in balancing technology-centric approach to transactions 59 e-trading
with the human touch factor which will be key determinants in the transition from traditional methods to e-broking. Brand building, assurance of security, developing multiple delivery channels with ‘anytime’ telephone grievance redressal systems, are some directional changes, which would, no doubt, be of use. It has also been suggested that initial investments on technology are said to be around Rs 500 million. This is perhaps an exaggeration as some of the banks offering these services have suggested that the investments are not more than Rs 200–250 million. The lead in this behalf can come from corporate brokers. The general conditions that need to be fulfilled before a major shift to e-trading can take place are reviewed below. On-line brokers’ communications with investors should satisfy the principle of notice (timely and adequate notice that information is available electronically), access should be comparable to other forms and convincing evidence to show that delivery is complete. Add to this the elements of privacy and confidentiality. The brokers themselves could issue written statements and pre-use the review process. In some countries, even the public disclosure reports on broker-dealers must be posted on websites to allow for better informed investors. ‘Suitability’ and ‘know thy customer’ rules are also being enforced. These rules oblige brokers to make certain determinations—such as ascertaining investors’ financial status, tax status, investment objectives, etc., before making a transaction.
Operational Cycle Logging in, placing an order and having it fulfilled has raised complex problems. Technology solutions have to start from front end of the Internet. Then it needs to get into the ‘middle tier’ of risk management systems that access data, calculate client risk at the point and give the go/no go advice. This in turn is connected to the back end of the branch office, where the accounting modules pay in/out operate. 60 e-finance
These solutions must work for thousands of trade orders. From an individual’s point of view, the operation is simple and can be described as under: The individual investor opens an account with a firm and there is a minimum balance deposit. Once an account with a broker is opened, he or she can place his/her order(s) directly through the Internet by logging on to the brokers’ sites and entering orders for execution. These orders can be open, market or limit orders.
The trading models in equity markets can broadly be divided into two categories: Order-driven systems that combine all bid and ask orders into one central order; or Book and automatically match the orders without any intermediaries. Major stock exchanges use this system to automatically match the order of dealers. The quotedriven systems bring together dealers that provide twoway prices for securities. The bid-ask spread constitutes the profit for the broker/system. There are certain parallel developments, which also need to be considered. An Electronic Communications Network (ECN) facilitates investors who can use a computerized network for placing their orders. They can place their bid price for a share or set their own selling price in an ‘off-exchange market’. These are generally the preferred routes for institutional investors. The Instinet operated by Reuters is a good example of such an ECN. ECNs connect buyers and sellers without relying on brokers. Trading is thus cheaper and quicker. Direct access trading is a type of on-line trading. When an investor makes an order on-line, the brokerage firm routes the order to a market maker and gets a commission for the order flow (Payment for Order Flow’). The 61 e-trading
investors have to use particular software for trading in this environment and the use is limited to sophisticated institutional investors.
Impact on Market Architecture The impact of e-trading on market architecture, the pricing of products and services, the risk profile etc., are examined in this section. Markets can be described in terms of a number of key features, which combine to determine the form of trading that occurs. These features of market architecture include which participants have access to the trading platform, the degree of transparency in the trading process and the trading protocols, such as order types and opening hours. Related to these are aspects relating to market quality, such as trading costs and liquidity. Included in this group are features like order flow interaction, access for end-users (direct/intermediated), and market quality (fragmented, centralized and/or consolidated). The current market structure can best be described as a hybrid one, where many different trading systems and trading mechanisms co-exist. It is too early to say how markets will develop, but several market participants expect a transition to more centralized and open markets. In certain markets we may even have end-users transacting directly with each other. This could occur in different ways. Multipledealer systems (single platforms where customers can approach several dealers at the same time) may widen access to include other dealers, thus enabling inter-dealer trading on the system. These aspects may appear to be matters of purely academic interest, but are really important for decision makers since a number of strategic-planning decisions could well depend on these. E-trading generally results in low variable costs, but entry costs and costs on advertisements could be substantial. The 62 e-finance
fixed cost components are considerable. The initial development costs of IT infrastructure is naturally high but could be mitigated if the existing infrastructure were used. It has been amply demonstrated, that e-trading is certainly more cost efficient. The straight-through processing is bound to be advantageous and once standard settlement and clearing procedures are in place, its potential would be fully realized. E-trading offers potential to make markets more transparent. It is not restricted to information about price alone, but the user has the full log of the transaction behaviour. The fact that e-trading is location–neutral and facilitates multilateral interaction, is the main contributory.
Risk Profile The advantages to a customer from multiple access and lower costs have already been referred to. Far more important are aspects pertaining to risks. The customer must accept the fact that he has to adapt and accommodate financial market experimentation. His worry would be if the institution with which he is dealing, or the system could be at risk. At this stage, it is difficult to predict the risk profile in a single market. The technologies change the way in which markets can operate and firms can be organized. These changes bring about consolidation, aggregation of activities, creation of new products and the entry of newcomers. The trouble is to discover these aspects during the period of transition. It would, therefore, be necessary for management to clearly communicate to customers all these aspects and try and reduce the apprehensions.
Operational Risks The growing use of e-trading systems has been accompanied by a parallel increase in trading delays and outages on these systems. These are genuine difficulties and cannot be taken lightly or wished away. The relieving feature is that the 63 e-trading
outages did not occur because of the incapacity of their system to handle large transaction volumes, but rather from upgrades to expand capacity and to improve capability. The vendorsupplied software, which is used for order processing, experiences problems and these problems are transmitted to a number of firms. It would be pertinent to mention other factors causing such breakdowns and consequent delays. Increasingly self-regulatory organizations mandate that member firms have adequate capacity to handle high volumes of web orders. For instance the National Association of Securities Dealers (NASD) reminds members of their obligations under SEC Staff Legal Bulletin No. 8 to ensure that they have adequate systems to handle high volume or high volatility trading days. Similarly, firms are categorically advised that investors must not be misled through public statements. Misrepresentations or omissions of material facts in public communications violate NASD rules 2210 and 2110’ which require members to observe high standards of commercial honour and equitable principles of trade. Investors would be well-advised to ensure that these difficulties are solved by an arrangement with the broker for placement of trade via alternate means, for example, by making a phone call. The investor should never walk away till an order confirmation is seen on the screen. Of course, if the order cannot be processed, the best course would be to change your broker. Unfortunately the regulations do not stipulate that orders need to be processed in a given time-frame. Despite their frequency and sometimes length, the delays have not had systemic consequences. These could perhaps be due to the fact that delays have not been too prolonged and also sheer coincidence that they did not occur when the markets were in the eye of the storm.
Margin Trading Investors will now have to guard against brokers who give them too much credit, since margin trading is permitted. 64 e-finance
Margin lending simply lets you borrow a certain amount against the value of your stocks and trade with that money. Another factor called marginability must also be taken into account. How much you can borrow to trade depends on the concept of marginability. It would be prudent to mention that the margin trader is necessarily concerned with immediate results; he hopes to swim with the tide and also hopes to gauge when the tide will turn and to reverse his strokes the moment before. The typical result could be temporary success ending in complete disaster. The discussion, so far, has brought out the problem areas that management would have to bear in mind when they decide to change over or add the activity anew as part of their expanded product mix.
Trading in Foreign Exchange Developments in the area of foreign exchange trading on the Internet is reviewed here. It would not be incorrect to say that e-trading is being applied first to transactions in liquid and homogenous transactions than to larger transactions. Perhaps the counterparty risk factor dissuades investors in using the mechanism. Currently, the foreign exchange market and the market for fixed income securities remains fragmented and are segmented into an inter-dealer segment and a dealer-to-customer segment. Most customers have shown their preference for trading through dealers. In the inter-dealer market, trading is moving from bilateral over the counter relationships towards a marketplace with more centralized price discovery and transparency. This is noticed more in the foreign exchange market than in the fixed income segment. It would be premature to predict in which direction the markets will move but the present state is best described as a hybrid one, where many mechanisms co-exist.
65 e-trading
Trading in Fixed Income Securities On-line trading in the fixed income securities market is of recent origin—barely five years old. Trade-Web was the first on-line bond market. Now a number of platforms that are competing amongst themselves and with the traditional players have emerged. As stated earlier, the market is fragmented. The trading systems could broadly be divided into categories according to: (a) the trading model used; (b) the ownership structure; (c) source of prices for securities (d) customer base; and (e) coverage and product.
Trading Models These can be broadly classified as under: Auction Trading Platforms, Inquiry-based Systems, Cross-matching Systems.
Ownership Most of the brokerages are expanding their services globally and forming joint ventures with local brokers in emerging markets.
Letters of Credit through Electronic Means The International Chamber of Commerce has taken meaningful steps in streamlining the practices consequent to electronic presentation. The first step was to stipulate that a credit subject to the eUCP is also subject to the UCP without its express incorporation. Simple terms are then defined, like ‘appears on face’ or ‘document’ or ‘sign’. This is an extremely useful step and for trade practices to evolve, a beginning has to be made and 66 e-finance
those wishing to use the means must refer to the supplement to the Uniform Customs Procedure (UCP) 500 for electronic presentation. Increasingly, the means used for export/import trade would be electronic and banks and financial institutions must be thoroughly familiar with these practices. Further, ongoing difficulties must be brought out and doubts resolved. In conclusion it could be observed that customers are showing a marked preference for emerging technologies and trading practices. It would not be incorrect to say that customer pressure is the driving force behind the changes taking place. Security considerations and transparency are the main customer requirements, in addition to the risk factors normally associated with such trades.
67 e-trading
six
e-banking What Led to E-banking?
T
his analysis begins with an explicit assumption that a bank has in principle (no doubt after a hard look at its financials and other factors), decided to establish, if not immediately, at least in the not too distant a future, an Internet banking facility for its customers. It is further assumed that the decision is based on a conviction that the step is taken out of the bank’s own requirements, or even ‘compulsions’ arising from business requirements. A number of cooperative banks and medium-sized commercial banks appear to be headed in this direction though they do not appear to have examined the various available options fully. Consequent to liberalization and deregulation, the financial services industry, in general, and smaller but reasonably wellestablished banks (say co-operative banks) are faced with problems necessitating radical changes in their working. Given below are some of the problems that have a bearing on these issues: Large workforce: that is used to job security, not exposed to working in a competitive environment and is somewhat reluctant to upgrade the skills required to work in an automated environment. The clamp down on recruitment has resulted in the workforce comprising middleaged staff with 15–20 years of service behind them. This leads to high transaction costs. 68 e-finance
Slow pace of ‘technology change’, Indifference towards customer service, ‘Thinning’ margins, Falling share in foreign exchange business, Competition from the hostile ambience of retail markets, Technology ‘savvy’ private banks, Migration of high net-worth clients. The desire to introduce e-banking could emanate from factors which have a positive as well as a negative impact on their working. Banks that have decided to explore e-banking are likely to use Application Service Providers (ASPs). The reason for this is that the policies pursued by HDFC Bank, which are regarded as not only ‘Technically Superior’ but also highly profitable and, therefore, worth emulating. Its treasury, corporate and even retail activities are mostly automated, with a strong focus on on-line connectivity and e-commerce. They use (in partnership with I-flex solutions), e-commerce solutions provided by I-flex. Wipro handles their data centre management. HDFC is now able to provide application support services to other banks as well. Realizing that there is a huge niche market awaiting developments, ASPs will be able to play a useful role. In fact, ASPs worldwide, are a growing tribe. The challenge is to choose one which will meet the banks’ needs properly. There are, no doubt, certain advantages in choosing ASPs. A bank could achieve its automation objectives without huge capital investments and with limited costs. The HDFC bank and I-flex have formed a business partnership to provide such services to small and medium-sized banks. This would facilitate the use of such services by small banks.
Choosing the ASP How should a Bank decide on which ASP to choose? Gartners have pointed out that an ASP should have a strong focus in the industry, a good brand name and developing real 69 e-banking
know-how with specific tailored solutions. Although these characteristics would make the ASP quite acceptable, it must also provide some unique, specific software solutions which would ensure a competitive edge for the bank. Banks’ automation, so far, has been one of a standardized ‘one-size-fits all’ solution. In one instance, 4–5 software vendors were identified and banks were asked to choose from amongst those. It was almost forgotten that automation could be a major competitive tool. It is also not certain whether the outsourcing environment is adequately and truly secured by confidentiality conditions. There is a genuine concern regarding this because the ASPs would then not be able to assess specific customer requirements or problems faced by the bank(s). They would offer only general solutions. In this context, it could be said that the transformation to e-banking does necessitate considerable preparations within the bank itself. Training of staff is a major problem. Professor Padwal has attempted an estimate of the quantitative dimensions of the training problem and they appear forbidding. Further, it is possible that not every bank customer has access to a high-speed dedicated line(s). Many are likely to be struggling with a 56k modem connection from home and waiting for 10–15 minutes just to find out their bank balance is not a worthwhile activity. Many banks took the first step in this area by building their own websites. We begin with a review of these.
Bank Websites Chapter three has briefly discussed the problems faced by banks in building and maintaining their websites. Today, online delivery is not only about websites accessed through PCs. Customers would soon begin to consider using of on-line devices such as PDAs and mobile phones (Wap enabled). Once again, the spread of mobile phones would make it essential for those banks which already have websites to rethink about the design along the lines previously indicated in chapter three. 70 e-finance
When a bank embarks on a technology solution, it is essential that it does not blindly jump on the bandwagon, but critically looks at the limitations and issues that surround such a strategy. Further, the bank must never lose its customer focus, as solutions are for the benefit of the customer also. Accepting multi-channel delivery in an e-world is a necessity. To a great extent, the design for services for these channels depends on human behaviour and the financial institutions that recognize this and understand how best to present the services to their customers would be the most successful (see chapter seven). There is one major pitfall that should be avoided. Although anywhere anytime banking would imply that the bank is ready to offer all services across all devices, it is a totally useless concept which ignores not only the functionality of a channel but also people behaviour. Banks must have before them the way a consumer looks at a product and the way he/ she is likely to approach the bank. A discussion with the Chairman of Barclays Bank several years ago, around the time ATMs were established, revealed that it ignores the possibility of a customer wanting to talk. There is such a thing as a human touch. His advice then was not to underestimate this aspect, valid even today. Further, correctly looked at and handled, banks could ill-afford to ignore this opportunity for a feedback session! Will relationships between a small customer and business go the way of the horse and buggy? Will bank products be primarily sold in the financial market place as commodities, or will personal service and contact still matter?
Stand-alone E-banking There are a number of banks today which regard the Internet as a tool to deliver products; others see it as a separate line of business for the bank. Here, the performance of stand-alone e-banks is reviewed. In course of time, the emergence of new entities in this field is a distinct possibility with newer 71 e-banking
approaches, work culture, etc. For instance, a major telecom company like Reliance or a technology company like Infotech may decide to explore the area and set up a stand-alone ebank. Recently, the London Economist published a review of the working of Internet banking, focusing on the reasons for their failure. Amongst the causes listed were a) customer resistance; and b) expenses incurred on advertisements. The study no doubt highlighted the problems faced by standalone banks. However, subsequent studies, particularly Robert De Young’s 2001 work, does throw considerable new light on the functioning of stand-alone banks, in which websites are the only delivery channel. Theoretically, low overhead expenses and access to larger geographical markets should allow better prices (higher deposit rates and lower interest rates on loans). It is true that in practice, they are struggling for profitability; nor are they dominating traditional banks with branch networks. It must not be forgotten that as these e-banks age, they accumulate more experience. Although these results have not been extensively measured in banking, some recent studies do point to the fact that the performance of banks improves over a period of nine years. According to De Young (2001), the first is the maturity experience. As a new bank ages and its employees accumulate general banking experience, the maturity effect would transfer this experience into improved financial performance. This transformation occurs through improvements in numerous aspects of financial performance, such as cost control, risk management, marketing or pricing policies. There are two distinct possibilities. In the first instance, ebanks could draw on a talented pool of manpower available and make use of technology more effectively. There are areas where, even in large banks, technology is not being harnessed to the extent required. Stand-alone e-banks can handle areas like asset liability management, risk management or even investment management, more effectively because there would be less inter-departmental conflict. At the same time, these entities could experiment with the Drucker model. For 72 e-finance
instance, hospitals are run by part-time consultants. In the same way the core staff could be augmented by such consultants and the experience learning curve could be shortened. E-banks could also begin with broking, which is a profitable activity and then enter other business activities. The second instance pertains to technology. Although it may take time for customers and managers to get used to the new technologies, they would eventually have an edge over others in translating this into an improved financial performance. With the scale of operations changing, the technology effect transforms into improved financial performance through a reduction of unit costs. De Young has in his study, compared the performance of newly established banks with established banks having branches. The analysis shows that on a purely static basis, newly chartered Internet banks perform poorly relative to newly chartered traditional banks. The dynamic analysis in Table 6.1 suggests that the performance improves more quickly over time at the Internet-only start-ups and the evidence is consistent with both technology-based effect and technologyscale effects (see Tables 6.1 and 6.2). Table 6.1 Internet and Non-internet Banks A Dynamic Analysis Dependent Variable
Static Analysis
Return on Assets Return on Equity Interest Margin/Assets Equity/Assets Non-interest Expenses Premises Expenses/Assets Labour Expenses/Assets Wages (Full time employees) Non-interest Expenses/Assets Depreciation/Assets Loans/Assets Non Paying Assets (NPA) Asset Gross Rate (annual)
0.0310 0.1096 0.0002 0.1034 0.0214 0.0015 0.0045 0.0083 0.0154 0.0700 0.0636 0.0000 0.7524 73 e-banking
Dynamic Analysis 0.0094 0.0123 0.0004 0.0334 0.0158 0.0008 0.0047 0.0022 0.0104 0.0417 0.0208 0.0000 0.0086
0.0078 0.0006 0.0005 0.0126 0.0148 0.0013 0.0084 0.0014 0.0053 0.0381 0.0331 0.0006
Table 6.2: Internet and Non-internet BanksSelected Balance Sheet Ratios (a) Loan Comp. (b) Funding Asset Size Category
74 e-finance
Less than $ 100 mn $ 100 mn to $ 1 bn $ 1 bn to $ 10 bn $ 10 bn and over
Deposits /Assets
Purchased Funds/Dep.
C&I Loans/Loans Credit Cards
Internet
Non-internet
Internet
Non-internet
Internet
Non-internet
20.4
16.9
.5
.4
82.1
85.1
17.9
18.1
1.7
.9
78.9
82.3
24.5
17.8
4.2
.9
68.6
71.8
66.1
11.7
34.1
2.8
Most banks that use the Internet-only business model are struggling for profitability and it may lead one to conclude that this model does not seem to be a particularly successful one. However, the study also shows that profitability ratios and non-interest expenses ratios improve more quickly over time at the Internet-only start-ups than at the traditional startups. If these trends continue, the Internet-only business model could prove to be a viable business proposition. There is one question which remains to be resolved. It is now clear that the earlier fear of the complete disappearance of brick and mortar banks is definitely not a possibility in the near future. Thus, why should the management not increase its geographical spread? The option is not only open to them, but is also a viable one. An analysis of key ratios of their respective balance sheets shows that the brick and mortar branches do perform better than branches of Internet banks (see chaper one). It cannot be ruled out that there is a fairly high degree of scepticism about the viability of e-banks. The reasons for this arise from the fact that these banks have not been performing as well as they should have. For example, the entry of most successful ‘pure play’ Internet bank, ‘EGG’, was dramatic. It developed a customer base of 1,50,000 customers and 1.3 billion pounds sterling in deposits. In the first three months, it had over a quarter of a million customers and deposits of 5 billion pounds. The customers were not only affluent, but also technology literate. It had a very substantial share of mortgage loans and was considered a great success. EGG was widely hailed as a strategic triumph that revolutionized British banking and the most extraordinary success story in new customer acquisition that retail banking has seen. However, underneath it lay faulty banking policies. It offered a savings rate that was higher than the prevailing market rates, which meant negative deposit margins and in effect giving money away. So although it initially did succeed in scaling dizzying heights did it make money? Would it make money over a 75 e-banking
period of time? Not in the near future, given the accumulated losses. What banks lose in higher deposit rates could be made good by maximizing the price or rates at which they lend. However, it is doubtful if one could lend at rates higher than the market rates. The competitive dynamics of the market place would force prices down to gain sales at the cost of margins. For standardized, low-risk products such as mortgages, competition is severe; no bank could afford to charge more. For high risk, unsecured lending, risk should be the main consideration. The primary determinant should be risk, not merely competitive margins. Traditional banks have one more bow to their string, i.e. the fee income. Unfortunately many Internet banks waived such fees. In the business ‘model’ described above, it would be difficult to make profits. This is exactly similar to other low margin businesses. Scale is the only way out. To build scale requires a relentless focus on attracting customers at any cost (which leads to lower margins). This leads to a vicious circle of destruction of profits. Questions regarding the high costs incurred by banks are often asked. Since traditional banks have high cost structures (translating as poor cost discipline), it is suggested that the protected environment of domestic banking has given rise to inefficient dynamics of domestic banking. On the other hand, Internet banks have low costs. It should be possible for them to offset the ‘losses’ elsewhere. These banks would make their money on very low operating costs. It is however, clear that lower margins and lost fee income cannot be recovered by a low operating cost. Nor is the influx of high net-worth individuals with an idle balance in the account able to offset the fundamentally flawed ‘economics’ of the business. In an article in the Asian Banking journal, Scott Roman (2000) estimates ‘that these Banks would have to triple the average balances of their customers or further reduce costs by 47 per cent’. Clearly, both these options would be difficult to exercise. The only option is to start pricing sensibly. The logic of the banking business demands that breaking the fundamentals of 76 e-finance
business is not a feasible proposition. Rather, adherence to the basics alone, can protect ‘shareholder’ value. The problem is compounded when we note that the size of the market is considerably small and growth can be at the expense of another institution. Marketing then amounts to ‘poaching’. Obviously, a price is extracted for such a transfer. The lesson is that pure play Internet banks must decide whether they are looking at themselves as ‘business entities’ or as delivery channels. This would affect their marketing strategies as it could lead to a situation where banks become desperate to be available on the Internet, but neglect to persuade customers to choose their facilities. Many banks do not offer an incentive to bank on the web. Customer emails were not responded to even after a lapse of 8–10 hours. Apart from the competitive strategic considerations (offensive/defensive), banks would have to wrestle with some crucial issues. Can the bank make money in the new arena? What is the direction they should move in and what skills and resources would be needed? Many analysts have pointed out that prowess at information management was considered as a prime determinant of on-line success. It has often been suggested by the author that an important window of opportunity is open right now—a time when valuable on-line customer relationships can make substantial headway in an open field. While considering the revenue side, the evidence (no doubt, somewhat sketchy), suggests that e-bank customers bring in more deposits and tend to buy more products. The average life of their accounts is longer. Although it is a fact that there are some banks which consider Internet customers fickle, more substantive arguments centre around whether customers pay for a channel or whether they pay for the products. The oftcited example is that of ATMs—where banks had to provide ATM channels to retain customers and to remain competitive. Such techniques are not regarded as defensive. An activity undertaken merely because every member of the league will have to enter it some day can hardly be sustained or carried 77 e-banking
out with a degree of commitment. A quick review of customers who are Internet users today shows that they are either in the high income group, or will be in the not too distant future. Customers in certain categories want convenience and easy business solutions with their bankers. An important consideration at this stage, is to judge if they have the required creativity and skills. These will have to be harnessed to ensure reliability—systems must operate perfectly for customers. If the banks roll out a channel and fail to grow revenues or extend the average account life to justify the increased cost, then it is the bank which has made a mistake. These banks have a complex set of challenges in allocating resources, integrating systems and in developing a clear picture of customer profitability. It has been suggested in the last few years to undertake a strategy of integrating IT with an organization’s overall business model. An Internet strategy has to support the overall strategy—it is however, not the overall business strategy. No bank should lose sight of the fact that the Internet is only one medium among many channels that customers do and can use (the obvious exception is the Internet-only bank). Banks would need a clear view of both their brand positioning and what type of organization they want to be. They must also undertake step-by-step planning to: Identify their priorities and determine critical success factors. Create an e-business road map. The bank must be able to deliver solutions quickly without sacrificing long-term flexibility. Every phase of the planning process should focus on delivering solutions that meet and exceed customer expectations. It is important to decide on what resources are required, both in terms of costs and people to successfully deliver e-programmes. Technology and business strategy (as is being repeatedly stressed) must go hand in hand. An ‘e78 e-finance
channel’ must be consistent with the overall direction of ‘e’-business. Before taking up specific issues, it might be useful to remember that for established banks, the problem is extracting optimal performance from traditional business lines, while simultaneously transforming their banks as competitors in ecommerce. A major financial upheaval would put a restraint on resources available for reinvestment in commerce and reignite concerns about stability of earnings. However, the fact is that a banking geography-centred model is being supplanted by an electronic system. The experience of stand-alone banks has led to an integrated banking structure, known as ‘brick and click’ banking, which is now becoming an industry ‘norm’. One reason for the emergence of such an integrated structure is due to the response of the existing banks to the emergence of these new entities. According to The Economist (2001), ‘Their physical rivals have become wiser, launching their own integrated strategies (clicks? n bricks?) that offer customers electronic access as well as dark satanic branches.’ They allow their customers to do their banking on line. Further, customers were also not too keen to throw away the ‘yoke’ of branches, as there were concerns regarding the security of e-banking. Traditional banks were considered safer. It has been mentioned earlier that while marginal costs may be negligible, fixed costs are substantial for stand-alone banks. How should the banks then approach these problems? Given below are some of the priorities IT departments should keep in mind. These include: An architectural vision to avoid expensive short-term investment decisions. Evolution of systems as opposed to a ‘revolution’. Careful selection of language for an easy interface (for example, XML). Choosing the right middleware system. 79 e-banking
Early computerization efforts included the effort to meet deadlines, deciding the number of branches to be computerized, etc. Today, IT departments would be under intense pressure to bolt it to the existing system. A word of caution here is that the latest may not be the best route to operational efficiency. The important question is how these fit into the mid- to long-term view of the IT infrastructure of the bank. With the entry of large banks into e-businesses, the way banks implement and deliver their business applications will profoundly change. Second, it would mean multilateral communication between branches, head offices and customers. When a number of easily implemented on-line services become available, corporate and financial institutions will find it easier to move their business from one bank to the other. Banks would, therefore, have to predict customer’s decisionmaking characteristics, as well as providing value-added services. Basically, banks will have to maintain a flexible, responsive organization and discover new ways to stay close to the market. The Union Bank of Finland’s (UBF) electronic delivery system ‘Solo’ is reviewed below. The bank is a leader in electronic banking. Their ATMs were installed in 1978. The electronic data interchange started with its magnetic tape and followed by telephonic transmission over telephone lines. It started the first banking service for micros/PCs in 1984. The development of e-banking has one important condition: it should be profitable both for the bank and the customer. It is not surprising, therefore, that UBF closed 150 branches within five years and reduced the number of employees substantially every year. The bank has an Electronic Data Processing (EDP) architecture and development plan. For many years UBF has been able to follow this particular development strategy and uses other strategies as appropriate. In a competitive environment, this forces other banks to follow and to copy. The system architecture consists of three parts. User interface, telecommunications and the systems supporting the 80 e-finance
services. The systems architecture can convert the services to different media which the customers use. The system allows 24-hour service and availability is nearly a 100 per cent. Another example is that of Singapore’s United Overseas Bank (UOB). The UOB’s Chief Information Officer maintains that the ability to roll out new products has been painstakingly based on a solid foundation built since 1995. The bank worked on the belief that when the Internet really took off, there would be an explosion in terms of demand for technological capabilities, data and services in the future. The bank, therefore, built robust systems that would be needed for the speed and high volume transactions. The most significant aspect was the appreciation of the strain on the back-office (back-end) systems. The use of a relational database became a major resource. The process has covered not only technology, but also people issues. The attempt is to ensure that transactions are end-to-end and flowing through the database. Every time a new service is launched, a unified view is taken. The philosophy of UOB was to be at the centre of e-banking commerce activities. The Federal Deposit Insurance Corporation (FDIC) enumerates the main element of e-banking that need to be kept in mind which are discussed at some length in chapter thirteen as follows:
Planning and Development Inadequate decision processes while considering, planning and implementing electronic capabilities. Impact of technology costs and pricing decisions. Strategic implications of activities. System design and capability and its compatibility with customer demands. Uncertain applicability of insurance coverage of electronic activities. Equally significant are technical competencies, the bank’s control procedures, confidentiality of information, etc. 81 e-banking
Products and Services The products that are generally being offered by banks are analysed in this section and suggestions regarding the priority areas are made. Chapter two described the products which are part of a standard offering. Given below in Box 6.1 is the same information for easy reference. It is now customary to divide these into basic and premium products. Box 6.1: Products and Services offered by Banks Basic Balance Inquiries Funds transfer Bill payments
Premium Includes all the basic services New account set-up Cash management Fiduciary Bills presentment Insurance
Details regarding the services offered by large/mediumsized banks are presented below. These comprise not only banking services, but also other products. The UOB offers a virtual market hub to source and showcase its products. Businesses can source, request for quotes, order on-line, invoice, track orders and pay on-line. However, in the first instance, various ‘banking’ services are dealt with and then other ‘offerings’ are considered. Before looking at the ‘products’ it is necessary to take note of one peculiar criticism viz. net customers being ‘expensively fickle’. The main thrust of the argument is that bankers should have a precise measurement of channel economics and usage and relationship profitability. Some critics have gone to the extent of saying that since deposit withdrawals/cash payments or cheque deposits cannot be handled on the Internet, it is not of much use for the vast majority of customers. Further balance and transaction enquiries can be made on the 82 e-finance
telephone. However, these are positions of an extreme nature and the growing use of the Internet clearly proves otherwise. In the first place, it cannot be denied that an important window of opportunity is open right now—a time when valuable customer relationships are up for grabs. Wells and Fargo have indicated that on-line customers bring in more deposits and tend to buy more products. According to many bankers, these are durable relationships. Today more than ever, customers want convenience, an easy way to do business and are willing to let the bank have the required particulars to enable it to fashion products to suit given requirements. One particular aspect, is a constant emphasis on reliability. Most bankers insist that systems have to work perfectly for the customer. The second imperative is the enhancement of the product(s). The other important factor is the question of reviving personal relationships. The banks can use technology to build up such relationships easily. At this stage, it is also necessary to review the developments in ‘e-commerce’. E-commerce is fuelling the birth of new industries. The size of the opportunity is open to debate but experts agree that the magnitude of e-commerce is greater than any other opportunity the industry might embrace. It has been predicted that by 2004, world Internet businesses would reach a magnitude of $ 7.3 trillion. One of the responses is to differentiate amongst e-commerce solutions. The one segment where banks enjoy regular advantages and have developed core competencies viz. the B2B segment affords a unique opportunity. E-commerce has expanded the areas where banks can add value for their customers, particularly the banks’ role in payment systems settlement and the capacity to evaluate counter-party risks. These are their core competencies. It is, therefore, natural that banks should have a substantial penetration in B2B areas.
B2B Applications Many banks are widening their on-line offerings by providing content and services, in addition to banking transactions. The 83 e-banking
first forays comprised developing a port network primarily for the use of employees and corporate partners. These allowed the banks’ customers to communicate via a portsecure net connection. The great advantage is its secure nature. The competitive pressures and thinning margins on banks’ traditional business, are forcing banks to concentrate on developing ‘relationships’. Over the past decade banks focused on ‘efficiency’ to make up for the losses suffered. Consolidation, automation, downsizing and outsourcing have been relied upon during the earlier phases. However, the need to develop customer equations was ever present. The automated processes freed the dealers, managers etc, to build up a relationship with corporate clients, and high net worth individuals. Apart from rendering their existing services, banks began offering a host of other services. We discuss these in some detail below. The corporate Intranet is increasingly being used as a marketing opportunity, a way to win a position as a company’s ‘in-house bank’ and attract customers for their on-line services. Some large corporations have tens of thousands of employees, who can provide a number of opportunities. These could be described as business to employee portals offering a cluster of bundled services. Wells Fargo is offering on-line services (in addition to an on-site branch) to employees. However, employee accounts are not particularly ‘profitable’ for banks. A number of banks undertake salary payments for their clients. The experience suggests that most employees leave only the bare minimum balance and corporate customers are reluctant to pay for the services rendered. The reason banks do this, is obviously to build a relationship. It would be cheaper than staffing a branch at a client’s site. The customer base increase does not follow merely because an intranet facility is available. Employees are not likely to switch their allegiance unless there is enough reason to do so. Some staff unions have expressed fear over ‘big brother’ 84 e-finance
watching the entire gamut of operations, while others feel it would lead to the employees being tied down to the office, reducing the necessity to visit a branch! Banks have two choices in these matters. They could build a package, make it attractive and sell it, or they could customize products to suit employee needs. Thus, a bank may even have a ‘travel agency’/vacation planning service available on its portals. It is however, clear that a number of other organizations like financial aggregators, mutual and pension funds are also entering the arena and banks have to also gear up in order to compete. This is an area which Indian banks need to explore thoroughly. The other area of interest is ‘e-procurement’—the process of purchasing corporate supplies on-line. B2B spending is substantial and amounted to $ 335 billion. It is likely to soar to $ 6 trillion in the near future. The rationale for this is simply to streamline corporate purchases. It leads to cost savings and increased speed to parties in each transaction. The customer in effect, could set the rules through on-line requisitions. The banks’ wholesale offerings will develop into the kind of a single-entry point for corporate customers to access the array of financial services offered, as well as a host of valueadded services provided by third party providers The banking and finance sector has been a rapid adapter of e-commerce since its products could easily be virtualized and the product had priority over the location. Banks have to move aggressively in seeking alliances and establishing joint ventures. Thus: Banks can become technology providers to start up new business streams; Become context providers for setting up e-market spaces; and Enablers by providing backbone systems to provide multiple payment systems. 85 e-banking
A comparative study of offerings by Australian and Indian banks showed that the products/services offered by Australian banks was superior. Although the lack of demand in rural areas is a cause for concern and accounts for the slow uptake, they generally provide: a) interactive services through account monitoring and management services; b) value-added services, such as insurance management; c) on-line securities trading, foreign currency transactions; and d) electronic reminders. These banks also pay greater attention to security. In India, as discussed earlier, only a few banks are offering these services, though the Internet connections had crossed 4.5 million The facilities are used largely by corporations and a new generation of professionals. The Indian Banks Association (IBA) launched Electronic Funds Transfer (EFT) and electronic clearing system (ECS). The Institute for Development Research in Banking Technology (IDRBT) launched its EFT and real-time gross settlement system with services available throughout India. These should now prompt banks to move into the electronic era. Banks with such high transaction costs cannot forget that the Internet reduces four types of costs: Costs of manual processes; Reach to consumers for promotional purposes; Market research; and Individual communication. Morgan Stanley Dean Witter estimate that the transactions would be worth 7 trillion by 2004. Therefore the need to authenticate this data would be quite critical. Security and identity issues are the most significant barriers to the growth of B2B commerce today. Digital certificates allow companies to be certain of their trading partners in an otherwise anonymous environment of the Internet. It is imperative to identify trading partners for a company, while for banks, trust is being increasingly seen as an opportunity. A bank’s business is all about trust. Therefore, banks can act as public key infrastructure providers. 86 e-finance
The model of a bank providing the Public Key Infrastructure (PKI) solution and having a root authority through which the banks can cross-reference certificates, is the most natural model. When businesses attach digital certificates to their business communications, the banks can exchange root keys to identify each of the trading partners. The root authority would need to create standards by which this process can take place. There are however, some skeptics who see no utility in bringing in third parties in trading transactions. They feel that there may be some serious security issues if companies are required to give over their details and security regulations to another organization. Thus, banks could go beyond financial applications, such as payments and transactions, to offer negotiation services, contract signing, purchasing and supply chain collaboration. Further, banks must be able to operate in a multi-key environment.
Retail Banking Many Indian banks have expanded time, efforts and resources in building branch locations and developing various proprietary systems, such as dial-up facilities. Why should they now turn to the Internet? Several important factors here need to be kept in mind. (a) customer expectations; (b) high cost of operations reflecting in abnormal service charges (Rs 100/– for issuing a cheque book or Rs 250/– for not maintaining a minimum balance). (c) ICICI and HDFC banks are well ahead of their competitors. For changes to be sustained over a period of time it is emphasized here that they must be rooted in the bank’s own genuine requirements. As such, two aspects of the problem come to the fore. The first is a more efficient use of capital and the other is creating an image more acceptable to the market, through which further capital flows can be accessed. The capital adequacy norms have made it an added advantage. 87 e-banking
The banks’ major concern is its advances portfolio. Most banks have identified small and medium enterprises as the major thrust areas for banks. The blue-chip companies are squeezing the banks for a low sub-prime lending rate and naturally the small-scale sector is emerging as the most promising segment. The SBI has launched two new products: SME+, which gives small and medium enterprises (SMEs) an additional ad hoc borrowing of over 20 per cent of the overall working capital limit. The borrower can draw on it six times a year. The launch of the SME credit card is the other. The Bank of Baroda will undertake its marketing through zonal as well as the headquarter’s level. These advances are obviously not risk-free. All the risks associated with lending irrespective of the segment, size of the borrowing, etc., are present. Thus, there is an urgent need for monitoring, guidance in cash management, recovery of dues, etc. This segment also offers the most valuable opening to banks for their Internet activity. A positive factor is that most of these customers have ‘accounting’ packages which work with the help of a computer. Many of them are required to spend considerable time in liaising with their banker and meeting the information requirements of their banks. Delays in submission of such statements leads to a certain laxity in monitoring of the operations. Internet and related services are not mere channels for distribution. They are merely a different way of providing financial services. Using credit scoring and other data mining techniques, banks can create tailor-made products without much cost. They would build a consumer profile and have loan pricing which is more ‘personalized’. It has been observed in an earlier section how ‘e-procurement’ can become a major source of activity for banks. Further, most of the time in sanctioning the borrowers’ requirements is spent in the assessment of credit risks. A situation is envisaged where credit rating agencies could step in and provide a web-based service to bankers and others by undertaking such an exercise. 88 e-finance
Exploring this a little further, let us assume that we need to get as much information we can on a particular company in the shortest possible time. The easiest way would be to have this information through the Internet. Today, only public companies or companies that want to take deposits obtain such ratings. Why should rating agencies not extend the scope of their activities by bringing in smaller- and medium-sized companies also? After all, banks require the following information: (a) company’s background, (b) public record data to see if there are liens, judgements, etc.; (c) Registrar of Companies filings, etc.; and (d) audited financial statements. Borrowers will carefully choose an agency, possibly finding it convenient to submit it to one source and be rated by an agency. The Reserve Bank of India (RBI) in its reply to Bank for International Settlement (BIS) suggestions, had rejected the idea of a credit rating agency having an important role in risk management. However, sole dependence on an agency is not recommended. The bank could make its own judgements in the light of its experience in financing a given activity. The idea is already being analyzed elsewhere and sites like www.transunionbig.com, and www.infousa.com offer many of these services free. They receive their income from advertisements. Banks can also provide B2B procurement services without extending them beyond its own customers. For example, a directory to help small-scale industry customers to locate buyers for finished goods and supplies to meet their raw material needs can be designed. Even within the confines of a state, many borrowers find such information valuable and could help build long-term relations. In this way, payments can be made through the bank and both sides of the transaction are sure that at least the intermediary knows the counter-party well and can act as an arbitrator in case the need arises. A major problem faced by SMEs is the need to extend suppliers’ credit. At present, the period extends from 45 days to 180 days and invariably extends beyond the stipulated 89 e-banking
period. A bank, through its bills presentment and payment services, can be of considerable help. Internally, banks will now find that ‘tools’ are making small business lending easier. Automated real-time decision-making tools, where customers with far lesser risks are segregated from others, are available. In fact, some banks have developed scoring models to facilitate quick sanctioning of loans for consumer durables. The small-scale industry’s relationship with his accountant is more electronic and credit information is also more robust than it was a few years ago. Banks have undertaken this kind of financing for the last three decades, thus they have a huge database available. Further development of such portals will therefore not be very expensive. Integrating them with the existing systems might create some problems, but by and large banks could go ahead without much difficulty. The question is often asked that information is not available or at least not readily. Since banks are known to be cautious and careful, their whole response to the reform process is slow. Perhaps the minimal threat to competitive position makes them indifferent to such changes. Banks appear to ignore the fact that the world is being turned upside down and that they need a new way forward. Finding customers and executing transactions with them will be a function of the creative use of information available, but massively underused. The question(s) to be decided by banks relates to priorities and the targeted segment. No doubt the availability of lowcost deposits is a priority, but with better cash management, it would be futile to expect that corporates would leave large idle balances in their C/D accounts. Banks would need to devise ways for cross selling products (payments, forex, etc.) to corporates, while concentrating a major part of their efforts on sectors which could be considered as ‘favoured’ customers.
Advisory Services through Branches The next question that is often raised relates to the role of the branch network. Apart from catering to the needs of 90 e-finance
customers who do not use the electronic channel, the branches which are ‘high cost’ would have to be turned into an advisory hub both for customers who seek avenues for sound investment, as also for the borrowers. This role is critical in transforming information into a useful input, not only for customizing products, but also for risk management for the borrowers indirectly for itself. The Chartered Institute of Bankers in London suggested that instead of closing down branches, they could be given out for management on a franchise basis.
Payment Services Banks have traditionally engaged themselves in the transfer of funds, and payment services. These cover both the retail and wholesale transfer of funds. Electronic systems are simply alternative systems to deliver traditional banking and related products. Certain steps are identical in both the processes viz. entry, settlement and distribution (crediting the counterparty accounts). Beyond trust and confidence, customers need absolute certainty of: (a) user privacy; (b) transaction legitimacy, security and non-repudiation; (c) system dependability, cost and efficiency; and (d) easy and general acceptance. The system components, process methodology and system structure would determine the category to which risks the payment system is subject to. Banks could be either owners (investors), system developers, issuers, transaction authorizers or processors, recordkeepers or transaction-achievers. In conclusion, it could-be asked whether medium-sized banks/large cooperative banks should enter the field? There is a strong argument in favour of such banks developing a strong delivery channel. There certainly is a regional flavour to the relationship and in spite of competitive pressures, local banks have a distinct advantage over others. They could justify their entry on the basis of defending their share(s), the 91 e-banking
demand by a greater number of their customers and finally the possibility of a more profitable base. However, all these decisions would, in the final analysis, depend upon the ‘culture’ of the bank’s customers. The primary reason for developing e-banking facilities should be a keenly felt need by clients. The change would necessitate a long-term strategy. Mistakes are also bound to be made. Care must be taken to ensure that products match the description given in the brochure.
92 e-finance
seven
marketing
D
espite the wealth of evidence that information and information technology are rapidly transforming almost all phases of economic and business activity, relatively little formal attention has been paid to the effects of transformation on marketing theory and practice. In the absence of a significant body of empirical work in the area by academicians till date, most of what is known about the information environment and marketing comes from rapidly accumulating evidence, documenting corporate experience. The speed with which information is transmitted, the amount of information that can be stored and the ease of creating patterns of organizing information, are giving rise to qualitative changes. The key variable is information itself. The value of information depends on facilitating exchange within the value-added chain, down stream, between the firm and the consumer; and upstream, between the firm and supplier and within the firm itself. Conventional marketing activities are transformed because the World Wide Web presents fundamentally different activities than traditional media. The transformation takes place because traditional methods cannot easily be implemented. Non-verbal communication is deconstructed with the use of ‘emoticons’. Once you include the consumer, the goal of marketing could move from satisfying customer needs to inclusion of an altruistic, cooperative goal of facilitating the development of the market itself. Driven by traditional mass media models ‘hit and visit’ counting implicitly try to achieve mass audience levels, since 93 marketing
traditionally advertisement effectiveness can be tied to consumer response. The one too many models used in theory and practice of marketing has only limited utility. The web in course of time, would change the consumer’s role as receivers of marketing information and would allow them to become active participants. The focus during the early stages of the electronic revolution has been squarely on technology. Discussions are centred around access devices, software vendors, hardware platforms and specific joint ventures or platforms. A critical component that has been overlooked is the marketing of these products. It may be perhaps complacently assumed that the product would sell itself. This unfortunately may turn out to be wishful thinking. It should be mentioned that there is no consensus view concerning the most effective approaches for marketing electronic products and services. Most banks have hardly any experience (except perhaps through ATMs). The nature of the problem must first be identified. The biggest challenge here is to provide the customers the breadth of choice they demand. The customer is now in the driver’s seat—refuse customer a loan today and he/she would find numerous others willing to provide the same. Charge them interest for being overdrawn and they would move to a bank that does not. The brick/click model requires a well-thought out marketing plan, which would satisfy both the Internet customers and those wishing to avail of branch networks. In fact, quite a few customers could be in both the categories. Equally daunting is the task of ensuring a service level to which Internet customers are accustomed. A mismatch between promises and practices or procedures, could have serious consequences. For the last few years, banks and financial institutions have been so preoccupied with their internal issues, that customer service received short shrift. The industry’s propensity to raise fees to boost non-interest income has not helped either. 94 e-finance
Cu
C
sto
us
me
rF
e tom
ee
db
ed r Fe
ac
k
bac
k
st Cu Cu
om
sto
me
er
rF
db Fee
ee
db
ack
ac
k
Customer Service
Marketing for Intangibles Before proceeding further we need to look at some fundamental changes that have occurred, with regard to ‘intangible’ products. In the ‘new economy’ exchange of information is not a by-product, but a central activity of financial markets. Information-driven dynamics of modern financial markets needs to be thoroughly understood. In the agricultural economy, there was a relationship between man and nature or natural products. In the industrial economy the focus shifted to man and machines and machinemade products. The intangible economy is structured around relationships between man, ideas and symbols. We now live in a ‘weightless economy’. How does one comprehend the digital economy? The demand and supply factors must be carefully considered. The demand for intangible artifacts and the supply of intangible assetss such as brands, intellectual property and human capital, could help in understanding the nature of these ‘products’. These intangible products include, amongst other things, different forms of information and communication, audio and visual media entertainment and leisure, as well as finance. 95 marketing
Normally, these are joint products which are nondestructive or nonsubtractive (knowledge, as the ancient seers suggested, increases through imparting). The cost of sharing these is nil. The owner of an artifact cannot prevent/limit its consumption without paying for it. The earlier equation that purchases equal consumption is no longer valid. The number of free riders routinely exceeds that of paying consumers by a factor of three. Further, consumers create their own combination of content. The most important fallout is that conventional pricing and transaction mechanisms largely tend to be inadequate. Economics of scale are determined by consumption and not by production capacity. There is a further problem regarding information. It is impossible to determine if it is worthwhile obtaining a given piece of information without having these details. Earlier, the pricing of intangibles was based on support. The price of a book was determined by printing quality and thickness. Content can now be disassociated and priced separately. In financial services, equity research is bundled into brokerage commission. The range of pricing is becoming broader and more complex. Further, depending on the supplier-consumer relationship, different pricing arrangements can exist. The Internet is really a fascinating laboratory for selling, sharing and giving away. These thus vary from metered charges, fixed assessed charges, or charges for ancillary services. On the supply side, the greatest importance is attached to brand management. Apart from brands, there are intellectual property patents and trademarks that are critical competitive weapons. Curiously enough, these do not appear on balance sheets. Reuters acknowledges that its balance sheet does not include such factors as its neutrality, software, intellectual property, global database and skilled workforce. Products even though successful could be replaced or could coexist with otherwise what may be called the ‘book store effect’. Reuters has 20,000 pages of data on financial services, 96 e-finance
though only four or five pages are used by most. Their value is determined from the total database. In the industrial economy, excess capacity leads to inefficiency and costs. In the intangible economy, it is widespread, functional and inexpensive. It is inexpensive because the key flows are information. Providing additional information flows is different from that of handling physical goods. The longterm trend is for an exponential progression mode and a dramatic fall in unit processing and transmission. The intangible economy undermines traditional frontiers and distinctions. Sectoral boundaries are crumbling—telecommunications, informatics and electronics are now overlapping. Time-honoured distinctions between work/pleasure, home/workplace, intermediate and financial goods are crumbling. Finally there is a momentous change in the relationship between suppliers and consumers. The end of information asymmetry has also come about because the customer now knows as much about the products as the supplier.
Integrating Marketing with Business Planning The traditional marketing approach largely derived its fundamentals from Professor Porter’s (1985) thesis. He argued that for organizations to succeed in a competitive landscape, their strategy must fit the overall organizational objectives. Human resources, IT and finance functions must support the organization’s strategy to reach the desired objective. Any functional strategies that are inconsistent with this would be doomed to failure. The thesis is far more relevant today than it was earlier. Banks and financial institutions must make a beginning by involving the marketing departments right from the corporate plans stage to its final execution. It would be difficult to conceive how they could otherwise meet customer expectations. ‘Marketing’ departments must be closely integrated with the total working of a financial institution. The old rule 97 marketing
of ‘make business responsible for marketing and marketing responsible for business’, is more relevant than ever before (see Figure 7.1). Institutional Objectives
Non-Controllable Environment
Financial Management
Marketing & Management Business Policy
Systems
Personnel
Figure 7.1: Marketing Plan in Corporate Plans
This would necessitate operational efficiency in the organization. A call centre operative who is not trained properly to handle queries, or an email, which is not answered in a given timeframe (maximum 4 hours), could mean the loss of a customer. Financial institutions cannot afford to forget that retaining a customer is far more expensive than acquiring a new one. The ultimate aim has to be customer retention and more cost-effective marketing. Instead of advertising to a broad segment of customers, many of whom would not find scattered sales pitches interesting, Financial institutions have to target specific customers who are deemed most likely to respond. Donald Boudreace, Vice Chairman, Chase Manhattan Corporation, is of the view that customization technology is dynamite that is going to work. Thus, excitement must be tempered with a strong dose of reality. It is true that a ‘market of one’ is now within reach. Financial institutions can engage in electronic dialogues with on-line customers and formulate offers. A quick credit check, alerting customers regarding changes in interest, or proposals to refinance when mortgage rates come down, are some of the ways in which a beginning 98 e-finance
could be made. These should not be left to marketing departments. In a ‘brick and click’ model, a very systematic approach has to be adopted.
Marketing Objectives This is an obvious starting point for marketing policy. A new critical dimension viz. the need for ‘retaining’ customers has already been discussed. Along with this, the other objectives are, of course, as relevant as before. Profitability, Providing high return on investment, Achieving certain market share/growth, Development of an image. To this list has to be added a new dimension—customization technology and information infrastructure backed up by marketing strategy behind it. The challenge lies in delivering a customized message; something distinctive and compelling to offer to individual customers. The ‘message’ and not the medium, would count henceforth. Customization has to be viewed broadly. It has to be viewed as one vital element in an overall customer value proposition and therefore, likely to meet with success. Obviously, such services have to be part of a package that includes other functionalities such as on-line alerts, easy access and personalization of web pages tailored to meet personal interests. These are some of the ways in which customization would be appreciated. Decisions regarding marketing are usually taken on an ad hoc basis, for example, the launch of a credit card at a musical evening organized by a financial institute. It is preferable that such events are part of an overall plan. Although this may be obvious to the marketing personnel of an organization, in the hierarchical structure prevailing in financial institutions, one finds that objective analysis gives 99 marketing
way to personal whims and fancies. In the cocoon of regulated environments, earlier banks did not have to work too hard. The pressure to stand out is now growing and the turf is likely to be constantly under attack. There is a marked shift in emphasis. It is now individualized service that will matter. Such initiatives are helped by enormously expensive data warehousing initiatives. Banks and financial institutions which have taken initiatives in building robust customer information systems, may not find it difficult to build on them with the help of new technology. For example, Amazon.com has successfully tracked the book-buying habits of its customers and then recommends other books that might be of interest to them. Financial institutions and others can and should offer products, which would appeal to a customer. Information collection has to be carried out on a continuous basis. Every click made by a customer either adds information or strengthens what is already available. A second or third visit might warrant a phone call and even a meeting with the customer. Allowing customers to organize their web pages could allow financial institutions to reach out to the customers in a more personalized way. The results will start showing when financial institutions use the medium’s interactivity, immediacy, and automation capabilities to add value to their customer relationships. On-line surveys provide immediate feedback, but might annoy customers if they bear too much resemblance to the despised Internet Spam. The key in most cases is to weave queries into ordinary interactions between customers and the institution, so that feedback can be obtained with a minimum of distraction. Customers do not want to be bothered; the, contact with them thus has to be better leveraged. Additionally, feedback is important when the matter is fresh in the customer’s mind. There is considerable scepticism with which these views are regarded. Nobody thinks that the Amazon.com model could ever serve a banker or broker. Thus, the idea of a bank 100 e-finance
suggesting a financial product by looking at a customer’s profile is scoffed at. Further, it is also pointed out that barely two per cent of web visitors can be converted into buyers— ‘despite the energy spent on simplifying navigation, accelerating the checkout, reducing initial buying risk and enhancing loyalty with incentives, many customers just briefly visit the site and leave. This sort of criticism only strengthens the belief that banks and financial institutions need to redouble their efforts and ensure top quality execution. The distinction between customers’ planning their purchases through basic ‘research’ and their being guided to do so, cannot be glossed over. There is no rush to offer new products as the customer is probably looking for a calculator or aggregated information regarding a product. It is necessary to now critically review the changing customer profile—skilled or otherwise. Consumers can switch their banks at the click of a mouse from the comfort of their homes. They will have access to aggregator websites, which facilitate a comparison of terms and conditions. Further, new players like telecom companies are waiting in the wings with product offerings. It would be tantamount to committing harakiri if they rely on customer inertia, rather than allowing loyalty to stem from product features and excellence of service. Here, it would be necessary to briefly make a detour and find out reasons for the customer resistance to making the change. The adoption of the Internet for on-line banking has been hampered by concerns over security and the speed of access. New users of the Internet have difficulty in navigating their way to the page that they want. Banks are not making any special efforts to attract customers to their Internet facility. There is a certain trade-off between the advantage of each system from the consumer’s point of view and the point of view of the financial institutions. Consumers are concerned with the speed of access, to its reliability, its perceived 101 marketing
security and user interface. These in a sense reflect the control customers have as managed networks and dial-up systems are what customers would prefer: Although suppliers are concerned with these issues, there is the additional problem of how to easily reach a large number of potential customers. The broadcast medium offers a mass marketing reach, while a managed network can afford only a limited reach. The only logical solution would be to use multiple solutions. Given below is a diagrammatic representation of the trade-off. Extensive
TV-based text
Internet
Managed Network
Private Dial-up Limited Low
High Customer Control Figure 7.2: Supplier Reach
Financial institutions will have to watch technological developments very carefully to see how the twin requirements of mass reach and security can be enmeshed. In the first case the low cost of operations is crucial while in the other case customers will have to pay a hefty price for having the luxury of human interface. The hybrid marketing that would have to be resorted to can be demotivating for high service/ high cost channels. The challenges before brick and click institutions emerging from the ‘costing’ of services are going 102 e-finance
to be a major strategic problem. The ‘marginal costs’ of Internet services are far too low to warrant comparison with similar services offered at the branches. Branch closures and staff retrenchment could help in reducing overall costs, but despite these measures, they will not reduce ‘transaction’ costs. The service charges currently levied appear to be arbitrary and at no time does the customer receive satisfactory explanations for the charges from the branch staff. The charges for an ATM transaction could be a few paise, while the same transaction at the branch premises could be several rupees. In one case customers would expect to receive benefits for the low cost of operations, while in the other, customers will have to pay a hefty price for having the luxury of human interface. The hybrid marketing that would have to be resorted to can be demotivating for high service/high cost channels. The need of the hour is for a channel for independent products and solutions. This would allow operations and systems complexity costs to be kept to a minimum. The same products can be offered through different channels, to target different segments. Their need in terms of guidance, advice and support could be substantial. Those who do not need such support ought to be persuaded to move to a low-cost channel. Future products will have to be distributed through multiple channels. It is necessary to stress once again, that lower transaction costs will result into cost savings if transactions can be migrated from higher cost services channels in such a way that it allows for cost reduction. Needless to say, the development setup and marketing costs must be under check. Rhetorical questions like, ‘Do ATMs make money?’, may win points in debates, but do not lend strength to the balance sheet. Since Internet users are not quite used to paying for the services availed, the question of service charges assumes considerable significance. Customers who use mobile phones, however, are in the habit of paying charges for the services required and used, thus there is hope that they will not grudge such charges. 103 marketing
Another important aspect that needs to be briefly discussed is that at the branch level, there is direct contact and interaction between the bank and the customer. But on the internet intermediaries between the financial institution and the customer are inevitable. Bank managements and the branch staff must realize that customers expect different things from electronic delivery of financial services. Customers want information, preferring to shop around to compare rates and obtain cheaper delivery. Banks want information on customer needs to increase their knowledge about relationships and increase their cross-sell ratios. The result could be a loss of proprietary delivery channels. Financial institutions and banks would soon have to develop intranets to shift information. They must see that corporate information stored individually is transferred to a central place. The scope for intermediaries to come between the bank and the customer is indeed a cause of concern. We have already seen how aggregator gains access to websites by using customers’ identification numbers. Some managers are confident that developing suitable alliances could solve the problem. If banks could form alliances with supermarkets and airlines, why could they not do so with others? There is also the possibility that the intermediaries may themselves begin to provide services which financial institutions are offering. One really needs to be on the look out and watch carefully as the new iceberg tips begin to emerge. For banks which are yet to start e-banking facilities, it is suggested that a very high commitment at top management level is necessary before a coherent on-line strategy can emerge. Following the ‘max-e–marketing in the Net Future’ the adoption of the seven max-e-imperatives as given below is suggested: Use what you know to drive what you do. Make everything you do add to what you know. The most significant asset is the behavioural information gained through 104 e-finance
interaction with customers. The line between success and failure would depend on what you know, how you are organized to use it and to add more of what you need to know. Erase the line between product and service. In the Net future, financial institutions need to create tightly linked ‘offerings’ without any separation. In a commoditized market place such offerings would differentiate your selling ideas. Make each relationship as different as each customer. The integration of sales, service and customer care applications from the e-business world with traditional CRM processes can make each customer relationship different. Do as little as possible yourself. Outsourcing of activities would be an important ingredient of success. Interactive processes should become the products—‘The process is the message’ Factor future value into every move. Make the brand experience exceed the brand perception. Direct interaction with the user becomes the prevailing way of doing business. Today’s brand experience will determine tomorrow’s ranking. What you do to, for and with the customer that exceeds the brand perception builds brand equity and the future value of the relationship. Make business responsible for marketing and marketing responsible for business. Marketing departments in financial institutions are all too familiar with the four Ps [product, price, promotion, and place]. No doubt these are basic considerations. To these can be added the other important elements, which are: Addressability—how does one identify such customers? Accountability—how easy is it to reach results? Affordability—how easy is it to interact with the customer? 105 marketing
Accessibility—are your customers ready, willing, and able to receive your message? Going in the reverse order, banks not only need to undertake surveys of customer needs but also undertake a massive programme for customer education. Second, unless decisions are backed by data and findings, it would be futile merely to launch products because others are doing it. Thus, unless your customers genuinely need it, it is not advisable to enter into e-financial services.
Managers Check List Bankers/financial institutions are not yet reconciled to the idea that customers no longer have the same loyalty as was expected in the past. This is because: Customers are more sophisticated and price conscious today. Further, they prefer to make more informed decisions and first compare the available products. Customer groups are changing because of longer life spans, and urbanization. A more consultative relationship is expected. Technically savvy customers now demand: • • • • • • •
Consistent and dependable performance, Professionalism, skills and standards of performance, Timeliness of service, Cordiality and honesty, Polite behaviour, Safety, security and confidentiality of staff, Effective and polite communication.
Thus, customers shifting from one financial institution to another could be due to the failure of any one of these factors listed above. 106 e-finance
Review of Strategies We now turn to marketing strategy evaluation. The results of any marketing plan must be reflected in the balance sheet and the profit and loss account. One need not wait till the information becomes available at the end of a year or in an unaudited form every quarter. Attainment of specific results is necessary to evaluate a given activity. There is a tendency to substitute sincerity of efforts as a substitute for results. However, sincerity cannot be an excuse for not achieving results. Some departments function under a mistaken notion that they are not amenable to objective evaluation or audit. It is essential to dispel such a notion and subject ‘marketing’ function to a critical scrutiny not merely from an audit trail creation and adherence point of view but also from the: Level of resources alloted. In the case of Net marketing, this could be a huge amount, for example, some British banks had to spend sums varying from £ 145 million to £ 200 million; and a further 25 million to create awareness, Tactics and strategies used, and Effectiveness and liaison with other departments. Under such circumstances, it would be futile to be under the notion that these departments deal with ‘intangibles’ that are not amenable to evaluation. At this stage, it is necessary to refer to current research on marketing architecture and its impact on ‘marketing’, briefly discussed earlier. Marketing executives and top managements must now ensure that they are attuned to perceive changes in these vital fields. Concepts such as ‘exchanges’, as pointed out earlier, are assuming altogether new dimensions and do not mean what they used to stand for. In fact, marketing and support departments will have to focus significantly on increasing the productivity of their departments. Companies, which have successfully implemented CRM solutions, do 107 marketing
report significant operational improvements, including revenue increases per person. Technology has to be leveraged to optimize sales.
Grievance Redressal In today’s systems, the redressal of simple complaints like an error in a statement, an unaccountable change in balance, regular installments or standing instructions being missed result in complicated messages, mails and irritating conversations. In times to come, call centres will try and sort it out. Before the customer presses the button, technology will allow agents to retrieve all records instantaneously in screen-pops instead of submitting written requests and waiting for weeks for all the documents to be assembled. Integrated data warehousing, telephony and workflow technology makes this possible in a new, wired world.
Market Turbulence Customers need a human touch whenever markets are turbulent. The multi-channel strategy advocated above would stand the financial institutions in good stead. In conclusion, it can be said that ‘e-CRM’ will enable the banks and financial institutions to go to the heart of their customers’ needs. These could help them nurture loyal relationships, understand which customers and channels offer the greatest revenue potential and cross-sell products more efficiently. Thus, they must ensure that relationships do not get completely depersonalized.
108 e-finance
eight
risk management Analysis of Risk
R
isk is the probability or likelihood of injury, damage, or loss in some specific environment and over some stated period of time. It involves two elements:
Probability, Loss Amount. The last few years have seen a great deal of turmoil in the financial markets, with a number of banks left with impaired portfolios. Thus, banks have virtually no choice but to pay attention to the various risks they are faced with. The risks arise on account of a number of factors. The policies pursued by the government, increased competition, reduced spreads, and a larger number of sophisticated clients. Figure 8.1 describes the various forces that have to be taken into consideration. It is clear that the task of risk management is a highly complex and demanding activity. The fact that risk management analysis could necessitate the review of hundreds of variables bears testimony to this. The risks normally considered could be described as credit, market, operational, legal, liquidity, etc. It is indeed a sad commentary on the banks’ working that the RBI had to issue specific guidelines for the development of systems, organizational set-up and techniques for risk evaluation. The circulars are extremely useful and would warrant a very careful study by the operat109 risk management
Government
Other Financial Institutions Lending Policy Investment Policy Dealing/Trade
Monetary Policy Fiscal Policy Industrial and Trade Policies
110 e-finance
Currencies Companies Products Locations
Domestic or Foreign Macroeconomics General Influence
Credit Risk
Exchange Risk
Other Corporations Business Policy Investment Policy Trade Policy Productivity Marketing Strategy
Internet Risk
Liquidity Risk Settlement Risk Country Risk Other Nonfinancial Risks
Figure 8.1: Analysis of Risk
ing managers. For the benefit of the readers a brief review in Appendix 8.1 of the risks present and the way technology can assist in the process are given. This chapter focuses on the additional risks faced by banks/ financial institutions using on-line channels. Banks, brokers, and financial institutions need to additionally deal with risks specific to the Internet. Traditional risk management programmes must be adapted to address new aspects of an electronic environment, including transaction speed, geographic reach, and user anonymity. One of the major problems is to integrate the newer techniques with legacy systems. It must also be stressed that risk management is an ongoing process of identifying, measuring, monitoring, and managing all significant operational, legal, and reputation risks. Following the Federal Deposit Insurance Corporation (FDIC) guidelines, we divide these areas into the following broad areas: General areas: planning, policies, and procedures. Distribution of duties, accountability and delegation of authorities, regulatory compliance and audits, etc. Transaction Processing: user authentication, information integrity, and non-repudiation of transactions and data confidentiality. Systems administration: resource requirements, system security, contingency planning, outsourcing policies, etc. The results of this process need to be integrated into: Strategic planning and feasibility analysis; Management supervision and control; Operating policies and procedures; System audit, administration, testing; Physical and transaction system security; Incident response and preparedness plans. These techniques are also applicable to traditional risk management methods. The risks peculiar to the electronic 111 risk management
systems must now be considered, because these areas are the ones which would be areas of concern for the regulators. Financial institutions should henceforth be evaluated in terms of their ‘risk management systems’. It is, no doubt, in the institution’s own interest to have systems which would safeguard its own and the interests of its customers.
Electronic System Risks Conceptually, these risks can be broadly classified into two groups. There are risks which could lead to disabling the system from functioning properly. The other group includes risks relating to data tampering and misuse. In the first category hacking can be included, which is done either to show off one’s technical abilities ‘ethical’ hackers in the age group of 15–18) or with malicious intent (carried out by ‘black’ hackers). The other area pertains to fraudulent data misuse in order to have access to sensitive information for some gain. It is worth noting that in 70 per cent of the cases it is the staff which is found to have been responsible for the mischief. Chapter eleven discusses network security in greater detail. Authors like Ankit Fadia or Barua and Dayal have explored these areas thoroughly, and both technical and non-technical readers would find these of great use. It must be pointed out, however, that there are bound to be technological advances and today’s methods could be quite outmoded tomorrow. Thieves try to remain two steps ahead of the authorities. A review of data protection techniques is discussed below. The material has largely been drawn from FDIC circulars and those issued by other regulatory bodies.
Preventive Measures Preventive measures include sound security policies, welldesigned system architecture and properly configured firewalls. Additionally, two additional measures viz. assessment tools and penetration analysis are discussed. Vulnerability assessment tools generally involve running scans on a system to proactively find out vulnerabilities, flaws 112 e-finance
and bugs in software and hardware. These tools can also detect holes allowing unauthorized access to a network, or insiders to misuse the system. Penetration analysis involves an independent party (internal or external) testing an institution’s information system security to identify (and possibly exploit) vulnerabilities in the system and surrounding processes. Using vulnerability assessment and performing regular penetration analyses will assist an institution in determining what security weaknesses exist in its information systems. Detection measures involve analyzing available information to determine if an information system has been compromised, misused, or accessed by unauthorized individuals. Detection measures may be enhanced by the use of intrusion detection systems (IDSs) that act as a burglar alarm, alerting the banker, service provider to potential external break-ins or internal misuse of the system(s) being monitored. Another key area involves preparing a response programme to handle suspected intrusions and system misuse once they are detected. Institutions should have an effective incident response programme outline in a security policy that prioritizes incidents, discusses appropriate responses to incidents and establishes reporting requirements. Before implementing some or all of these measures, an institution should perform an information security risk assessment. Depending on the risk assessment, certain risk assessment tools and practices discussed in this section may be appropriate. However, use of these measures should not result in decreased emphasis on information security or the need for human expertize.
Risk Assessment A thorough and proactive risk assessment is the first step in establishing a sound security programme. This is the ongoing process of evaluating threats and vulnerabilities and establishing an appropriate risk management programme to mitigate potential monetary losses and harm to an institution’s reputation. Threats have the potential to harm an institution, while vulnerabilities are weaknesses that can be exploited. 113 risk management
The extent of the information security programme should be commensurate with the degree of risk associated with the institution’s systems, networks, and information assets. For example, compared to an information-only website, institutions offering transactional Internet banking activities are exposed to greater risks. Further, real-time funds transfers generally pose greater risks than delayed or batch-processed transactions because the items are processed immediately. The extent to which an institution contracts with third-party vendors will also affect the nature of the risk assessment programme.
Performing the Risk Assessment and Determining Vulnerabilities Performing a sound risk assessment is critical to establishing an effective information security programme. The risk assessment provides a framework for establishing policy guidelines and identifying the risk assessment tools and practices that may be appropriate for an institution. Institutions must have a written information security policy, sound security policy guidelines, and well-designed system architecture, as well as provide for physical security, employee education and testing, as part of an effective programme. When institutions contract with third-party providers for information system services, they should have a sound oversight programme. At a minimum, the security-related clauses of a written contract should define the responsibilities of both parties with respect to data confidentiality, system security, and notification procedures in the event of data or system compromise. The institution needs to conduct a sufficient analysis of the provider’s security programme, including how the provider uses available risk assessment tools and practices. Institutions also should obtain copies of independent penetration tests run against the provider’s system. While assessing information security products, management should be aware that many products offer a combination 114 e-finance
of risk assessment features and can cover single or multiple operating systems. Several organizations provide independent assessments and certifications of the adequacy of computer security products (for example firewalls). While the underlying product may be certified, banks should realize that the manner in which the products are configured and ultimately used, is an integral part of the products’ effctiveness. In relying on the certification, banks should understand the certification process used by the organization certifying the security product. Other examples of items to consider in the risk assessment process include identifying mission-critical information systems and determining the effectiveness of current information security programmes. For example, a vulnerability might involve critical systems that are not reasonably isolated from the Internet and external access via a modem. Having up-to-date inventory listings of hardware and software, as well as system topologies, is important in this process. Assessing the importance and sensitivity of information and the likelihood of external break-ins (for example, by hackers) and insider misuse of information, is equally important. For example, if a large depositor list were made public, that disclosure could expose the bank to reputation risk and the potential loss of deposits. Further, the institution could be harmed if human resource data (like salaries and personnel files) were made public. The assessment should identify systems that allow the transfer of funds, other assets, or sensitive data/confidential information and review the appropriateness of access controls and other security policy settings. Assessing the risks posed by electronic connections with business partners has to be an integral part of such an exercise. The other entity may have poor access controls that could potentially lead to an indirect compromise of the bank’s system. Another example involves vendors that may be allowed to access the bank’s system without proper security safeguards, such as firewalls. This could result in open access to critical information that the vendor may have ‘no need to know’. Determining legal implications and contingent liability 115 risk management
concerns associated with any of the above is also necessary.For example, if hackers successfully access a bank’s system and use it subsequently to attack others, the bank may be liable for damages incurred by the party that is attacked.
Potential Threats Serious hackers, interested computer novices, dishonest vendors or competitors, disgruntled current or former employees, organized crime, or even agents of espionage, pose a potential threat to an institution’s computer security. The Internet provides a wealth of information to banks and hackers alike on known security flaws in hardware and software. Using almost any search engine, average Internet users can quickly find information describing how to break into various systems by exploiting known security flaws and software bugs. Hackers may also breach security by misusing vulnerability assessment tools to probe network systems, then exploiting any identified weaknesses to gain unauthorized access to a system. Internal misuse of information systems remains an ever-present security threat. Many breakins or insider misuses of information occur due to poor security programmes. Hackers often exploit well-known weaknesses and security defects in operating systems that have not been appropriately addressed by the institution. Inadequate maintenance and improper system design may also allow hackers to exploit a security system. New security risks arise from evolving attack methods or newly detected holes and bugs in existing software and hardware. Also, new risks may be introduced as systems are altered or upgraded, or through the improper set-up of available security-related tools. An institution needs to stay abreast of new security threats and vulnerabilities. It is equally important to keep abreast of the latest security patches and version upgrades that are available to fix security flaws and bugs. Information security and relevant vendor websites contain much of this information. Systems can be vulnerable to a variety of threats, 116 e-finance
including the misuse or theft of passwords. Hackers may use password cracking programmes to decode poorly selected passwords. The passwords may then be used to access other parts of the system. By monitoring network traffic, unauthorized users can easily steal unencrypted passwords. The theft of passwords is more difficult if they are encrypted. Employees or hackers may also attempt to compromise system administrator access (root access), tamper with critical files, read confidential email, or initiate unauthorized emails or transactions. Hackers may also use ‘social engineering’, a scheme using social techniques to obtain technical information required to access a system. A hacker may claim to be someone authorized to access the system, such as an employee or a certain vendor or contractor. The hacker may then attempt to get a real employee to reveal user names or passwords, or even create new computer accounts. Another threat involves the practice of ‘wardialing’, in which hackers use a programme that automatically dials telephone numbers and searches for modem lines that bypass network firewalls and other security measures. A few other common forms of system attack include denial of service (system failure), which is any action preventing a system from operating as intended. It may be the unauthorized destruction, modification, or delay of service. For example, in a ‘SYN Flood’ attack, a system can be flooded with requests to establish a connection, leaving the system with more open connections than it can support. Thus, legitimate users of the system being attacked are not allowed to connect until the open connections are closed or can time out. Internet Protocol (IP) spoofing allows an intruder via the Internet to effectively impersonate a local system’s IP address in an attempt to gain access to that system. If other local systems perform session authentication based on a connection’s IP address, those systems may misinterpret incoming connections from the intruder as originating from a local trusted host and not require a password. Trojan horses are programmes that contain additional (hidden) functions that usually allow malicious or unintended 117 risk management
activities. A Trojan horse programme generally performs unintended functions that may include replacing programmes, or collecting, falsifying, or destroying data. Trojan horses can be attached to emails and may create a ‘back door’ that allows unrestricted access to a system. The programmes may automatically exclude logging and other information that would allow the intruder to be traced. Viruses are computer programmes that may be embedded in other code and can self-replicate. Once active, they may take unwanted and unexpected actions that can result in either nondestructive or destructive outcomes in the host computer programmes. The virus programme may also move into multiple platforms, data files, or devices on a system and spread through multiple systems in a network. Virus programmes may be contained in an email attachment and become active when the attachment is opened. It is important for financial institutions to develop and implement appropriate information programmes. Whether systems are maintained in-house or by third-party vendors, appropriate security controls and risk management techniques must be employed. A security programme includes effective security policies and system architecture, which may be supported by the risk assessment tools and practices discussed earlier. Information security threats and vulnerabilities, as well as their countermeasures, will continue to evolve. As such, institutions should have a proactive risk assessment process that identifies emerging threats and vulnerabilities to information systems. A sound information security policy identifies prevention, detection, and response measures. Preventive measures may include regularly using vulnerability assessment tools and conducting periodic penetration analyses. Intrusion detection tools can be effective in detecting potential intrusions or system misuse. Institutions should also develop a response programme to effectively handle any information security breaches that may occur. 118 e-finance
appendix 8
technology for risk management
W
hile one constantly hears of computer crimes, security breaches and frauds perpetrated with the help of technology, this somewhat lopsided focus detracts from the positive use of technology for assisting the management in the extremely complex task of ‘risk management.’ Since a complete and accurate picture of the risk management technology would perhaps warrant a separate volume, this section is restricted to reviewing the technology that deals with identification and quantification of the risks that are normally associated with banking business. It would be necessary to add that today’s banks are part commercial banks (deposit takers, lenders) partly investment banks and partly market makers and traders. They might even offer portfolio management services. It would be readily appreciated that solutions for one group of activities may not exactly fit the other, though the risks may be similar. Risks can emerge from different sources within a banking institution. Given below are details regarding factors causing such risks. A prudent course for any financial institution would be to have some standards which are better than the minimum prescribed by the regulators/authorities: Exceeding minimum capital requirements, Maintaining/enhancing credit ratings, Maximizing shareholder value, Improving risk-adjusted returns on: • equity, 119 risk management
Environmentrelated
120 e-finance
Taxation Political Systemic Monetary Policy Macro economic influences
Businessrelated Capital Liquidity Technology Investment Policies
Organizationrelated
Operational
Trading Investments Underwriting Dealing
Systems Accounting Funding Leverage Exposures
Productrelated Modelling Hedging Cross market Concentration
Investmentrelated Market Price Volatility Yield curve Options
• capital, and • assets. Before we examine the part technology could play in the process; it would be useful to examine the relationship between key business risks and activities undertaken. Poor loan quality High funding costs Asset/liability mismatches Poor controls Frauds
Credit risk Interest risk Yield curve/cash-flow risks Operations risks Reputation risks
The term ‘technology’ refers to two distinct aspects: (a) The physical components of technology that are required for a risk management system; and (b) the software that drives the applications. While selecting the appropriate technology, it would also be useful to: Establish goals for the risk management system, Identify each operation’s needs, Survey available technology, Never trust a demo model, Take everything with a large pinch of salt. It would also be relevant to mention that a failure in one area (rising percentage of non-performing assets could lead to other risks also. It would be useful to remember that a hexagon gives a better representation of the way risks are interconnected.
Internet and other risks
Credit risks
Liquidity risks
Operational risks
Market risks
121 risk management
The software applications primarily dealt with here can be broadly described as:
Record-keeping Tools It is critical to have a record of the transactions that are effected by the bank and the resulting positions. Today’s systems are far more flexible than in the past and are able to capture even highly structured instruments and transactions that are not standardized. They can easily be linked to other systems, have more intuitive user interfaces and are accomplished with unbelievable speed. No doubt the greater emphasis is on analytical tools. However, the aspects regarding collecting and aggregating the transaction information and reporting them in a concise and timely manner must not be underestimated. A complete and firm-wide accurate assessment is possible if this task can be accomplished in a timely manner with speed and accuracy.
Analytical Tools It has been found that a number of models were built essentially for ‘investment risk’ management. We have tools for duration, convexity, sensitivity measures and sensitivity and horizon analysis. Basically these models answer questions such as, ‘If five things change what performance can we expect? What would happen to profits? What default rates can we expect?’ It is true that we now have the tools and technology to get most of the answers on a realtime basis. But practitioners must be warned not to accept the conclusions on blind faith. The complexity inherent to this science of finance impedes comprehensive understanding across the organization level. As Demosthenes pointed out: ‘There is one safeguard known generally to the wise, which is an advantage and security to all. What is it? DISTRUST.’ Question everything and learn how to learn. One could begin with questions regarding the assumptions. Test the assumptions for reasonableness. Understand the task to be undertaken and examine how the model achieves it. What is of concern is the danger that ‘models’ are accepted with the ‘halo’ effect associated with the creators, for example, Morgan Stanley and Credit Suisse. The names of other users are an equally significant factor in persuading the others to choose them. Risk management technology in its present form does not provide the 122 e-finance
protection that is desirable. The technology used to create new and exotic structures is advancing at a rapid rate due to the fact that creators and sellers have the resources to build the technology needed. Unfortunately, the users and owners do not match up to these requirements. At the same time, the technology failures which occur due to various reasons cannot be ignored. Thus it must be asserted here, that henceforth a major responsibility of boards of organizations and top management teams would be for designing a very prudent and carefree risk management approach. Discussions regarding technology would have to be a part of that wider goal. The regulators would evaluate the banks on the efficacy of their risk management programmes and should naturally be accorded a high priority in the management agenda. Given below is a brief list of the role of top management teams, which must ensure: Active senior management support and participation, Appreciation of IT’s criticality, That a corporate culture of teamwork prevails, That IT staff understands business, That IT staff is not reduced to second rate citizenship status, Adequate care in planning, Post-installation review and audit. Finally, it is important to ensure that there is no undue reliance on these tools. A blind acceptance and negation of ‘grey hair’ (experience-based gut feeling) could have serious consequences.
123 risk management
nine
insurance and e-banking
T
he earlier chapter discussed and examined some of the general tools for assessment and management of risks on the Internet. This chapter specifically considers insurance and banking industries’ attempts at controlling and managing these risks. In particular, two features are highlighted. These industry groups are usually reluctant to disclose any intrusions into their systems. This stems from fears about further attacks and about possible adverse publicity, which could lead to panic reactions amongst clients. The South-east Asian crisis and the Barings Bank debacle were perhaps the immediate causes for banks and supervisors to work together to evolve sound policies for this vital area of management for the financial services industry. It is indeed heartening that the problem is being analyzed globally and that most countries are not only examining these issues, but are also concerned with developing appropriate strategies suited to their conditions. A particularly encouraging feature is that whenever there are differences of views amongst central regulators, these are aired and even made available on their websites for comments. Further, the organizations which have framed these rules, do not claim that these are ‘model’ rules and that they need to be copied in toto.
BIS Recommendations We now begin with a summary of recommendations made by the BIS. These are part of the total set of recommendations 124 e-finance
for risk management and need to be viewed in that context. A bank or financial institute developing the e-trade channel must be equally careful about the total apparatus it has for the risk management function. E-banking must be a part of that scheme. Further, institutions like the Federal Deposit Insurance Corporation in the US also provide specific guidelines which organizations could take advantage of. The recommendations are summarized below. The BIS is quite right in asserting that fulfilling detailed risk management requirements must not be counter productive. Each bank’s risk profile is different and requires a tailored approach for risk mitigation, appropriate for the scale of ebanking operations, the materiality of risks present and the institute’s willingness and ability to manage the risks. However, this does imply that the one-size fits all approach to ebanking risk management may not be quite universally suitable. Broadly, the risk management efforts fall into three groups:
Management Oversight Effective management oversight of the risks associated with ebanking needs to be in place and risk management should be integrated with overall risk management. There must be explicit, informed and documented strategic decisions, covering specific accountabilities, policies and controls to address risks. Key aspects of the security control process must be covered.
Due Diligence This includes comprehensive due diligence and management oversight processes for outsourcing relations and third party dependencies.
Security Controls Authentication of e-banking customers, Non–repudiation and accountability for e-banking transactions, 125 insurance and e-banking
Appropriate measures for segregation of duties, Data integrity of e-banking transactions, records and information, Establishment of clear audit trails for e-banking transactions, Confidentiality of key banking transactions, Legal and reputational risk management principles, Appropriate disclosures for e-banking services, Privacy of customer information, Capacity and business continuity, Contingency planning to ensure availability of e-banking services, Indent response planning. Against the backdrop of information given above, the committee has developed certain key risk management principles. They are given below for easy reference. Management of outsourcing and third party dependencies, Segregation of duties, Proper authorization measures and controls, Clear audit trails, Authentication of all entities; counterparts and data, Non-repudiation of e-banking transactions, Comprehensive security, Integrity of banking transactions, records and information, Appropriate disclosure for e-banking services, Confidentiality and privacy of customer information, Business continuity and contingency planning, Incident response planning, Role of supervisors.
The Insurance Sector Some of the principles enunciated by the International Association of Insurance Supervisors are discussed in this section. Companies must be more conscious of strategic risks associated with an Internet strategy. These risks are critical and would 126 e-finance
be more so when new products designed for sale on the Internet reach the market. The new underwriting opportunities that are becoming available must be kept in mind. A critical aspect to be examined relates to the risks posed by e-commerce that are new or different in scale or impact from traditional business conducted through other distribution channels. Reputations are at stake as mistakes can multiply and spread rapidly.
Strategic Risks These risks arise when a company engaging in new business strategy, does not analyze the implications that decisions on e-commerce will have on other parts of the organization or the company as a whole. Without such a plan, the risk of mistakes occurring increases and the chances of the strategy succeeding decrease. The impact on the organization’s solvency should be the overarching consideration in the analysis. In addition, the company should keep in mind the following factors: The global nature and rapid development and growth of e-commerce will create pressure on its planning and implementation of on-line operations, in particular, product design and technological applications. The internet is an efficient way of doing business, but it is far from cost free. System costs and maintaining customer awareness of the website may involve significant advertising costs. Brand loyalty may evaporate in the face of competition. Customers could switch their business from one company to the other. There is a danger of some customers being neglected. There is an equal danger that research, product innovation, data security and even risk management may be neglected. The speed of processing may complicate management of information. The dangers of adverse selection could increase and there could be inadequate disclosure by the customers. 127 insurance and e-banking
It is the responsibility of the Board to choose strategies that reflect the company’s desired risk profile, functional capabilities and solvency. It must decide how its Internet strategy will influence the company’s philosophy, the way it conducts business and its financial situation. Without a well thought out strategy, the decision to engage in e-commerce may result in an unwarranted increase in risks at the operational level and an unproductive drain on resources.
Operational Risks These relate to risks that arise as a result of a failure or default in the IT infrastructure. There could even be deficiencies in the structure available. It may not: Have the capacity to handle increased traffic and process transaction or volume; Be scalable; Be accessible all the time due to a lack of fault tolerant technology; Be secure from internal and external disruption; Be accessible, compatible, or interoperable in every market; Have appropriate policies and controls in place for thirdparty vendors. Adequate scrutiny of the service provider’s operational viability, financial liquidity and project management skills is required.
Transaction Risks Transaction risks arise on account of an unauthorized alteration or modification to texts, information or data transmitted over the computer network between an insurer and the client or vice versa. In e-commerce, these risks arise mainly on account of technology. This risk also includes information which is hosted on the server or website of a ‘partner’ third party. 128 e-finance
Data Security Risks These risks arise due to losses, unintentional changes or leaks of information or data in computer systems. Incompatibility of the data systems or part of the data system, information leaks or information loss may be the cause for such risks. The external links could lead to data breaks. A customer’s personal data may be illegally accessed. These could complicate and in some cases, negate the company’s ability to authenticate information and data. Information concerning an insurance contract may be changed without authorization after the system has been broken into. Thus, a company’s reputation may suffer.
Connectivity Risks Failure in one part of the system may impact all or other parts of the system. If any part of the Internet’s operational system is damaged as a result of intentional or negligent actions, the company may fail to provide service to clients.
Conduct of Business Risks The laws and regulations are developed with the view that business will be conducted on a person to person basis, with proper documentation. E-commerce poses new issues with attendant risks, such as: Authenticating the identity of a customer; Verifying and maintaining the security of electronic documents and signatures; Notification of contract-related information to safeguard the interests of the client and the company; Format and presentations wherein disclosure and disclaimer requirements are met; Policyholders to be provided with a proof acceptable to regulators or other third parties; 129 insurance and e-banking
Acceptance of electronic payments in lieu of cheques, drafts or cash; and Meeting record retention requirements. Supervisors apprehend that a host of legal issues, including the status of the insurer, the applicable laws, location of the company and therefore, by whom and how it would be supervised, would sooner or later arise. They are also afraid that the clients may not be aware of all the risks involved and when and if a problem arises, it may be too late for an appropriate solution to be found.
Alternate Systems of Trading The SEBI has specifically indicated the use of appropriate technology for risk management. Given below is a summary of their major conclusions: Exchanges must ensure that brokers have a system-based control on the trading limits of clients, and their exposures. There must be predefined limits on the exposure and turnover of each client; The systems should be such that client risks can be immediately assessed and that the client can be informed within a reasonable time frame; The reports on margin requirements, payment and delivery, should be made known to the client through the system; Contract notes must be issued within 24 hrs, or as per existing rules; No cross trades to be undertaken; The other rules applicable to brokers would, no doubt, continue to operate; Authenticity of documents through digital signature, electronic Certification, etc., must be made; The security measures as shown below are mandatory for all Internet-based trading systems: 130 e-finance
User ID, first-level passwords, automatic expiry of passwords and reinitializing access on entering fresh passwords; All transaction logs with proper audit trails and facilities to be maintained; Suitable firewalls between trading set-up connected to the exchange system and the Internet trading system; Secured socket-level security for server access through the Internet. The SEBI has gone a step further and recommended the following: (a) Microprocessor-based smart cards; (b) dynamic passwords; (c) 64bit/128 bit encryption; and finally (d) second level passwords. Standards for interface between the brokers and their clients have also been prescribed. The rules also give detailed instructions to brokers to use the same logic or priorities used by exchanges to treat client orders. Brokers are also supposed to maintain all activities/alert logs with audit trail facility. A unique numbering system, which is internally generated is also mandatory. There is a considerable overlap of the risk management suggestions for various sectors. Many suggestions by insurance regulators therefore would be equally applicable to banking/broking. Many of the requirements can be taken care of by technology. This book refrains from going into these in greater detail as management would have to take these decisions themselves depending on their specific requirements. Further, the developments are so fast that the suggestions could be outmoded before they are made. While some of the aspects on security are covered in chapter eight, the details on computer crimes in the next chapter drive home the message for greater attention to risk management.
131 insurance and e-banking
ten
cyber crimes
I
f cyberspace is a type of community, a giant neighbourhood made up of networked computer users around the world, then it seems natural that many elements of a traditional society can be found taking shape as bits and bytes. With electronic commerce come electronic merchants, plugged in educators and doctors treating patients on line, and also cyber criminals.
Types of Crimes As an unregulated medley of corporations, individuals, governments and educational institutions that have agreed to use a standard set of communication protocols, the Internet is wide open to exploitation. There are no ‘regulators’ and this lack of law enforcement leaves net users to regulate each other according to the reigning norms of the moment. Community standards in cyberspace are vastly different from the standards found at the corner of a main street. Cyberspace is a virtual tourist spot where faceless, nameless criminals can operate. The critical issues we face can be divided into two broad categories: (a) denial of service attacks; and (b) where the computer is the target of attack. The intent therefore, is to cause damage to the system (hacking, cracking, malicious code viruses) or (c) computer network attacks, which include: Computer network break-ins, Industrial espionage, 132 e-finance
Software piracy, E-mail bombing, Password sniffers, Spoofing. Details about the various techniques used for hacking or for spreading viruses are not provided here.
Computer Crimes Computer crimes account for losses of more than $ 1 billion annually. What then are computer crimes and why do they occur? What are the methods used? More than 50 per cent of over a 100 million computers are networked. One can imagine the magnitude of the challenges of preventing infiltration into computer systems and those to computer security and intellectual property. Computer criminals comprise co-workers, insiders, disgruntled employees, competitors, crackers and hackers. Their attacks range from unauthorized access by employees to break-ins by intruders. Before proceeding further, it might be useful to give a brief description of these terms: Hackers Crackers Stealers
use illegal methods to access a computer programme to extract information and benefit from it beg, borrow, steal passwords, etc.
Around 242 of Fortune 500 Companies reported that the average loss per incident was US $ 4,50,000. One in four US companies is a victim of computer crime, with losses ranging from $ 1 billion to $ 15 billion. Apart from hacking/cracking, some of these criminals have even stolen the hardware itself. Computer crimes include sabotage, revenge, vandalism, theft, eavesdropping, ‘data diddling’, credit card frauds, counterfeiting, bank embezzlement and the theft of secret documents. Introducing ‘worms’ or viruses are other forms of computer crimes. Information attacks on the military, 133 cyber crimes
central banks, electricity companies and software, are also of serious concern.
Why do they Happen? The perceived anonymity and the huge financial gains appear to be the main reasons why these crimes occur. Other reasons are: Research and development expenses for a competitor who steals the information, is nil and would allow the competitor to overtake in technology. Network administrators’ laxity. The failure to monitor security programmes allows ‘hackers’ access and crimes thus often go undetected. Disgruntled employees or those whose services are terminated, could create a security breach. Social engineering is used to build up a friendship with employees and gain access to information. Cryptographic keys can be configured by timing the computers. Firewalls and system probing. ‘Cracker’ programmes to identify passwords are used to try every word in the dictionary as a password. Network files used to share files between systems are exploited through well-known vulnerabilities. ‘Sniffing’ allows all traffic on a network to be sniffed to collect authorized passwords. A new method of virus infection are word documents that are embedded with viruses sent via email. There is no way to see that a document is ‘infected’ until it is opened. Unfortunately, estimated or actual losses represent only a very small portion of the losses incurred because most of the time these are not even known. The BIS in its report on ‘Risks management for electronic banking’, presents a list of various risks associated with 134 e-finance
banking activities. Given in Table 10.1 below is a list of the criminal activities compiled from this report. Table 10.1: Cyber Crimes and their Effect Criminal Act Unauthorized system access
Employee frauds
Counterfeiting of electronic money
Possible Manifestation
Potential Effect
Hackers entry to internal systems, confidential information intercepted, corruption of data, systems crash. Alteration of data in order to draw funds from general bank accounts, theft of smart cards. Criminals alter or duplicate electronic money to obtain goods or funds.
Loss of data, theft of information, costs of repairing. Perceived insecurity of bank systems. Reimbursing customer losses, reconstruction of accurate data, legal or regulatory sanctions. Liability for falsified money. Replacing costs associated with a compromised system. Possible loss of funds or legal expenses to prove that transaction was authorized. Customers may discontinue use of the product or service, affected customers may leave and others follow. Legal sanctions for non-compliance.
Repudiation of a transaction
Transaction completed but customer denies that transaction took place. Significant breach Introduction of virus. of security Illegal entry by a hacker.
Money laundering Misuse by criminals to engage in money laundering.
The history computers is developments developments
of social control over the unauthorized use of spread just over 30 years and follows the in computer technology. There are four major that have been identified: 135 cyber crimes
Batch Computing of the 1960s; Distributed computing during the 1970s; Network personal computing; and Global information sharing and use. A peculiar feature of these crimes is that there is a hidden criminality, a small probability of detection and a high reluctance to report them.
Problems of Enforcement India is, in fact, one of the few countries that have codified these rules. However, they are of such recent origin that hardly any case law is available, although two very significant steps have been taken. The first is the passing of the Information Technology Act 2000. It lays down specific penalties for specific criminal acts. Section 45 of the Act prescribes penalty for damage to computers, the computer system, or the computer network of Rs 10 million. Section 65 levies a penalty of three years imprisonment/and fines up to Rs 200,000 or both, for tampering with the system. Sections 67–74 prescribe penalties for various crimes ranging from publishing obscene information to false digital signature certification. The difficulty of covering these crimes under various sections of the penal code, or fitting them into similar types of criminal acts is obviated. Further specific sections have been modified suitably so that digital evidence is admissible. The chapter on Cyber Laws contains these details to facilitate easy reference. The first difficulty is in proving these crimes. The second difficulty arises due to a certain amount of ignorance in trial courts about the technology involved and its implications for submission of evidence. The UNICTRAL (United Nations Commission on International Trade Law Model Law) on electronic commerce has the following to say on admissibility and evidential weight of data messages: Information in the form of a data message shall be given due evidential weight. In assessing the evidential weight of a data 136 e-finance
message, regard shall be had to the reliability of the manner in which the data message has been generated, stored or communicated, the integrity in which it was maintained, to the manner in which its originator was identified and to any other relevant facts.
The bankers’ Books Evidence Act, 1891, was amended in 2002 for acceptance of digital evidence for which the following requirements have to be complied with. A printout of the entry or a copy of a the printout shall be accompanied by the following: A certificate to the effect that it is a printout of such entry. A certificate by a person in-charge of the computer system containing a brief description of the computer system and the particulars of: • The safeguards adopted by the system to ensure that data is entered or an authorized person performs any other operation. • Safeguards adopted to prevent and detect unauthorized change of data. • Safeguards available to retrieve data that is lost due to systemic failure or any other reason. • The manner in which data is transferred from the system to removable media like floppies, discs or tapes or other electro-magnetic data storage devices. • Mode of verification in order to ensure that data has been accurately transferred to such removable media. • Mode of identification of data storage devices. • Arrangement and custody of such storage devices. It would be extremely difficult to obtain such certificates and to identity the officers responsible for cross examinations, etc. The following example illustrate this point: An American bank obtained unauthorized access to the confidential information contained in the website of a bank in the UK. The UK bank confirmed the details and telephoned the CEO of the US 137 cyber crimes
bank. The CEO laughed and is reported to have replied as under: ‘We are doing you guys a favour by giving people access to your website’. When the bank asked its lawyers to review the case, some startling conclusions emerged: (a) Since the UK bank was not complying with UK financial services and personal data protection laws, it might be the subject of compliance orders and fines; (b) alerting the national authority against an overseas hacker was not of much use; (c) The burden of proof in a criminal case in the US requires that a jury be persuaded beyond reasonable doubt that the defendant has committed an offence and securing the proof for such an act would be a formidable task; and (d) the bank had to assess and gather evidence as to who owned the Intellectual Property Rights (IPRs) in the website. This would include the authors of its initial design because they would own it unless the agreement with the bank stated that the bank was to be the owner. If they were acting as employees of the bank, the bank would own it. If however, they were acting as independent contractors, then each author would own whatever he or she had created. A number of similar cases in the US can be referred to, where cybercrimes and the subsequent treatment of these ‘criminals’ are not regarded very seriously. The situation is so complicated that institutions cannot be blamed for leaving matters untouched. The solution would be for laws to be tailored to suit the requirements that are now emerging. However, it is yet to be seen whether the law will ever catch up with the rapid changes in technology. Commercial law is notoriously slow to catch up with the business malpractices.
138 e-finance
eleven
network security Losses Due to Breaches
S
ecurity companies all over the world are locked in a race with malicious hackers to see who can react fastest to the news of a new vulnerability. Increasingly, even these vandals are becoming more sophisticated. It is worth noting that net attacks are growing at the rate of 64 per cent per year. The year 2002 saw an enormous increase in such attacks. Every week, companies were attacked almost 32 times compared to 25 times per week in 2001. As if this was not enough, security companies hear of about 400–500 new viruses every month and 250 vulnerabilities of computer programmes. In fact, the losses suffered by these organizations are huge. The Computer Security Institute and the US Federal Bureau of Investigation (FBI) computer crime and security survey shows that financial institutions are being continuously targeted and are not experiencing the scattergun approach. The survey also shows that more than 90 per cent of websites were attacked, 18 per cent suffered unauthorized access/abuse of their systems and 60 per cent had their sites vandalized. A further 80 per cent suffered transaction thefts. The financial losses could well be in excess of $ 265 million. Of those surveyed, 16 per cent did not even know that they had a problem. Many employees who are familiar with the latest technologies can easily bypass office systems, effectively opening the back doors to the organization. 139 network security
A list of the most frequently attacked companies has the power sector, energy and financial institutions as its major constituents. There is, unfortunately, a tendency on the part of financial institutions to push such attacks or break-ins under the carpet and to prevent any adverse publicity. While the need for not causing undue panic is appreciated, customers remain vaguely uneasy about such matters. At the cost of repetition, it is maintained that customer anxiety on this point is a major stumbling block in the spread of e-banking. Banks and financial institutions must indicate exactly how they propose tackling these problems and bringing them to the notice of their clients.
Types of Security Failures The Internet economy is built on information. In this economy, time is money and information is valuable. The value of efinance is defined, in part, by technology’s ability to move information and to affect markets quickly. The underlying assumption is that moving information is reliable. Reliability is based, in part, on constructing a system and a process that keeps the percentage of repudiated transactions to a minimum. In order to construct such a system, transactions must be appropriately authenticated, verified and authorized. A precursor to this is access controls. Access controls enable a dumb operating system to know whether an individual attempting to enter the system has been granted access. Authentication is the means used to assure the system that the party attempting to engage in an activity is, in fact, the party so designated. Verification is the means used to confirm that the party claiming a certain identity is the right party. Finally, authorization is the means used to determine that the party engaging in a transaction has the requisite authority to access that portion of the system or to engage in that type of activity. The value of information is based on its reliability and its integrity—whether the party was authorized to access or engage, whether the identity was authenticated, whether 140 e-finance
there is a risk of nonrepudiation, whether there are any process restrictions for the particular transaction (specifically, whether the rules engine has any access controls) and whether there are any relationship constraints (specifically, whether privacy or confidentiality is protected). The process restriction is an internal risk and the relationship constraint is a potential legal liability. However, the value of any information is directly related to the extent to which the information meets these criteria versus the extent to which it needs to meet this criterion. So on a scale of 1–10, if the information should be a 10 but the system can only ‘assure’ a rating of five, it has lost at least 50 per cent of its value. Thus, security is a valueadded proposition and is a major business consideration. Customer interaction with financial institutions is migrating from in person, paper transactions to remote access and transaction initiation. This migration increases the risks of doing business with unauthorized or incorrectly identified parties that could result in financial loss or reputational damage to the institution. Secure electronic service delivery is a key to providing consumers with improved, more flexible and convenient access to financial services, and to enhancing the efficiency of banking operations. One of the challenges in implementing secure electronic service delivery is building the appropriate nonrepudiation mechanisms into the banking platform. Reliable customer authentication is imperative for financial institutions engaging in any form of electronic banking or commerce. The risks of doing business with unauthorized or incorrectly identified individuals in an e-banking environment could result in financial loss and reputational damage through fraud, corruption of data, unenforceable agreements and the disclosure of confidential information. In a world where people increasingly do business with virtual parties they have never met and will likely never meet, authentication becomes as integral to the transaction as the exchange of goods and tender. Yet, authentication is the Achilles’ heel of electronic finance. In fact, most computer intrusions are perpetuated as a result of insufficient access 141 network security
controls and weak authentication mechanisms. For example, in 1995, Citibank found itself in an ironic position: its technology was not as powerful as that of a group of hackers. Citibank’s main weakness was the use of ‘fixed passwords’ to guard its computerized cash management system. There is widespread concern, especially among those in the law enforcement community, that the financial sector is not keeping up with the security side of technological change. For example, overall industry-wide use of passwords is outdated. In fact, a 1999 General Accounting Office (GAO) report highlighted the reality of outdated access controls; it found access controls to be at the forefront of security weaknesses. Beyond the norm of gates and guards that were often inadequate, failures of logical controls—those access controls built into software—were pervasive. In the information age, there are hundreds of websites devoted to password cracking and/or interception. The most common programme used for password generation is Brute Force. This widely available application generates all alphanumeric combinations until the password is deciphered.
Control Devices There are two issues here: access and authentication. Access allows those who should be able to get onto the system access for the purpose for which they are authorized. Authentication is assuring the system that the person trying to gain access or engage in a certain activity is, in fact, the person he or she claims to be and that the person is authorized to engage in the act. Used together and diligently, these processes are the most cost-effective security devices available. Financial institutions can use a variety of access and authentication tools and methodologies to authenticate customers. Existing access control techniques and authentication methodologies involve three basic factors: Something the user knows [e.g., password or Personal Identification Number (PIN)]. 142 e-finance
Something the user possesses (e.g., ATM card, smart card, or token). Something the user is (e.g., biometric characteristic, such as fingerprint or retinal pattern). An effective access and authentication programme should be implemented across the organizational structure, including affiliate entities, which requires the appropriate use of controls and authentication tools. Authentication processes should also maximize interoperability and offer consistency with the financial institution’s assessment of the e-finance system risks. Before it goes on-line, the financial institution should examine its business processes, undergo a data classification inventory as part of its risk management analysis, and configure its rules engines and access controls to support the data classifications.
Access Control Using Password and PIN The entry of a username or an ID and a secret string of characters such as a password or a PIN is the most common and vulnerable of all single-factor authentication techniques. The effectiveness of password security depends on three characteristics: length and composition, secrecy, and system controls. Even with these precautions, the inherent weaknesses of passwords are technology and time. As a result of increased processor speeds, patient hackers can acquire an encrypted password file or session. A programme named L0ftCrack is a random character generation programme that, when used with a 1.8 gig processor, can run one million keyboard combinations per second. The computer will execute L0ftCrack in logical progression, thus making it a matter of time before that terminal is compromised. Note that hackers with criminal intent are patient. It may take months to set-up an attack, but it takes seconds to execute a successful intrusion on a bank. Passwords can be compromised and thus provide no real level of nonrepudiation. 143 network security
Access Control Using Tokens and Smart Cards A token is an authentication method that makes use of something the user possesses. Typically, a token is a twofactor authentication process, complemented by a password or a biometric as the other factor. The device itself may authenticate static passwords or biometric identifiers used to authenticate the user locally. This process avoids the transmission of shared secrets over an open network. Most so called ‘smart cards’ are nothing more than a credit card-sized device containing a microchip. The sophistication of the chips varies, but most commercially available implementations are far from being secure. In considering the threat posed by criminals, it is not enough to deter the casual criminal through the inconvenience of basic security. New measures must be able to withstand the continuous and repeated efforts of a determined and well-funded adversary. Standard smart cards usually contain account numbers, encryption keys and often additional stored information (such as biometric profiles), which can be extracted from the card and duplicated or altered. In so doing, the determined adversary can then present cloned or altered data smart cards as genuine, defeating the security and gaining access to critical infrastructure. CyonicTM technology is a core authentication system with a wide variety of applications. It is based on the use of massproducible microchips that can be deployed in a variety of convenient consumer products. Each chip behaves uniquely in response to random or pseudo-random challenges. The system is fundamentally an authentication technology. The primary security advantage of Cyonic™ technology is that no system level information is contained on the microchip. Thus, even a determined adversary, upon destructive analysis of the chip, will gain no insight into the system level functions that authenticate system users. This prevents any adversary from achieving successful account cloning, regardless of the adversary’s technical or financial resources. 144 e-finance
Biometric authentication techniques can grant or deny access to networks by automatically verifying the identity of people through their distinctive physical or behavioural traits. A biometric identifier represents a physical characteristic of the user. The identifier is created from sources such as the user’s face or hand geometry, voice, iris (or retina), or fingerprint. Once ‘captured’, a biometric is translated algorithmically into a complex string of numbers and stored in a database as a template. Later, this template is compared to any ‘live’ biometric presented as proof of identity. Introducing a biometric method of authentication requires physical contact with each customer to initially capture and validate the biometric information. This corresponds to the ‘know thy customer’ mantra of the Financial Action Task Force principles. Biometrics are the future of access controls. Biometric devices fulfill the nonrepudiation element of layered security by authenticating a user by his or her physical characteristics. Implementing biometric technologies virtually guarantees a system administrator that the person who initiated the communication or system access was who he or she should have been. The greatest obstacle that biometric technology faces lies in the acceptance of the public. Many people fear the ramifications of storing personal information in a vast database. Visions of the books 1984 and Gattaca spring to mind as those who fear centralized governance reject these methods of authentication. The e-financial world must evolve past our fears of ‘big brother’, in order to face the security challenges that will face all ‘virtual’ industries in the years to come. Authentication is the gargantuan cyber-loophole that is exploited more often than not in order to gain access to others’ computer systems.
Malicious Attacks Worms, Trojans (from the Trojan horse) and viruses are vehicles for deploying an attack. A virus is a programme that can replicate itself by infecting other programmes on the same 145 network security
system with copies of itself. Trojans do not replicate or attach themselves to other files. Instead, they are malicious programmes that are hidden within another programme or file. Once the Trojan file is executed, it can perform malicious activity at will. Virus scanners are critical in the mitigation of these attacks. Virus scanners should be updated every night. Beginning with an institution’s email gateway, every inbound attachment should be scanned for viruses. File servers should be set to active scanning mode, where they scan every file copied onto them. Desktop scanners that protect the user’s PC should also be updated. Data should be tested against standard loads if updates catch anything. Worms, which are a relatively new phenomenon, use existing security vulnerabilities to gain access to the device. Worms replicate themselves into other systems via a network connection. Typically, viruses and worms become malicious only when the infected files are accessed or deployed. Most of the time, these vulnerabilities can be eliminated by simply applying patches. The irony here is that someone who is not keeping up-to-date with patches most likely is not keeping upto-date with virus software either. This human ‘systems’ failure can have catastrophic implications for an institution’s e-financial network.
Data Transmission Reliability Cryptography and cryptographic tools sound complex and mysterious. The details of how these tools are constructed and work are intricate, laced both with mathematics and with provable and unprovable properties. The security of some tools can be based firmly upon some intractably difficult mathematical problem. The security of other tools cannot be proven formally, but is trusted as a result of the inability of experts to find and demonstrate any weaknesses in the tools over the years. However, what cryptographic tools do and how they are used are very easy to understand. There are only six basic types of cryptographic tools. They are: 146 e-finance
1. 2. 3. 4. 5. 6.
Symmetric (secret) Key Encryption. Asymmetric (public/private) Key Encryption. One Way Hash Functions. Message Authentication Codes. Digital Signatures. Random Number Generators.
By careful use of these cryptographic tools one seeks to design systems that can provide system security in the face of any of the attacks defined in an associated threat model.
Asymmetric Key Encryption For asymmetric key encryption, the key used to encrypt data is a different key from that used to decrypt data. Unlike symmetric key encryption, which uses the same secret key both for encryption and decryption, asymmetric key encryption uses two different keys. Why is this important? It is important because only one of the keys needs to be kept private (or secret). The other key can be made public. It is for this reason that asymmetric key encryption popularly is called ‘public/private’ key encryption. Asymmetric ciphers greatly facilitate problems of key distribution. One can appreciate the power of having two keys by considering how items are ordered over the Internet, such as books from Amazon.com. The ordering process used by such websites uses a protocol called Scare Socket Layer (SSL), to assure that a secure session is established between the customer’s computer and the website. An SSL session begins with a ‘handshake’ protocol. The customer’s computer sends a greeting to the Amazon web server, and web server’s reply includes a certificate containing an Amazon public key. The customer’s computer checks that the certificate is valid and then uses Amazon’s public key to encrypt data that both the user’s computer and the web server will use to construct a symmetric key for the session. Only the Amazon web server has the private key needed to construct the symmetric session 147 network security
key. After some further checking, the session continues using the symmetric key to encrypt/decrypt messages. The order information—credit card number, shipping address, giftwrapping, greeting message, and items ordered—then can be sent confidentially to Amazon. The most widely used asymmetric cipher is called ‘RSA’, an acronym composed of the first letters of the last names of its inventors: Ron Rivest, Adi Shamir and Leonard Adleman, who first published their work in the summer of 1977. Patent protection for the algorithm expired in September 2000 and it is now in the public domain. RSA operates upon very large integers modulo the product of two secret prime numbers. RSA public and private keys each are pairs of such large integers. For good security today, 1,024 to 2,048 bit integers are used, although some applications continue to use 512 bit integers. The cryptographic strength of RSA derives from the difficulty in finding the two secret primes given only their product. Due to the relative strengths and weaknesses of symmetric and asymmetric cryptography, a common practice is to use asymmetric key cryptography for key distribution and symmetric key cryptography for the bulk of the transferred data. This is what is done within the SSL protocol—asymmetric cryptography is used to establish a newly created symmetric key, which then is used for the data transfers within the SSL session.
Use of Random Numbers Random numbers are employed throughout cryptographic algorithms and protocols. They are used for keys, challenge values, pre-hashing appendages for passwords, etc. Hardware devices based upon some form of physical randomness are also beginning to appear. The problem with such hardware devices, of course, is testing them to ascertain that they are operating correctly. Solely computational means for generating truly random numbers do not exist. A favourite quote of John Von 148 e-finance
Neumann’s, cited by Bruce Schneier, is ‘Anyone who considers arithmetic methods of producing random digits is, of course, in a state of sin’. Fortunately, computational means do exist for computing numbers that are sufficiently unpredictable that they can be used in lieu of truly random numbers. Such numbers are called ‘Pseudo-Random Numbers’ (PRNs). Some of the pseudo-random number generation methods employ values obtained by physical measurements of random events in a computer system, such as typing rates, arbitrary mouse motions and arrival times of I/O (an authentication software) interrupts. Others are based upon symmetric cryptography or the difficulty of hard mathematical problems such as the factoring problem. Pseudo-random number generators (PRNGs) that produce sufficiently unpredictable values are called ‘Cryptographically Strong Pseudo Random-Number Generators’ (CSPRNGs). It is not easy for banks and financial institutions to safeguard their networks because new vulnerabilities are discovered daily, and their fixes/patches must be diligently applied to all systems. New connections to the Internet, modems, and virtual private networks (VPNs) create a multitude of new access points to a network whose risk is defined by its weakest link. Penetration testing entails obtaining knowledge of existing vulnerabilities of a computer system or network, and using that knowledge to attempt to gain access to resources on the computer or network while bypassing normal authentication barriers. It may also include exploiting vulnerabilities to gain increased authorization—for instance, to go from regular user to super-user. Penetration testing is good only on the day it was done (this is true for all security testing). Penetration testing is an excellent way of testing installed security measures, policies and procedures, and the effectiveness of a company’s end-user security training programmes. First, a company will be able to tell if security measures such as firewall and Intrusion Detection System (IDS) are functioning properly and what skill level is required to circumvent them. Second, a company will gain insight into whether established policies and procedures 149 network security
allow its staff to detect and react to an intrusion properly; and third, a company can determine if additional training is required for its end-users. Penetration testing should be performed at least annually, and more often if the system is subject to frequent application or operating system updates. Once a penetration test has been performed, ongoing vulnerability assessment should be performed to address newly discovered exploits. The frequency of the vulnerability assessment should be determined on the level of risk an organization is willing to accept. Given the speed at which new vulnerabilities and exploits are discovered, a vulnerability assessment should be performed semiannually and in many cases quarterly, no matter what level of risk one is willing to accept. So far, the causes and steps the organization can take as damage control have been outlined. The next section points out the most frequent lapses which occur and which are within the category, of ‘controllable’ items from an organizations’ perspective.
Managerial Checklists Top 20 Red Flags 1. 2. 3. 4. 5. 6. 7.
8. 9.
Lack of training and expertize of administrators. No time for or interest in reviewing log files. No time for or interest in hardening machines. Deployment of new technology without security peer review. Failure to install software patches that fix security flaws. Lack of strict requirements to use strong passwords. Removal of security mechanisms because they cause user inconvenience. Restoration of systems from backups and failure to reload any patches that were previously installed. Failure to remove administrative-level accounts that were added temporarily for service personnel. Failure to install or use available security mechanisms such as password policy enforcement or system event logging. 150 e-finance
10. Lack of daily audit of network logs for suspicious activity. 11. Setting up computer systems using the software defaults. These default settings are designed to get the system up and running with the least interference and are often very insecure. 12. Failure to perform routine backups of systems and then test those backups for viability. 13. Failure to properly install and update virus protection software. 14. Sharing administrative accounts and passwords over multiple systems. 15. Primary reliance on a firewall or public key infrastructure (PKI) system for security. 16. Use of Simple Network Management Protocol (SNMP), telenet, file transfer protocol (ftp), mail, rpc, rservices, or other unencrypted protocols for managing systems. 17. Assignment of passwords to users over the telephone. 18. Failure to educate users about security problems and what to do when they see a potential problem. 19. Poorly written and implemented policies and procedures. 20. Improper documentation. The following are some of the best practices prevalent in industry.
Best Practices 1. Network administrators should be responsible for installing and verifying patches and updates to operating systems weekly. 2. On-site trained security staff should be present 24/7. 3. Employees should be required to use robust passwords (long in l ength, mix of letters, numbers, and symbols), which should be changed monthly. 4. Computer monitors should not be visible to anyone who is not an employee of the institution. 5. Network administrators should implement a profile procedure to process employees, transferring to an151 network security
6. 7. 8.
9.
10. 11. 12.
13.
14. 15.
other office in the bank, termination of employees, and changes to an employee’s level of access within the bank’s systems. Those who are responsible for large value transfers should utilize biometric identifiers as their password. Backups should be maintained of all critical material that is stored in a different location. An incident response capability and a plan that ensures continuity of operations and recovery from security breaches should be in place. Strong authentication—preferably a combination of biometrics, smart cards, and cryptography—should be exercised for large value transfers. Firewalls and intrusion detection systems should be installed. Penetration testing/auditing should be performed on all of the institution’s systems. A login banner should be displayed stating that the system is only for authorized use and is subject to monitoring. Patches must be updated weekly to both servers and remote access machines. See http://www.microsoft.com/ technet/security/current.asp Critical operations should have two-person controls. A security policy should be developed that mandates training for non-IT staff vis-a-vis an incident response plan that prohibits instant messaging, voice- over IP, and wireless local area network (WLAN) installation without appropriate authorization and securitization.
Incident Response The ability to react quickly to security incidents is an essential part of an overall security plan. An organization’s ability to operate will depend on its ability to provide timely information to its clients in the form of electronic data. It is also essential to categorize information. Information from critical systems will certainly receive a more direct and focussed 152 e-finance
response than, for example, electronic information stored for office supplies. An organization needs the ability to react to and recover from security incidents as they arise with an effective and coordinated response, which in turn will minimize the cost and damage to the organization’s infrastructure and to its image within the banking industry. A security incident can be defined as an event that changes the security posture of an organization, or circumvents security polices developed to prevent financial loss and the destruction, theft, or loss of proprietary information. It is characterized by unusual activity that causes the organization to investigate because the activity cannot be explained through normal operations. Some possible classifications for security incidents are: Virus attacks (unable to clean, rename, or delete); Denial of service attacks; IDS alert notifications (false positives possible); Automated scanning tools. Banking organizations must share in the responsibility of coordinating their response efforts with those of other financial institutions. Networking in a trusted environment and sharing incident information and detection/response techniques can be important to all of these organizations in identifying and correcting weaknesses. Gathering intelligence information from all sources is a critical part of information infrastructure protection. Having an informationsharing network in place can also help government agencies alert other agencies to potential and/or actual threats directed at the critical information infrastructure of nations. Incident response within any organization must begin with management. Management is responsible for providing the support, tools, personnel, and financial backing needed to ensure the success of the incident response team. An incident response team must be perceived well by all concerned. Security awareness training and briefings for senior management are key components of a successful deployment of an incident response team. 153 network security
Monitoring systems and reviewing security alert information submitted by vendors is an important part of an incident response team’s proactive duty. IDS systems, however, do not provide a complete solution to identifying and responding to incidents. An overall security plan is needed to ensure overall protection that would include an incident response mechanism. An incident response team must also develop procedures. Clear definitions of each type of incident will enable members to react quickly and effectively. Procedures must detail the steps team members should take when alerted to an incident. Included within the procedures must be clearly defined investigative goals to be achieved before an incident can be closed. The team should also list and post contact information of key personnel and management to notify.
Survivable System Development Survivability analysis or business continuity helps to identify the essential functions or assets in the institution that must survive in the event of an attack or system failure. The delivery of essential services and the preservation of essential assets during a compromise, and the timely recovery of full services and assets following attack are among these functions. The organizational integration phenomenon that typifies the modern banking community is accompanied by elevated risks of intrusion and compromise. It is essential to determine what elements in the institution’s IT infrastructure are absolutely mission-critical—that is, what elements must be up and running within a certain time in order for business to continue. From this point onward, one must envisage various compromises to the system so that contingency plans are in effect to cover all potential threats. The following sources on survivability will assist network architects in determining the impact of certain accepted risks. The Carnegie Mellon Software Engineering Institute Network Systems Survivability Programme uses incident data collected by the CERT (http://www.cert.org/nav/ 154 e-finance
index_purple.html) as a basis for the institute’s survivability research and for trend identification and the prediction of future problems. The European Dependability Initiative (http://www.cordis.lu/ esprit/src/stdepnd.htm) represents a major research effort within the European Union to address the critical infrastructure protection and survivability efforts of the member nations. There are plans for joint US/EU cooperation. The National Infrastructure Protection Center (NIPC) is the US government’s focal point for threat assessment, warning, investigations, and response to attacks (http://www.nipc.gov).
E-security in the Case of Wireless Networks Wireless networks are available in three basic formats: highpowered microwave systems used by telephone companies for long-haul, line-of-sight communications; Code Division Multiple Access/Time Division Multiple Access/Global System for Mobile Communication (CDMA/TDMA/GSM) cellular and PCS networks used for wireless phones and PDAs; and wireless LANs using the 802.11b protocol. While all of these are common throughout the world, they all suffer from the same basic security flaw. They use radio frequency (RF) technology to transmit their information. The result can be compromising for their transmissions. Wireless networks (WLANs) have seen explosive growth in their deployment. With cost savings at an all-time high and with the simplicity of installation, WLANs have been deployed rapidly. Wireless networks were supposed to do what traditional Ethernet LANs do without cables. Convenience for the customer is paramount in the proliferation of wireless. Wireless technology is built around the 802.11b IEEE standard in the US and the GSM standard in Europe. The next section discusses the security issues raised by both of these forms of cellular technology and provides a glimpse into the future of third generation wireless (3G). 155 network security
Managers LaptopThe Big Problem Wireless LANs make use of the IEEE 802.11b technology, which is a system that transmits and receives in the 2.4GHz range and is capable of a maximum network capacity of 11Mbps. WLANs implement the Wireless Equivalent Protocol (WEP), which was designed to offer the same security features as a physical wire: confidentiality, access control, and data integrity. 2001’s Black Hat Briefing made public that hackers have a multitude of ways in which they can crack, interject, or modify WEP messages on a wireless network. There is a particular problem with devices using the 802.11 wireless network standard. The encryption can easily be broken, and once broken it can provide easy access to corporate networks for anyone listening in. Furthermore, if a wireless gateway is located on the corporate Ethernet network, that network will broadcast all the data passing through it over the airwaves. If someone cracks the encryption, that person can intercept everything. But the immediate points of vulnerability are the mobile devices themselves, including notebooks, which tend to be poorly protected and which often contain sensitive but unencrypted data. The danger to financial and corporate networks is very real. When designing a wireless network, one should keep in mind a number of important security concerns. These are the six basic categories of wireless network security risks: 1. Insertion attacks—The intruder attempts to insert traffic into your network, typically through an unsecured mobile access point. 2. Jamming—This is a DoS (denial of service) attack, where the attacker tries to flood the radio frequency spectrum of your wireless network by broadcasting packets at the same frequency as your network. 3. Encryption attacks—The IEEE 802.11b wireless network standard uses a WEP encryption method. This standard uses weak encryption and initialization vectors and has been cracked successfully many times. 156 e-finance
4. Traffic interception and monitoring (war driving)—Wireless packets using the 802.11b standard have an approximate transmission distance of 300 feet. This means that anyone with the proper standard equipment can receive that signal if he or she is in transmission range. Equipment to extend that range further is easily available, so the area of interception can be quite large and hard to secure properly. 5. Mobile node to mobile node—Most mobile nodes (laptops, PDAs) are able to communicate directly with each other if file-sharing or other Transport Control Protocol/ Internet Protocol (TCP/IP) services are running. This means that any mobile node can transfer a malicious file or programme rapidly throughout your network. 6. Configuration issues—Any wireless device, service, or application that is not correctly configured before installation and use can leave an entire network at risk. Most wireless devices and applications are preconfigured to accept any request for services or access. This means any passing mobile client can request and receive telnet sessions or ftp.
War Driving Industrial espionage and white-collar crime have reached new heights with the advance of new technologies. War dialing, the hacking practice of phoning up every extension of a corporate phone network until the number associated with the firm’s modem bank is hit upon, has been replaced by war driving. War driving involves motoring between targeted financial institutions and corporate headquarters with a laptop fitted with a WLAN card and trying to record network traffic (sniffing). According to Dave Thomas, the Chief Investigator of the FBI Computer Crimes Division, war driving is a widespread phenomenon that jeopardizes the security of all institutions and corporations that implement WLANs. 157 network security
When testing and deploying WLANs, a network administrator may find that the institution’s laptops can only connect to the access points within a certain distance and may therefore assume that the signals do not travel beyond this point. This is a flawed assumption. In fact, these signals may travel for several thousand meters if there is nothing in the way to deflect or interrupt the signal. The reason for this misconception is that the small antennas in the laptops cannot detect the weaker signals. But if external antennas are used, the range can be vastly extended. The wireless segment is usually omnidirectional, so a potential adversary need not gain physical access to the segment to sniff (or record) the packet traffic. As a result, WLANs are susceptible to message interception, alteration, and jamming. These considerations raise the issue of how to secure wireless networks better. This will be as critical as securing fixed-line Internet systems in the emerging markets, as highlighted above. Each of these security breaches and associated risks can be minimized or negated with the proper use of security policy and practices, network design, and system security applications, and with the correct configuration of security controls.
The European Cellular Standard: GSM In 1982, the Conference of European Posts and Telegraphs (CEPT) formed a study group called the Groupe Spécial Mobile (GSM) to study and develop a pan-European public land mobile system. Today, GSM is the world’s most widely deployed and fastest growing digital cellular standard. GSM subscribers worldwide number nearly 600 million, more than two-thirds of the world’s digital mobile population. The numbers are increasing by four new users per second. GSM covers every continent, being the technology of choice for 400 operators in more than 170 countries. However, this is only the beginning of the wireless revolution. The industry predicts more than 1.4 billion GSM customers by the end of 2005. GSM phones have a small smart card inside them that holds 158 e-finance
the identity of the cell phone. This small smart card is called a Subscriber Identification Module (SIM). The SIM must keep the identity inside secret and uses cryptography to protect it.
GSM Vulnerabilities SIM Card Vulnerability In both European and American GSM systems, the network access method is the same. Removable smart cards in the phone (SIM cards) are used to store phone numbers, account information, and additional software such as wireless web browsers. The data on the cards is encrypted, but the COMP128 algorithm that protects the information on the card has been compromised, making these cards susceptible to duplication. War driving is not a substantial issue for cellular subscribers using GSM. Regardless of frequency, cellular signals can easily be jammed. There is a widely known method for recovering the key for an encrypted GSM conversation in less than a second, using a PC with 128 MB of RAM and 73 GB of hard drive space. The security of GSM phone technology is limited. It is possible to clone GSM SIM cards. The hack attack is possible because critical algorithms are flawed, making it possible to dump the contents of the SIM cards and then emulate them using a PC. This latest problem could render GSM phone conversations totally insecure. For a bank, there are other issues. For example, a remote teller machine could be tricked into communicating with a fake mobile tower because it cannot reach a real one. This would allow the perpetrator to remotely control the transmissions of funds via the teller machine. Thus, a modified GSM cell phone and laptop can act as a base station. All that is necessary is to make a few software and hardware modifications to the phone and to be within closer range than the actual tower. The mobile phone must authenticate itself to the base station, but the station does not have to authenticate to the phone at all. 159 network security
The SMS Vulnerability GSM offers Short Message Services (SMS). SMS is used in GSM systems for many reasons, such as voicemail notification, updating the subscriber’s SIM, sending short text messages, and communicating with email gateways. Although these services are convenient, they pose an additional risk to the security of the network. There is freely available software that can spoof SMS messages, send SMS bombs to both handsets and SMS gateways (used to communicate between devices both on and off the network), and corrupt SMS packets that can crash the software on most handsets. The GPRS Vulnerability: General Packet Radio Service (GPRS) is an IP packet-based service that allows an always-on connection to the Internet. The main problem with this is that it still relies on SMS for Wireless Application Protocol (WAP) push requests. A spoofed (cloned) SMS packet can be sent to the phone requesting a redirected site and fooling users into entering their information into a fake site that they believe is a secure order form. Many GPRS-enabled phones also support Bluetooth, IBM’s wireless programming language. Each Bluetooth device has a unique address, allowing users to have some trust in the person at the other end of the transmission. Once this ID is associated with a person, by tracking the unscrambled address sent with each message it is possible to trace individuals and easily log their activities. For Bluetooth devices to communicate, an initialization process uses a PIN for authentication. While some devices will allow you to punch in an ID number, you can also store a PIN in the device’s memory or on a hard disk. This is highly problematic if the physical security of the device cannot be guaranteed. Also, most PINs use four digits and half the time they are ‘0000’.
WAP Weaknesses The common flaw in any of these devices, no matter what network, is the Wireless Application Protocol standard, which 160 e-finance
also includes Wireless Markup Language (WML) and Handheld Device Markup Language (HDML). For the sake of convenience, developers try to require the least amount of keystrokes when entering in credit card numbers or personal or account information. This means that most of this information is still stored on a server, but the password to access that server is stored in a cookie on the handheld device, requiring only a PIN or sometimes nothing at all to shop on-line or transfer funds. This means that the actual mechanism used to transport sensitive information end-to-end in these untrusted public cellular networks, is left to Wireless Transport Layer Security (WTLS).Unless 128-bit SSL for mobile commerce or IPSEC for Enterprise access is being used, which most handsets cannot support because they lack processing power and bandwidth, there will be a weak link somewhere in the network that can be exploited. Even then, this only pushes the weakness out to the end devices that are communicating, and it can be easily lost. GSM uses the Wired Application Protocol and also the Wireless Transport Layer Security. This is equal to SSL, but it has weaker encryption algorithms. WTLS is not compatible with SSL, which is the industry standard.Wireless messages travel through a ‘gateway’ that channels them to a wired network for retransmission to their ultimate destination. At the gateway, the WTLS message is converted to SSL. For a few seconds, the message is unencrypted inside the gateway, which in turn makes the communication vulnerable to interception.
Security Solutions for GSM The inherent problems affecting GSM are not easily corrected. The telephones and PDAs that use GSM technology typically cannot upload protective firmware and software. Users are at the mercy of the telephone developer. Whereas GSM is not vulnerable to war driving like its American counterpart, 802.11, it is suffering from several core vulnerabilities. The 802.11 standard is geared to computers, not handhelds, and 161 network security
thus security can be improved much more drastically for 802.11 than for the GSM protocol. Virtual private networks are the common thread between the two. The establishment of VPNs is commonly referred to as the solution for the existing vulnerabilities of GSM and 802.11. However, when it comes to proper layered security, there are no magic bullets. To protect information systems that may use any of these technologies, users should deploy virtual private network technology at each and every trusted gateway into their networks and ensure that every user accessing the trusted network uses Virtual Private Network (VPN) technology. A VPN network is essentially a private connection between two machines that sends private data traffic over a shared or public network, the Internet. VPN technology lets an organization securely extend its network services over the Internet to remote users, branch offices, and partner companies. In other words, VPNs turn the Internet into a simulated private wide area network (WAN). VPNs allow remote workers to access their companies’ servers.
Sound Practices for Managing Outsourced E-banking Systems and Services 1. E-finance organizations should adopt appropriate processes for evaluating decisions to outsource e-finance systems or services. Bank management should clearly identify the strategic purposes, benefits and costs associated with entering into outsourcing arrangements for e-banking with third parties. The decision to outsource a key e-finance function or service should be consistent with the organization’s business strategies, be based on a clearly defined business need, and should recognize the specific risks that outsourcing entails. 162 e-finance
All affected areas of the bank need to understand how the service provider(s) will support the organization’s e-finance strategy and fit into its operating structure. 2. E-finance companies should conduct appropriate risk analysis and due diligence prior to selecting an efinance service provider and at appropriate intervals thereafter. Organizations should consider developing processes for soliciting proposals from several e-finance service providers and criteria for choosing among the various proposals. Once a potential service provider has been identified, the bank should conduct an appropriate due diligence review, including a risk analysis of the service provider’s financial strength, reputation, risk management policies and controls, and ability to fulfill its obligations. Thereafter, banks should regularly monitor and, as appropriate, conduct due diligence reviews of the ability of the service provider to fulfill its service and associated risk management obligations throughout the duration of the contract. Banks need to ensure that adequate resources are committed to overseeing outsourcing arrangements supporting e-banking. Responsibilities for overseeing e-finance outsourcing arrangements should be clearly assigned. An appropriate exit strategy for the organization to manage risks should a need to terminate the outsourcing relationship arise. 3. Organizations should adopt appropriate procedures for ensuring the adequacy of contracts governing efinance. Contracts governing outsourced e-finance activities should address, for example, the following: 163 network security
The contractual liabilities of the respective parties as well as responsibilities for making decisions, including any sub-contracting of material services are clearly defined. Responsibilities for providing information to and receiving information from the service provider are clearly defined. Information from the service provider should be timely and comprehensive enough to allow the organization to adequately assess service levels and risks. Materiality thresholds and procedures to be used to notify the bank of service disruptions, security breaches and other events that pose a material risk to the bank should be spelt out. Provisions that specifically address insurance coverage, the ownership of the data stored on the service provider’s servers or databases, and the right of the organization to recover its data upon expiration or termination of the contract should be clearly defined. Performance expectations, under both normal and contingency circumstances, are defined. Adequate means and guarantees, for instance through audit clauses, are defined to insure that the service provider complies with the bank’s policies. Provisions are in place for timely and orderly intervention and rectification in the event of substandard performance by the service provider. For cross-border outsourcing arrangements, determining which country laws and regulations, including those relating to privacy and other customer protections, are applicable. The right of the organization to conduct independent reviews and/or audits of security, internal controls and business continuity and contingency plans is explicitly defined. 4. Organizations should ensure that periodic independent internal and/or external audits are conducted of 164 e-finance
outsourced operations to at least the same scope required if such operations were conducted in-house. For outsourced relationships involving critical or technologically complex e-banking services/applications, organizations may need to arrange for other periodic reviews to be performed by independent third parties with sufficient technical expertize. 5. Organizations should develop appropriate contingency plans for outsourced e-finance activities. E-finance companies need to develop and periodically test their contingency plans for all critical e-banking systems and services that have been outsourced to third parties. Contingency plans should address credible worstcase scenarios for providing continuity of e-banking services in the event of a disruption affecting outsourced operations. Companies should have an identified team that is responsible for managing recovery and assessing the financial impact of a disruption in outsourced ebanking services. 6. Companies that provide e-finance services to third parties should ensure that their operations, responsibilities, and liabilities are sufficiently clear so that serviced institutions can adequately carry out their own effective due diligence reviews and ongoing oversight of the relationship. E-finance companies have a responsibility to provide serviced institutions with information necessary to identify, control and monitor any risks associated with the e-banking service arrangement.
165 network security
There are many issues and alternatives associated with the best implementation method. It is hoped that over a period of time, a dominant industry-wide standard will appear. At the same time, even the most straightforward solutions available need to be monitored and maintained and patched on a regular basis to be effective. Ultimately, organizations need to look at their own risk management issues and decide what level of vulnerability they can afford. It must be kept in mind that damage levels are rising to a point where security concern cannot be taken lightly.
166 e-finance
twelve
cyber law in e-commerce and e-finance The Incidence of Cyber Law
T
he fundamentals of e-commerce and finance rests mainly on the legality of e-contracts entered into between two or more parties. The rules and regulations are embodied in the Indian Contract Act, the Evidence Act, the Civil Procedure Code, the Criminal Procedure Code, the RBI Act 1934, the Bankers’ Book of Evidence Act, etc. However, all these embody rules regarding manual operations, and paperbased documents. Generally, commercial practice moves a few paces ahead of the statutes and it takes time for the laws to catch up. The same is true in a large measure about e-finance and ecommerce. The whole gamut of activities is yet to take deep root in the socio-commercial policy, and with rapid technological advances being the order of the day, the lags are bound to be prevalent. The incidence of cyber law pervades a number of areas, but the following five aspects are highlighted: 1. 2. 3. 4. 5.
The The The The The
Contract aspect, Intellectual Property aspect, Security aspect, Evidence aspect, Criminal aspect. 167 cyber law in e-commerce and e-finance
In a sense ‘cyber law’ encompasses the whole gamut of legal statutory provisions that affect computers and computer networks. It concerns individuals, corporate bodies and institutions which: Are instrumental for entry into cyber space, Provide access to cyber space, Create the hardware and software which enable people to access cyber space, Use their own computers to go on-line. Potential litigants include telephone provider companies, regulatory agencies, personal computer companies, software companies, Internet service providers, academic bodies and firms that have a presence on the Internet. The law as it exists now is in a formative stage. There are no precedents, pronounced judgements and case laws. A series of issues may be postulated, which need resolution. The endeavour is to provide a broad conceptual framework in terms of which the diverse aspects can be appreciated. A useful step in this direction was the passing of the Model Law prepared by UNCITRAL. This Commission was mandated to develop and to further the progressive harmonization and unification of the law of international trade. The Model Law was approved by the Commission at its twenty-ninth session, after taking into account the observations of governments and interested organizations. Various states are expected to give favourable consideration to the Model Law when they enact or revise their laws in view of the need for uniformity of the law applicable to alternatives to paper-based communication. The ‘Model Law’ is divided into two parts, one dealing with e-commerce in general and the other analyses specific areas.
Parity with Digital Documents The Functional Equivalent Approach The Model Law is based on a recognition that legal requirements prescribing the use of paper-based documentation 168 e-finance
constitute the main obstacle to the development of modern means of communication. The attempt was to overcome the impediments to electronic commerce by way of an extension of the scope of such notions as ‘writing’, ‘signature’ and ‘original’ with a view to encompassing computer-based techniques. Such an approach was used in a number of existing legal instruments, for example, in Article 7 of Model Law on Commercial Arbitration, or in the United Nations Commission for Contracts for International Sale of Goods. It was also necessary to provide for developments in technology and communications applicable to trade laws without necessitating the wholesale removal of paper-based requirements or disturbing the underlying concepts. The Model Law relies on an approach referred to as the ‘functional equivalent’ approach, which is based on an analysis of the purposes and functions of the traditional paper with a view to determining how these purposes or functions could be fulfilled through electronic techniques. Paper documents can be read, copied, preserved and would remain unaltered over time. An electronic recorder can perform all these functions with a greater degree of reliability. The Model Law does not attempt to define a ‘computer based’ equivalent to a paper document. Instead, it singles out basic functions of paperbased form requirements with a view to providing criteria, which once they are met, enable the data-based messages to enjoy the same level of legal recognition as paper documents performing the same functions. The purpose in outlining the equivalence was to clarify what the Act was attempting, rather than be exhaustive. The Information Technology Act 2000 is similar to the Model Law and the preamble acknowledges this fact. An act to provide legal recognition for transactions carried out by means of electronic communication, commonly referred to as electronic commerce which involve the use of alternatives to paper based methods of communication and storage of in formation, to facilitate electronic filing of documents with the 169 cyber law in e-commerce and e-finance
Government Agencies and further to amend the Indian Penal Code, 1860, the Indian Evidence Act 1872, the Bankers’ Book of Evidence Act 1891 and the RBI Act of 1934.
The Act was passed to give effect to the resolutions of the United Nations General Assembly and to promote efficient delivery of government services by means of reliable electronic records.
Contract Aspect The ‘offer’ and ‘acceptance of an offer’ may be expressed by means of electronic records. As between the ‘originator’ and the ‘addressee’ of an electronic record, the expression/declaration of an intention or other statement shall not be denied legal effect, validity or enforceability, solely on the ground that it is in the form of an electronic record. The concept of an ‘Originator and Addressee’, ‘Acknowledgement of Receipt’ and concepts of ‘Time and Place of Despatch and Receipt’ are dealt with in a genuinely different way and need to be highlighted. 1. Unless otherwise agreed to between the originator and the addressee the dispatch of an electronic record occurs when it enters an information system outside the control of an originator. 2. Save or otherwise agreed between the originator and the addressee, the time of receipt of an electronic record shall be determined as follows: If the addressee has designated a computer source for the purpose of receiving electronic records: (a) receipt occurs when the electronic record enters the designated computer resource; and (b) if the record is sent to a computer resource of the addressee that is not the designated computer resource, receipt occurs at the time when the electronic record is retrieved by the addressee. 170 e-finance
The above is not a complete reproduction of section 13 of the Information Technology Act. It has been included merely to stress the difficulties encountered in bringing about a functional equality.
Intellectual Property Aspect The Information Technology Act 2000, does not contain provisions relating to electronic copyrights or the protection of phonogram procedures against unauthorized duplication of their phonograms. Similarly, the question of copyrights for software programmes have not been dealt with in the this Act. India is yet to legalize the functioning of on-line digital department stores, digital book stores, and digital record and video shops. Once these are incorporated in the Indian IPR legislation, performers and makers of phonograms, software producers would have the benefit of: Legal remedy against misuse of copyright, both direct and indirect in any manner or forms. Right of the owner of the copyright to make available to the public programmes/performance stored in electronic media, by interactive on-demand, on-line delivery methods. Commerce on the Internet involves the sale and licensing of intellectual property. To promote an effective environment, sellers must know that their intellectual property will not be pirated, and buyers must know that they are buying authentic products and not pirated copies. The issues that are likely to come up would include: Liability of on-line service providers. Fair uses of copyright material. Effective patent systems. Standards for determining valid claims. Litigation due to trademarks. Similarity of Internet domain names. 171 cyber law in e-commerce and e-finance
Security Aspect Chapter eleven on ‘Network Security’ has discussed remedial measures like encryption. The aspects relating to digital signatures are examined here in detail. A digital signature is a message encrypted with a private key to certify the contents. The process of encryption is called a ‘digital signature’. The future is increasingly pointing to the use of digital documents and digital signatures. The growth of e-commerce and the US E-Signature Act, 2001, have brought to the fore a new set of technology-related issues. An e-signature provides for the validity of ‘electronic signatures’ on documents such as cheques, loan applications and contracts. Digital signatures perform three different functions: Data Integrity—a signature would indicate tampering with data. Data Authentication—it becomes possible to digitally verify the names of the person who signed the message. Non-repudiation—after a message is signed and sent, one cannot claim that he/she did not sign the original message—one cannot repudiate one’s signature. Digital signature technology is the electronic equivalent of an actual signature on a physical document. These are areas that many banks would need to explore. Owing to the initial and running costs, it is unlikely that banks will opt to develop their own digital signatures and would have perforce to depend on outsourcing or purchasing this capability for their existing infrastructure. A number of vendors are thus likely to emerge. Unfortunately, such vendors might market proprietary solutions that may not be compatible with the bank’s other systems. Inter-operability now and in the future should be a primary consideration. The Gartner Group estimates that 30–40 per cent of public key infrastructure deployments will fail 172 e-finance
within two years of launching because they fail to demonstrate value. The trust placed in banks may lead to their setting up in the near future, certification (CA) organizations using digital signatures that are unverifiable or information systems that have no technical support. Banks/financial institutions must perform a thorough due diligence on any vendor marketing a digital signature solution. It needs to be emphasized that implementing the use of digital signatures requires adopting a new or augmented set of technologies, services and bank policies. Implementing digital signatures means implementing digital documents and associated requirements for document management, storage, access security, periodic hardware upgrades and disaster recovery facilities. Implementing digital signatures also leads to maintaining digital records and servicing digital documents. The use of digital documents implies reasonable access being given to customers. Further, if remote access is to be provided, a secure information area will also have to be provided. A whole set of new issues come up when a bank decides to become a CA. Its primary role would be to issue and verify digital certificates. There are also some complex liability issues. Additionally, hardware and software will become obsolete. The bank must upgrade and replace older equipment. The nature of ‘secondary’ documents would raise question about their admissibility. In any proceedings involving a secure electronic record, it shall be presumed, unless evidence to the contrary is adduced, that the secured document is not altered since the specific point of time from which the record gained secure status. The fact if a secure procedure is commercially reasonable or not shall be determined having regard to the procedure and the commercial circumstances at the time the procedure is used. 173 cyber law in e-commerce and e-finance
Evidence Aspect According to Articles 6, 7 and 8 of UNCITRAL Model Law, information shall not be denied legal effects validity or enforceability solely on the grounds that it is in the form of a data message. Where the law requires information in writing, the requirement should be met by a data message if the information contained therein is accessible so as to be usable at a later date.
Problems of Acceptance in Courts Article 9 of the Model Law provides the following regarding admissibility of evidence: In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to deny the admissibility of an electronic data message OR (b) if it is the best evidence that the person adducing it could be expected to obtain on the grounds that it is not in its original form i.e., information in the form of a data message shall be given due evidential weight.
Of course, the reliability of the manner in which the message was generated, stored or communicated, and the reliability of the manner in which its originator was identified, are the kind of factors that would be taken into account. Given below are specific provisions contained in the IT Act 2000 relating to these aspects.
The Indian IT Act, 2000 Schedule II Information Technology Act, 2000 31 Schedule II (Section 91) Amendments to the Indian Evidence Act, 1872 1. In Section 3, (a) in the definition of “Evidence”, for the words “all documents produced for the inspection of the Court”, the words “all documents including electronic records produced for the inspection of the Court” shall be substituted; 174 e-finance
(b) after the definition of “India”, the following shall be inserted, namely, “the expressions “Certifying Authority”, “digital signature”, “Digital Signature Certificate”, “electronic form”, “electronic records”, “information”, “secure electronic record”, “secure digital signature” and “subscriber” shall have the meanings respectively assigned to them in the Information Technology Act, 1999.” 2. In Section 17, for the words “oral or documentary”, the words “oral or documentary or contained in electronic form” shall be substituted. 3. After Section 22, the following section shall be inserted, namely: “22A. When oral admission as to contents of electronic records are relevant. Oral admissions as to the contents of electronic records are not relevant, unless the genuineness of the electronic record produced is in question.” 4. In Section 34, for the words “entries in the books of account”, the words “Entries in the books of account, including those maintained in an electronic form” shall be substituted. 5. In Section 35, for the word “record”, in both the places where it occurs, the words “record or an electronic record” shall be substituted. 6. For Section 39, the following section shall be substituted, namely: “39. What evidence to be given when statement forms part of a conversation, document, electronic record, book or series of letters or papers. When any statement of which evidence is given forms part of a longer statement, or of a conversation or part of an isolated document, or is contained in a document which forms part of a book, or is contained in part of electronic record or of a connected series of letters of papers, evidence shall be given of so much and no more of the statement, conversation, document, electronic record, book or series of letters or papers as the Court considers necessary in that particular case to the full understanding of the nature and 175 cyber law in e-commerce and e-finance
effect of the statement, and of the circumstances under which it was made.” 7. After Section 47, the following section shall be inserted, namely: “47A. Opinions as to digital signature when relevant. When the court has to form an opinion as to the digital signature of any person, the opinion of the Certifying Authority which has issued the Digital Signature Certificate is a relevant fact.” 8. In Section 59, for the words “contents of documents” the words “contents of documents or electronic records” shall be substituted. 9. After Section 65, the following sections shall be inserted, namely: “65A. Special provisions as to evidence relating to electronic record. The contents of electronic records may be proved in accordance with the provisions of Section 65B. 65B. Admissibility of electronic records. (l) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question and shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible. (2) The conditions referred to in sub-section (l) in respect of a computer output shall be the following, namely: (a) the computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer; 176 e-finance
(b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities; (c) throughout the material part of the said period, the computer was operating properly or, if not, then in any respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and (d) the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities. (3) Where over any period, the function of storing or processing information for the purposes of any activities regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computer, whether— (a) by a combination of computers operating over that period; or (b) by different computers operating in succession over that period; or (c) by different combinations of computers operating in succession over that period; or (d) in any other manner involving the successive operation over that period, in whatsoever order, of one or more computers and one or more combinations of computers, all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer; and references in this section to a computer shall be construed accordingly. (4) In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say, (a) identifying the electronic record containing the statement and describing the manner in which it was produced; 177 cyber law in e-commerce and e-finance
(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer; (c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate, and purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate) shall be evidence of any matter stated in the certificate; and for the purposes of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it. (5) For the purposes of this section, (a) information shall be taken to be supplied to a computer if it is supplied thereto in any appropriate form and whether it is so supplied directly or (with or without human intervention) by means of any appropriate equipment; (b) whether in the course of activities carried on by any official, information is supplied with a view to its being stored or processed for the purposes of those activities by a computer operated otherwise than in the course of those activities, that information, if duly supplied to that computer, shall be taken to be supplied to it in the course of those activities; (c) a computer output shall be taken to have been produced by a computer whether it was produced by it directly or (with or without human intervention) by means of any appropriate equipment. Explanation: For the purposes of this section any reference to information being derived from other information shall be a reference to its being derived therefrom by calculation, comparison or any other process. 10. After Section 67, the following section shall be inserted, namely: “67A. Proof as to digital signature. Except in the case of a secure digital signature, if the digital signature of any subscriber is alleged to have been affixed 178 e-finance
to an electronic record the fact that such digital signature is the digital signature of the subscriber must be proved.”. 11. After Section 73, the following section shall be inserted, namely: “73A. Proof as to verification of digital signature. In order to ascertain whether a digital signature is that of the person by whom it purports to have been affixed, the Court may direct— (a) that person or the Controller or the Certifying Authority to produce the Digital Signature Certificate; (b) any other person to apply the public key listed in the Digital Signature Certificate and verify the digital signature purported to have been affixed by that person.”. Explanation: For the purposes of this section, “Controller” means the Controller appointed under sub-section (1) of section 17 of the Information Technology Act, 1999. 12. After section 81, the following section shall be inserted, namely: “81A. Presumption as to Gazettes in electronic forms. The Court shall presume the genuineness of every electronic record purporting to be the Official Gazette, or purporting to be electronic record directed by any law to be kept by any person, if such electronic record is kept substantially in the form required by law and is produced from proper custody.” 13. After section 85, the following sections shall be inserted, namely: “85A. Presumption as to electronic agreements. The Court shall presume that every electronic record purporting to be an agreement containing the digital signatures of the parties was so concluded by affixing the digital signature of the parties. 85B. Presumptions as to electronic records and digital signatures. (1) In any proceedings involving a secure electronic record, the Court shall presume unless contrary is proved, that the secure electronic record has not been altered since the specific point of time to which the secure status relates. 179 cyber law in e-commerce and e-finance
(2) In any proceedings, involving secure digital signature, the Court shall presume unless the contrary is proved that— (a) the secure digital signature is affixed by subscriber with the intention of signing or approving the electronic record; (b) except in the case of a secure electronic record or a secure digital signature, nothing in this section shall create any presumption relating to authenticity and integrity of the electronic record or any digital signature. 85C. Presumption as to Digital Signature Certificates. The Court shall presume, unless contrary is proved, that the information listed in a Digital Signature Certificate is correct, except for information specified as subscriber information which has not been verified, if the certificate was accepted by the subscriber”. 14. After section 88, the following section shall be inserted, namely: “88A. Presumption as to electronic messages. The Court may presume that an electronic message forwarded by the originator through an electronic mail server to the addressee to whom the message purports to be addressed corresponds with the message as fed into his computer for transmission; but the Court shall not make any presumption as to the person by whom such message was sent”. Explanation: For the purposes of this section, the expressions “addressee” and “originator” shall have the same meanings respectively assigned to them in clauses (b) and (z) of sub-section (1) of section 2 of the Information Technology Act, 1999. 15. After Section 90, the following section shall be inserted, namely: “90A. Presumption as to electronic records five years old. Where any electronic record, purporting or proved to be five years old, is produced from any custody which the 180 e-finance
Court in the particular case considers proper, the Court may presume that the digital signature which purports to be the digital signature of any particular person was so affixed by him or any person authorized by him in this behalf. Explanation: Electronic records are said to be in proper custody if they are in the place in which, and under the care of the person with whom, they naturally be; but no custody is improper if it is proved to have had a legitimate origin, or the circumstances of the particular case are such as to render such an origin probable. This Explanation applies also to section 81A”. 16. For section 131, the following section shall be substituted, namely: 131. Production of documents or electronic records which another person, having possession, could refuse to produce. No one shall be compelled to produce documents in his possession or electronic records under his control, which any other person would be entitled to refuse to produce if they were in his possession or control, unless such lastmentioned person consents to their production”. Schedule III (Section 92) Amendments to the Bankers’ Books Evidence Act, 1891 1. In section 2, (a) for clause (3), the following clause shall be substituted, namely: “(3) “banker’s books” include ledgers, day-books, cashbooks, account-books and all other books used in the ordinary business of a bank whether kept in the written form or as printouts of data stored in floppy, disc, tape or any other form of electro-magnetic storage device; (b) for clause (8), the following clause shall be substituted, namely: 181 cyber law in e-commerce and e-finance
“(8) “certified copy” means when the books of a bank— (a) are maintained in written form, a copy of any entry in such books together with a certificate written at the foot of such copy that it is a true copy of such entry, that such entry is contained in one of the ordinary books of the bank and was made in the usual and ordinary course of business and that such book is still in the custody of the bank, and where the copy was obtained by a mechanical or other process which in itself ensured the accuracy of the copy, a further certificate to that effect, but where the book from which such copy was prepared has been destroyed in the usual course of the bank’s business after the date on which the copy had been so prepared, a further certificate to that effect, each such certificate being dated and subscribed by the principal accountant or manager of the bank with his name and official title; and (b) consist of printouts of data stored in a floppy, disc tape or any other electro-magnetic data storage device, a printout of such entry or a copy of such printout together with such statements certified in accordance with the provisions of section 2A.” 2. After Section 2, the following section shall be inserted, namely: “2A. Conditions in the printout. A printout of entry or a copy of printout referred to in sub-section (8) of section 2 shall be accompanied by the following, namely: (a) a certificate to the effect that it is a printout of such entry or a copy of such printout by the principal accountant or branch manager; and (b) a certificate by a person incharge of computer system containing a brief description of the computer system and the particulars of— (A) the safeguards adopted by the system to ensure that data is entered or any other operation performed only by authorised persons; 182 e-finance
(B) the safeguards adopted to prevent and detect unauthorized change of date; (C) the safeguards available to retrieve data that is lost due to systemic failure or any other reasons; (D) the manner in which data is transferred from the system to removable media like floppies, discs, tapes or other electro-magnetic data storage devices; (E) the mode of verification in order to ensure that data has been accurately transferred to such removable media; (F) the mode of identification of such data storage devices; (G) the arrangements for the storage and custody of such storage devices; (H) the safeguards to prevent and detect any tampering with the system; and (I) any other factor which will vouch for the integrity and accuracy of the system. (c) a further certificate from the person-in-charge of the computer system to the effect that to the best of his knowledge and belief, such computer system operated properly at the material time, he was provided with all the relevant data and the printout in question represents correctly, or is appropriately derived from, be relevant data”. Schedule IV (Section 93) Amendment to the Reserve; Bank of India Act, 1934 In the Reserve Bank of India Act, 1934, in section 58, in sub-section (2), after clause (p), the following clause shall be inserted, namely: “(pp) the regulation of fund transfer through electronic means between the banks or between the banks and other financial institutions referred to in clause (c) of section 15– I, including the laying down of the conditions subject to which banks and other financial institutions shall participate in such fund transfers, the manner of such fund transfers and the rights and obligations of the participants in such fund transfers;” 183 cyber law in e-commerce and e-finance
thirteen
regulatory issues Regulating Alternate Trading Systems A major challenge for the regulators is the blurring distinction between intermediaries, markets, and exchanges. Exchanges are turning themselves into profit-making companies and are gradually turning away mutualization. Regulatory approaches are also evolving and it is extremely difficult to pinpoint which of the policies have crystallized and are likely to be pursued over a period of time. The different strands and variations in practice can perhaps be attributed to historical reasons, market practices, investor penetration etc. The problems faced by the US Securities and Exchange Commission over a period of time are highlighted and the history of these developments is analyzed. The difficulties encountered in the process of evolution and attempts at fitting them into a legalistic frame are a good example of problems that are likely to emerge. The technology underlying automated trade executions generates concerns for regulators. These deal with: System construction. Investor protection. Nature of computerized trade matching. Market structure. Appropriate jurisdiction. The regulation of automated trading changes the factual context. The costs of trading decline substantially—no barrier 184 e-finance
to providing direct unlimited access. In the process ‘the monopoly’ model of execution of services based on mutual associations gives way to increasing content ability of markets populated by firms offering different trading technologies and operating as for-profit enterprises. Technology applications were evolutionary. In contrast, the automated execution process lends itself to the elimination of distance, costs and access restrictions. The regulatory concerns have, therefore, to cover a range and variety of topics.
Definition of an Exchange Exchanges and brokers—the distinction has been statutory and underpins the entire fabric of regulation. Therefore, the two groups had different regulatory requirements. There is an implied variance in constraints on commercial behaviour and market structure. ‘Market structure’ comprises rules and institutions, which determine the competition between trading platforms. The definition comprises not only technical designs of trading systems, but also the means by which they interact with each other and with their participants. The regulation question leads to potential reclassification of systems, and difficulties with competition in the market for trading markets. The historical approach was institutional where the types of participants were defined, and where registration rules and the required duties of an institution covered by the definition were specified. There were four classifications: (a) securities exchanges; (b) brokers; (c) dealers, (d) a national securities association. The 1934 Securities Exchange Act (SEA) defined exchanges as: any organization, association, or group of persons whether incorporated or unincorporated which constitutes, maintains or provides a market place or facilities for bringing together 185 regulatory issues
purchasers and sellers of securities or for otherwise performing with respect to securities the functions commonly performed by a stock exchange and includes market place and market facilities maintained by that exchange.
In 1990, in the face of new technology, the Securities Exchange Commission (SEC) provided the following definition: What distinguishes an exchange from a broker, dealer or other statutorily defined entity is its fundamental characteristic of centralizing trading and providing purchasers and sellers by its design (trading rules, operational procedures) buy and sell quotations, on a regular or continuous basis so that the purchasers and sellers have a reasonable expectation that they can regularly execute their orders at these price quotations. The means employed may be varied. . . .
Brokers were defined as ‘any person engaged in the business of effecting transaction in securities for a/cs of others, but does not include a bank’. The regulation of brokers/dealers is ultimately for the protection of customers. Is an automated trading system an exchange or a broker/ dealer? The descriptions suggest different regulatory responsibilities depending on that determination with varying constraints. A via media would be ‘proprietary trading systems’. However, the definition of proprietary trading systems created a host of problems. It was defined as: Any system providing for the dissemination outside the sponsor and its affiliates of indication of interest, quotations or orders to purchase or sell securities and providing procedures for executing or settling transactions in such securities.
A host of key regulatory issues are: Allocation of regulatory costs between exchanges and proprietary trading systems (PTS). Access to trading facilities. 186 e-finance
Price and quote data by PTS. System integrity. Inter-jurisdictional issues. Fragmentation and disintermediation. Problems also surfaced regarding definition of exchange and four sets were used for deciding the: (a) centralized activity; (b) two sided quotes; (c) liquidity; and (d) volume. The SEC revised the definition of an exchange in 1990 as: 1. An association or groups of persons that beings together the orders of multiple buyers and sellers. 2. User established non-discretionary methods under which such orders interact with each other and buyers and sellers agree to the terms of trade. Presently, a strong negative message is gleaned from speeches by regulators. In the first instance, the insistence is on ‘not doing harm’. It is like the advice given to young medical practitioners. A closer look would show that it in effect means: (a) allowing as much scope to the ‘Markets’ as would be possible; (b) taking care to see that technological developments are not impeded by the regulators; and (c) ensuring that the stable financial system is not disturbed. The other side of the coin dictates a status quo and would like no disturbance to the existing arrangement. A European committee (Committee of Wise Men) appointed to study the regulatory arrangements for securities trading came to the conclusion that they saw no need for a major change in the existing arrangements. This is a surprising conclusion, as the European regulatory system is characterized by three different kinds of regulatory bodies. It led to a peculiar situation of a local state government having to approve the planned merger of the German Stock Exchange with the London Stock Exchange. A similar situation exists in America. Different authorities regulate the New York Stock Exchange, the Arizona Exchange and the NASDAQ. Other examples are: 187 regulatory issues
Insider Trading Regulators, which regulate insider trading and the flow of information from companies to investors. Institutions regulating the capital adequacy of participants in the trading process. The presence of Alternating Trading Systems (ATS) would exert a downward pressure on commissions and would tighten the spreads. This pressure would also lead to integration as the need is for larger volumes per transaction. The tendency for a straightforward transaction would lead to a merger of banks with ‘e-traders.’ Alternatively, large banks could have their own broking arms (such as a bank-owned in-house trading system). This could lead to a monopolistic situation. The European Commission has rightly expressed concerns that the trend towards vertically integrated trading systems could dampen competition. Institutions which regulate the self-regulatory bodies of exchanges. A new body of regulation–the competitive authority would have to take an interest and suggest solution(s), which may perhaps be optimum. Merely adhering to a laissez faire policy or mere insistence on ‘transparency’ may not be the right solution. The need for information is universal. Even institutional investors are equally in need of authentic information. Certain limitations on transparency in the case of securities trading must also be noted. It would be quite difficult to disclose the details of large volume trades or the names of sellers, etc. The question has assumed added significance since recent disclosures in the US and the hefty fines paid by Wall Street firms are pointers to what lies in store if matters are not examined from a different angle. The ‘greed’ factor cannot also be ruled out. The glorification and unreasonable importance attached to the bottomline results at any cost would lead to such situations. There is thus a need for stringent measures and deterrent punishment. 188 e-finance
Equally strong is the need for a far greater degree of coordination amongst regulators spread over different parts of the globe. The merger of exchanges and the competition amongst them for business warrant harmonization of standards and coordinated efforts in dealing with ‘rogue traders’. It is time indeed that the ‘silo’ approach is reexamined and replaced by more centralized coordinated agencies to deal with the problem. The regulators also have to look at certain technological issues. They must keep in mind that the technology used is not skewed in favour of a given firm (i.e., information reaching a firm a split second earlier than others). The tasks before the regulators are going to be complicated with the emergence of increasingly complex derivative and risk-hedging products. The Daiwa or Barings Bank case did bring out somewhat unusual aspects . The regulators had to admit that they did not have staff adequately competent to deal with such matters. This is where regulators could cooperate with one another to arrive at solutions. These developments also lead to questions about provision of liquidity—a function undertaken by market makers in certain exchanges. The regulators would be called on to resolve the question of enmeshing earlier practices with the emerging straightforward transaction systems. Some basic principles that have been developed to guide securities regulators in markets that have experienced rapid growth in connectivity and widespread electronic distribution of securities related financial services are now examined. In protecting investors, it is useful to distinguish between the responsibilities of three groups: broker-dealers, that provide on-line brokerage services; internet service providers or portals that provide on-line order routing services to brokers or are themselves involved in on-line services, and issuers (or underwriters) that distribute their securities publicly or privately over the Internet. On-line brokers’ communications with investors should satisfy the principles of notice (timely and adequate notice that information is available electronically); access (given 189 regulatory issues
electronically should be comparable to that available in other forms); and evidence to show delivery (reason to believe that delivery requirements would be satisfied). When financial information is delivered electronically, there must be adequate protection for privacy and confidentiality. In many countries, self-regulating organizations (often exchanges) have been encouraged to work with issuers and related brokerage firms and investment banks to establish review committees that determine whether market participants meet requirements for proper communication and advertising to investors. In many cases, written policies have been required of brokerdealers as well as a pre-use review process and even ‘fair disclosure’ guidelines to ensure that all material non-public information is disclosed simultaneously across all forms of communication. In some countries, even public disclosure reports on broker-dealers must be posted on websites to allow for better-informed investors. ‘Suitability’ and ‘Know thy Customer’ rules are also important. These rules often oblige brokers to make certain determinations—such as ascertaining investors’ financial status, tax status, investment objectives, and any other information deemed reasonable— before making the transaction recommendation. In many countries, questions arise on how this process can be made more efficient—through use of other authentication processes, including digital signatures—and not require physical interaction with investors. On line order routing by an associated Internet service provider or portal in exchange for a fee raises the question of whether this constitutes provision of brokerage services. Many countries are starting to view such arrangements as brokerage, unless the portal does not recommend specific securities or participate in any financial services offered by the ultimate provider. Complicating matters, the extensive offline businesses of many portal companies can create conflicts about the accuracy of the company information they report. This problem makes regulatory oversight difficult—and is becoming more common in emerging markets that have seen 190 e-finance
a rapid increase in financial service portals. Korea for example, is home to nearly 300 such portals. On-line securities offerings can lead to conflicts of interest. Many issuers advertise using electronic bulletin boards, but this can be viewed as an offering. In general, securities issuers that use electronic bulletin boards on the Internet are being asked to maintain some status with regulators. They also need to provide financial information on their websites, required of registered issuers, keep records of quotes, provide no advice on buying or selling securities, receive no compensation for creating the bulletin board, and receive and transfer no securities on behalf of third parties. Third-party bulletin boards are complex to regulate because they may be acting as an exchange, an ATS, or a broker-dealer. In addition, on-line offerings of securities through an initial public offering or a private placement or offering raise regulatory or supervisory challenges. Similarly, attention must be paid to stock-purchase plans, stock giveaways, electronic road shows, and offshore or crossborder offerings over the Internet. Much of this will require developing global standards taking into account issues such as differences in the definition and treatment of solicitations.
The Indian Experience The rules presently in force in India decree that brokers keen to offer such facilities have to apply to the National Stock Exchange and adhere to prescribed norms and standards regarding the use of technology, and adopt practices regarding selection of customers, etc. The SEBI has also prescribed standards to be followed and Circular no.SMDRP/Policy/ Cir6/00 dated 31 January 2000 gives details regarding the various rules and regulations.
Foreign Exchange Transactions Equally significant is the question of foreign exchange transactions. The problems of tainted money transfers or huge 191 regulatory issues
capital flows with enormous destabilizing effects need to be analyzed in detail as these problems have defied solutions and apart from pious hopes and aspirations one hardly sees any progress made in regulating these activities. Thus, serious attempts do not seem to have been made to resolve these issues. Leaving all these matters to the market mechanism, or expecting that by providing teeth to bodies like the SEBI is the solution, is like chasing a mirage. The complex, evolving situation warrants a continuous meeting of minds amongst technology providers, market players and regulators. These bodies must virtually become the extended arms of regulators, which will go beyond the national boundaries and spread their reach to areas where a bulk of international activities is directed.
Regulating Insurance Companies The International Association of Insurance Supervisors has released a report dealing exclusively with the principles on the supervision of insurance activities on the Internet. Their recommendations are briefly summarized here. The Internet creates a new environment in which insurance products can be advertised, sold and delivered, but it does not alter the fundamental principles of insurance and insurance supervision. It is a new medium through which business can be transacted. The Association is concerned about substantial risks to consumers as the opportunities for fraud, money laundering and the wrong selling of insurance products have, no doubt, been considerably enhanced. The supervisors thus have an added responsibility to protect the consumers in their jurisdiction. The questions of applicability of a given contract law being applicable and the means of redress in case of a dispute are important issues that need to be settled. The Association suggests that that the supervisors must ensure that the sale, purchase, and delivery of insurance are conducted in a secure environment. The principles enunciated by them are: 192 e-finance
Consistency of Approach ‘The supervisory approach to insurance activities on the Internet should be consistent with that applied to insurance activities through other media.’ They go further and indicate the areas where supervisors must assert their authority over Internet activities: When an Internet site is targeted at residents and/or risks within the supervisor’s jurisdiction. When insurance activities are provided via the Internet site to residents in the supervisor’s jurisdiction. When information is presented to potential policy holders within the supervisor’s jurisdiction through proactive means.
Transparency and Disclosure Insurance supervisors should require insurers and intermediaries over which they exercise jurisdiction to ensure that the principles of transparency and disclosure applied to Internet insurance activities are equivalent to those applied to insurance activities through other media.
It is suggested that the insurer must disclose the address of the head office, the branch office, etc., as well as the jurisdiction in which the insurer can offer such services. It is also necessary that the procedure for the submission of claims and claim-handling procedures be indicated.
Effective Supervision Based on Cooperation ‘Supervisors should cooperate with one another, as necessary, in supervising insurance activities on the Internet.’ The regulation of Internet activities based purely on actions capable of being taken in a single jurisdiction is often inadequate. Therefore, a greater degree of cooperation between supervisors is a must. 193 regulatory issues
The Association takes note of operational risks and suggests a close scrutiny of the control mechanism by the insurer. A truly significant departure is the insistence on the need for the supervisors to observe transparency and their recommendations for disclosure of information, annual reports of the supervisory authority, links to other websites, relevant statistics, etc. They are quite right in suggesting that the supervisors should publish texts of relevant legislation on their websites. The approach is somewhat superficial and hesitant. Supervisors in banks have explored these matters in a much more detailed manner. Perhaps the conceptual debate about intervention and leaving it to the market is still not sufficiently tilted in favour of one or the other and hence the hesitation. These are sensitive areas and need a greater clarity of approach. It cannot be left to evolve over a period of time.
Regulating Banks There are many who scoff at the idea of any relatively inconsequential device (such as currencies like ‘Beeze’) morphing into a major competitor for the US$ or the Pound Sterling. However, the growing body of credit card users with ever-increasing drawing limits are now posing significant problems. Obviously, these cannot be overlooked as insignificant issues. Non-banks such as universities and transit systems already issue smart cards backed by the ability of the sponsor to pay. Put these or similar cards in an open environment where they are accepted as vehicles and a ‘new’ currency is available. Together with e-purses, these could provide a formidable area that needs to be controlled. There are rules around the world against fictitious instruments, but they are not applied to the area of electronic currency. There is a general apprehension that once instability sets in, it would be difficult and too late to remedy it. In fact, some European countries have allowed only banks to issue such currencies. Further, if and when banking functions are carried out by multiple uncoordinated financial and nonfinancial entities, who would strive to bring about the ‘sta194 e-finance
bility’ which is the bedrock of the system? It would not be wrong to say that sound currency and monetary control is more difficult to maintain in this new world of fragmented financial players and multiple currencies. Computers and telecommunication devices have enabled non-banking companies to simulate banking services that customers cannot differentiate between. The same forces will enable banks to simulate the functions of currency even though it is not considered legal tender. The only conclusion is that forces that could destabilize it need to be channelled appropriately. This brings us to the next question. Are smart cards and e-purses covered by deposit insurance? Perhaps we need to address the wider question of safety nets in the financial sector. Should these instruments be treated separately from other economic agents? In today’s world, many substitutes for banks’ deposit products have emerged and continue to do so. Alternate payment mechanisms have also developed. E-finance allows non-deposit-taking financial institutions and capital markets to reach far more depositors as well as borrowers. It would not be wrong to say that the whole gamut of a ‘safety net’ is in a melting pot. Such safety nets could even be extended to other non-deposit institutions. The need to address questions as to the structure and the wider question of currency guarantee would then arise. Obviously the question is related to the consumer protection issue. How do we protect the investors/depositors? Should we lay down minimum standards for institutions and self-regulatory agencies? Equally important is the problem of enforcement. How are these policies to be implemented, and by whom?
Smart/Debit Cards The RBI has issued specific guidelines (RBI circular FSC. BC.123/24.01.019/99–2000) to banks, which intend issuing these cards. The boards of banks are authorized to decide on issuing such cards and they have been asked to shoulder the responsibility for monitoring the operations. Banks are further advised to ensure safety of these cards. In fact, the losses 195 regulatory issues
incurred by customers on account of breach of security or its failure, would have to be borne by the banks. Banks also need to have in place an arrangement for twenty-four-hour notification of loss, theft etc., of the cards.
Competition Policy There is an acute need for global coordination. At this stage, the answers to the questions posed could well depend on certain value premises as well as the ground realities. Would free trade in financial services be the order of the day? It would logically be followed by an equally important question viz. Should it be so? Should there be free entry? Scale and scope economies would no longer be barriers to entry. Do we need to have a relook at concepts like markets/ competition? Perhaps the question could be narrowed down to decide on which payment services should fall under regulatory oversight, and which institutions should have access to the payment system. The other alternative is to define them narrowly and restrict access to deposit-taking institutions chartered by the regulator. These are important issues and need to be debated and discussed at a time when they have not yet assumed serious proportions. It is necessary to be ready to meet the contingencies when they arise. The more urgent questions regarding regulation of existing institutions and the ones entering the scene remain and need to be addressed. But that does not justify leaving futuristic issues untouched. A combination of prescriptive measures suggested by the BIS and examination techniques proposed by the FDIC are a good starting point. There is considerable unanimity about the proposals made and it is considered safe to adopt them. 196 e-finance
The existing risk management principles must be tailored, adapted and in some cases extended to address specific issues created by the peculiar characteristics of ebanking activities. The RBI could extend the policies enunciated in 1998 (RBI Circulars dealing with Asset/Liability Management and Risk Management: Nos. 1]DBOD no.BP.BC.94/21.04.098/98 and 2]DBOD.No.BP sc.BC.98/ 21.04.103/99)] and make it mandatory for banks broadly to adopt the suggestions made by the BIS in its report on ‘risk management principles for electronic banking, in consultation with the RBI. The BIS is quite right in asserting that setting detailed risk management requirements must not be counter productive. Each bank’s risk profile is different and requires a tailored approach for risk mitigation appropriate for the scale of e-banking operations, the materiality of risks present and the institute’s willingness and ability to manage the risks. This does imply that the one-size fits all approach to e-banking risk management may not be appropriate. Broadly, the risk management efforts fall into three groups: 1. Management Oversight: This essentially requires explicit, informed and documented strategic decisions, covering specific accountabilities, policies, and controls, to address risks. Key aspects of security control process must also be covered. 2. Security Controls: These should include appropriate control processes such as: (a) authorization measures; (b) authentication measures; (c) logical and physical controls; (d) adequate security to maintain appropriate boundaries; (e) restrictions on both internal and external user activities; (f) data integrity; and (g) audit trails. 3. Due Diligence: This includes comprehensive due diligence and management oversight processes for outsourcing relations and third party dependencies. Other security controls are: 197 regulatory issues
authentication of e-banking customers, non-repudiation and accountability for e-banking transactions, appropriate measures for segregation of duties, data integrity of e-banking transactions, records and information, establishment of clear audit trails for e-banking transactions, confidentiality of key banking transactions, legal and reputational risk management principles that include: • • • •
appropriate disclosures for e-banking services, privacy of customer information, capacity, business continuity, contingency planning to ensure availability of ebanking services, • indent response planning.
BIS Recommendations Against the backdrop of information, the committee has developed 14 key risk management principles and for the sake of easy reference they are given below: Management oversight, Management of outsourcing and third party dependencies, Segregation of duties, Proper authorization measures and controls, Clear audit trails, Authentication of all entities, counterparts, and data, Non-repudiation of e-banking transactions, Comprehensive security, Integrity of banking transactions, records and information, Appropriate disclosure for e-banking services, Confidentiality and privacy of customer information, Business continuity and contingency planning, Incident response planning, Role of supervisors. 198 e-finance
The suggestions made above need to be supplemented with a report prepared by the FDIC for bank examiners. Given below are the salient features of the suggestions made. The summarized version is in two parts. The standards represent performance objectives to ensure that banks operate smoothly and that the bank’s objectives are carried out. Associated risks represent potential threats because of the failure to adhere to such standards. The supervisors are advised to examine these areas to ensure that banks operate in a safe environment and that the institution’s objectives are carried out properly. The examiners must also ensure that the systems are used with clear strategic direction and with a comprehensive risk management programme. They are apprehensive that critical units may have been excluded from the planning process and that a proper evaluation of costs may not have been made. Further, they are worried that the systems would be such that customer demands are not adequately met. It is noteworthy that the supervisors are keen on ensuring that policies and procedures adequately address the impact on bank activities, operations, or security. It is recommended that adequate training and retraining of staff on proper controls and potential risks is undertaken. Obviously therefore, the need for standards for overall performance and systems operations to be established by the boards is a must. Further, internal and external auditors are advised to review alternate delivery systems. While the security of information systems is bound to attract the attention of the supervisors, such arrangements need to be critically examined under the microscope of the regulators. The FDIC has recommended the review of following features at the time of examination: planning and implementation, operating procedures and policies, audit, legal and regulatory matters, administration, outsourcing arrangements. 199 regulatory issues
A noteworthy feature is the recommendation that whenever required, experts may be called in to assist the supervisors. The examination manual is a public document and institutions can use it to guide them through the difficult transition phase. In the emerging scenario, it is essential for financial institutions, technology firms, auditors and regulators to work closely together in evolving appropriate solutions to safeguard the customer interests and those of the institutions, as well as of the system as a whole. The newer systems need to be nurtured in the initial stages with care.
200 e-finance
references Abrol, R.K. (1996). ‘Electronic Banking (E-Banking)’, IBA Bulletin, 18(1), Jan, Mumbai. Adavi, Ramesh (1996). ‘Networking the service branches’, IBA Bulletin, 18(1), Jan, pp. 104–105. Allen Helen, John Haqwkins and Setsuya Satol (2001). Electronic Trading and its implications for finalizing the systems, BIS Papers No. 7, BIS Basle. Anandlingam G. (2003). ‘Information Technology does matter’. The Economic Times, July 25, Mumbai. Andrews, David (1999). ‘Surviving in the Real world’, Banker (UK) 149(885), Nov, pp. 95–96 Arnoff. Andriole, Steve (2002). ‘A winning technology Strategy’, http:// itmanagement.earthweb.com/columns/bizalign/article.php/1009331, 1 April. Appel, M. Andrew, Amit Dhadwal and Wayne Epietraszek (2003). ‘More Bang for the IT buck’, Mckinsey Quarterly, No. 2, Mckinsey and Co. Inc. Arnoff, David L. (1999). ‘Credit Online: Banking in Cyberspace’, Business Credit, 101(9), Oct, pp. 18–19. Asian Banker Journal (2000). E-Savvy CEOs who are prepared to lead the way, Jan 31, pp. 20–21. Bachman, Timothy (2001). ‘Welcome back to the branch’, Bank Marketing, 33(1), Jan/Feb. Bank of Japan (2000). ‘The Importance of Information Security for Financial Institutions and Proposed Counter Measures: With a focus on Internet-based financial services’. Basle Committee on Banking Supervision (2001). ‘Risk Management Principles for Electronic Banking’, Bank for International Settlement, Basle.
201 references
Beans, Kathleen M. (2000). ‘Ask the right question in the “both/ and” world’. RMA Journal, 83(1), Aug, pp. 74–75. Blount, Ed (1999). ‘Rethinking the Framework’, ABA Banking Journal, 91(12), Dec, pp. 68–72. Brewer, Harold (2001). ‘E-Commerce and Community Banking’, Commercial Lending Review, 16(3), pp. 48–52. Brown Jonathon (2001). ‘Forex Ventures beyond the phone’, Euromoney, (385), pp. 81–84. Business India (July 21–August). ‘Changing Face of Banking’, Banking Supplement, New Delhi. Cane, Alan (1985). ‘Technology banking on an Electronic future’, Financial Times, June 3. Carr, Nicholas G. (2003). ‘IT Does’nt Matter’, Harvard Business Review, May. Carreker, J.D. (2000). ‘Banks and E-Commerce Transforming Old Economy Practices into New Economy Business’, Commercial Lending Review, 15(4). Fall, Carstensen, Brent, J. and Winter William D. ‘Marketing Electronic Banking Products and Services to Bank customers’, Bankers’ Magazine, 179(2), Mar/April, pp. 32–44. Christiansen Hans (2000). ‘Electronic Finance: Economic and Institutional Factors’, Financial Affairs Division—Occasional Paper No. 2, Nov, OECD. Clasessens Stijin, Thomas Glassener and Daniela Klingebiel (2001). E-Finance in Emerging Markets, ‘Is Leapfrogging possible?’, Financial Sector Discussion Paper No. 7, The World Bank, June. (2000). ‘Electronic Finance: Reshaping the World’, Financial Discussion Paper No. 4, The World Bank, Sept. Cline Kenneth (2000). ‘Sticky Proposition’, Banking Strategies, 76(1), Jan/Feb, pp. 32–34. Clinton Bill (2003). Towards Cooperation, Speech at Yale University, Oct 31, Yale. Cohen Stephen S., Bradford J., Delong and John Zyman (2000). Berkley Roundtable on the International Economy, University of California, Berkley. Committee on the Global Financial System (2001). ‘Report by a Working Group established by the Committee on the Global Financial System’, BIS, Basle.
202 references
Daniel Elizabeth, and Storey Chris (1997). On-line Banking Strategies and Management Challenges—Long Range Planning, 30(6), pp. 890–898, Published by Elsevier Science Ltd. De Young, Robert (2001). ‘The Financial Progress of Pure-Play internet Banks’, BIS Paper No. 7, BIS, Basle. Dickie Jim (2003). ‘CRM 2002—State of the market place’, Review, Marketing Mastermind, Jan. Drucker Peter (2002). ‘They are Not Employees Any More’, Indian Management, May. Duggal Pavan (2002). Spotlight on Asia [Cyber Crimes] The Economic Times, Sunday, Dec 8, Mumbai. E.T. Intelligence Group (2002). ‘Fighting a Common Enemy, ETIG’, Knowledge Forum, 10 Dec. Electronic Banking, Safety and Soundness Procedures, FDIC Division of Supervision. Elumalai, Dr K. (2001). ‘Legal Regulation of Cyber Crimes—Salient Features of Information Technology Act 2000’, Paper presented at the Conference on Cyber Laws and Legal Education organized by Nalsar University of Law, Hyderabad. Farrel Diana, Terra Terwilliger and Allen P. Webb (2003). ‘Getting it spending right this time’, Mckinsey Quarterly, No. 2. FDIC (2000). Security Monitoring of Computer N, FDIC, Financial Institutions Letter, Oct. (2002). Digital Signature, Deployment Issues, FDIC bulletin, on Digital Signatures, July. Ferrash, Edward (1999–2000). ‘The last world: been Ztm??? Yes, beenz’, Journal of Lending and Credit Risk Management, Dec–Jan. FT IT Review (2003). ‘A focus on Mobile Working—What it means for you and your Boss’, Financial Times, 29 Oct, London. Gandy Anthony (1996). ‘Competing in the electronic marketplace’, Chartered Banker, 2[10] October. Gates Bill (1995). ‘No Company’s Future is Guaranteed’, Economic Times Interview, The Economic Times, 12 Dec, Mumbai. (1997). ‘The Future is Now: I am a big believer’, The Bill Gates Chatmode, The Economic Times, 5 March, Mumbai. Gillis, M. Arthur (2000). ‘In-House or Outsource? Still a popular Question’, ABA-Banking Journal, June, pp. 51–56. Goldfinger, Charles (2000). Intangible Economy and Financial Markets, Preliminary Exploration Contribution to IDATE Conference “NEW Economy”, November 15. 203 references
Gosling Paul (2002). ‘Financial Services in the Digital Age’, The Bowerdon Publishing Company, London. Government of India (2000). The Information Technology Act, 2000, New Delhi. Greenspan Alan (1998). The Structure of the International Financial System, Speech at the Annual Meeting of the Securities Industry Association, Boca Raton, 5 Nov, Florida, USA. Gurumurthy, N. (2001). ‘My vision of SBI in 2010’, SBI Monthly Review, Oct 2001. Haldipur, Rajesh (1998). ‘The new Face of Retail Banking’, Indian Management, 37(11) November, pp. 19–27. Heath, Ray (1999). ‘Cashing out’, Banking World Hongkong, (68), Aug, pp. 8–10. Hirst, David (2000). ‘Rewriting the Rule book’, Banker (UK), 149(883), Sept 1999, pp. 72–73. Ho, Andy (1999). ‘Playing with the big boys’, Banking Technology, 15(6), Jul/Aug, pp. 32–34. Horsefield, Richard (2000). ‘Shaping the future of online financial services’, Banker (UK), 150(887), pp. 26–28. Ignotius, George (1997). ‘Internet banking—Inviting virtual holdups?’, Dataquest, 15(18), Sept 30, pp. 143–146. International Association of Insurance Supervisors (2002). Risks to Insurerers Posed by Electronic Commerce, IAAS Issue Paper approved in Santiago de Chile on Oct 2002. Johnstton, Lawrence (2000). ‘Finger on the pulse’, Banking Technology, 17(2), March, pp. 30–33. (2001). ‘Defence in Depth’, Banking Technology, 17(2), March, pp. 30–33. Jud Elizabeth (2000). ‘Leap of faith’, Banking Strategies, 76(3), May/ June, pp. 36–40, 46. (2000). ‘Marketing: Serving the Senoirs online’, Banking Strategies, 76(6), Nov/Dec, pp. 24–30. (2000). Retail banking: the B2E connection, Banking Strategies, 76(6), Nov/Dec, pp. 6–10. Karandikar, S.K. (2000). ‘E-Commerce and Banking’, IBA bulletin, 21(3), Mar, pp. 26–32. Kates Geoff (2001). ‘Back to Basics’, Banking Technology, Vol 18(3). Keeton, William R. (2001). The transformation of banking and its impact on consumers and small businesses, Federal Reserve Bank of Kansas City, Economic Review, 86(1) First Quarter, pp. 25–53. 204 references
Kish, John (2000). ‘Before your customers leave—trend of high attrition rates?’, Bank Marketing, Dec, pp. 30–35, 32(12). Knaapschaefer Johnna (2000). ‘Banking on Customer Focus’, Marketing Mastermind, August. Lihui Lin, Xianjan Geng and Andrews Whinstol (2000). ‘A new perspective to finance and competition and challenges for financial insttitutions in the internet era’, BIS Paper No. 7, BIS, Basle. Lim, Cindy (2000). ‘We will build it and they will come’, Asian Banker Journal, (21) April 15, pp. 13–15. Lomax, Victoria (2000). ‘Checkmate’, Banking Technology, 17(7) Sept, pp. 36–40. (2000). ‘Small Change’, Banking Technology, 17(6), Jul–Aug, pp. 28–32. Lordon, James. ‘F-Flops hold lessons for Electronic Bankers’, ABA, Banking Journal, 81(1), pp. 40–44. Lucas, Louise (1998). ‘Whispers in the Future’, Banking Technology, 15(6), Jul/Aug, pp. 48–50. Luke, Rob (2001). ‘Joint Effort?’, Banking Strategies, 77(1), Jan/Feb, pp. 37–42. May A. Thorton (1997). ‘Electronic Commerce: Three truths for IS, Leadership Series, Computer World, April. McAfee Andrew (2003). ‘When Too much Knowledge is a Dangerous Thing’, MIT Sloan Mgmt Review, Winter. McCarthy, Paul (2001). ‘The future is mobile’, Banker (UK), 151(899), Jan, pp. 118–119. McCorninik Joel (1999). ‘Going with the Flow’, Banking World, (63), March, Hongkong. (1997). ‘Technology: securing the lines’, Banking World Hongkong, (42) June, pp. 24–25. Mckenzie, Heather (2000–2001). Delusions of Grandeur, Banking Technology, 17(10), Dec–Jan. Mercer, Don (1998). ‘Doing Business in a borderless world’, Payment Systems Worldwide, 9(2), Summer, pp. 30–32. Mike, M.W. (2001). ‘The Shopper stopper’, ABA Bank Marketing, 33(80), Oct, pp. 38–41. Milton, Dan (1996). ‘More bang for the bank’, Dataquest, 14(12), June 30, pp. 68–71. Mishra, K.C. (1999). The fifth channel of banking: Internet Banking, State Bank of India Monthly Review, 38(7), July, pp. 1028–1035. 205 references
Nadler, Paul S. (2000). ‘Fact and Fiction in Internet banking’, Secured Lender (USA), 56(3), May/June, pp. 44–48. Narayana (Justice) P.S. (2002). ‘Cyber World—New challenges’, Lecture Delivered at University of Hyderabad on 23 May. National Stock Exchange of India Ltd. (2001). ‘CTCL/Internet Based Trading Facility, Circular No. NSE/F&O?2788’, Aug 17, Mumbai. (2000). ‘Internet Based trading Services, Circular No. NSE/ F7O/1877’, 24 August. Nayak, Gayatri (2002). ‘When Small is Big’, The Economic Times, 7 August, Mumbai. Norton, Mike (1999). Any Portal in a storm, Banking Technology, 16(5), June, pp. 36–42. Orr Bill (2001). ‘E-Banking: What next?’, ABA banking Journal, 93(12), Dec. (2000). ‘Financial Portals are hot but for whom?’, ABA Banking Journal, 92(7), July, pp. 53–60. Outlook (2003). ‘Indian banks coming of Age’, 28 July, Delhi. Padwal, S.M. (2000). ‘The role of security standards in payment system design’, Payment Systems Worldwide, 11(2). Pitawalla, Yasir A. (2000). ‘Right Product Mix’, The Economic Times, 20 March, Mumbai. Porter, Michael E. (1985). Competitive Advantages Creating and Sustaining Superior Performance. New York: The Free Press. Powers, Robert (1998). ‘Building a Website that Works: Here’s is How’, Journal of Lending and Credit Risk Management, 80(10), June, pp. 20–23. Reserve Bank of India (1999–2000). ‘Off-Site Monitoring and Surveillance Systems in Select Countries’, Report on Trend and Progress of Banking in India, Mumbai. Guidelines for the issue of Smart/Debit Cards by Banks, Circular No. FSC.BC.123?24.01.019/99-2000, RBI, Mumbai. Roberson, Mark S. (1989). ‘The Role of Technology in a changing banking industry’, World of banking, 8(6), Nov–Dec, pp. 18–21. Rutberg, Sydney (2000). ‘Five Year Outlook for the Commercial Finance industry: the majors speak of growth, change and opportunity’, Secured lender (USA), 56(3) May/June. Santomero, Anthony M. (1997). Commercial Bank Risk Management: An Analysis of the Process, Finacial Institutions Centre, The Wharton School, University of Pennsylvania, February 28. 206 references
Schutzer, Daniel (1998). ‘The Role of Public Key Cryptography, Digital Signatures, and Digital Certificates in Electronic Commerce’, The Journal of Lending and Credit Risk Management, June. Srinivasan, Aruna (2002). ‘A new spin on the Web’, The Economic Times, 16 June, Mumbai. Stoneman Bill (2000). ‘The Message, not the medium’, Banking Strategies, 76(2), March/April, pp. 6–10. The Banker (2000). ‘Caring for E-Clients’, (UK), 150(98), Supplement, Dec, pp. 1–22. The Bankers’ Book of Evidence Act 1891, Government of India, New Delhi. The Banking Technology (2000). Client Relationship Management Report, Informa Professional Publishing, London. The Economist (2001). ‘The Internet Untethered, October 13, London. The Guardian (2003). ‘Business Solutions, Smart Business for SMEs’, October, London. The New York Times (2002). Internet Untethered, The New York Times, Aug, New York. Vasudevan, A. (1998). Committee on Technology Upgradation, RBI, Mumbai. Wahrenburgl (2001). ‘Trading System Competition and Market-maker competition’, BIS Paper No. 7, BIS, Basle, March. Wates, Richard (2003). ‘Corporate Computing tries to find a new path’, FT Special Report, IT Review, Financial Times, June 4, London.
207 references
index ABN Amro, 3, 27, 51 access control techniques, 142–43; password and personal identification number (PIN), 143; tokens and smart cards, 144–45 access devices, accessibility, 25, 33, 36, 106 account monitoring and management services, 86 accountability, 105, 111, 125 Action International, 50 Adleman, Leonard, 148 administration, 111 advertisement, advertising, 11, 32, 37, 94; costs, 62, 72 affordability, 105 Africa Online, 21 aggregation, 38, 63 aggression, 39 alternate payment mechanisms, 195 Alternating Trading Systems (ATS), 184–92 Amazon.com, 100, 147–48 America On Line (AOL), 34 Anderson Consulting, 3 anytime, anywhere banking, 32, 45, 71 Application Programming Interface, 40
application service providers (ASPs), 69–70 Arizona Exchange, 187 asset liability management, 48, 72 asymmetric key encryption, 147–48 ATM, See Automated Teller Machines auction trading platforms, 66 authentication, 172, 197, 198 authorization measures and controls, 126, 140, 149 automated execution process, 185, 186 automated real-time decisionmaking tools, 90 automated scanning, tools, 153 automated trade execution, 50, 54, 184 Automated Teller Machines (ATMs), 20, 25, 27, 71, 77, 80, 103 automation, 70, 84, 100 awareness and acceptability factor in e-trading, 59 back-up system, 41 balance confirmation, 48
208 index
balance sheet, 24 balancing technology, 59 Bangladesh Gramin Bank, 21, 49 banks and financial institutions, banking organizations, 11, 153; complex core banking solutions, 20; and customer, interaction, 104; cyber crimes, 138; hierarchical structure, 99; intranets to shift information, 104; marketing, 94, 97–98, 101– 3, 106; network security, 140–1, 153; potential threats, 116–18; regulation, 100, 195; risks, 111–23;— preventive measures, 112– 13; systems, unauthorized access, 116;—technology for, 119–23; websites, 70–1; See also e-banking Bank for International Settlement (BIS), 89, 134, 196; recommendations, 124–26 Bank of America, 51 Bankers’ Book of Evidence Act, 1891, 137, 167, 169, 181–83 Barclays Bank, 38, 71 Barings Bank, 124, 189 behavioural information, 104 Bharati, 19 Bills of Entry, 49 biometric authentication techniques, 145 Black Hat Briefing, 156 Bluetooth, 160 Bolero.net, 49 ‘bookstore effect’, 96 Bourdreace, Donald, 98
brand, brand management, 5, 52, 60, 69, 78, 96, 105 ‘brick and click’ banking, 79, 94, 99, 102 brokerage, brokers, 39, 52, 66, 131, 185–86, 190; commission, 44, 96; on-line, communication with investors, 189; and trading platforms, distinction, 57 business to business (B2B), 4, 13, 19, 83–87 business and small customer, relationship, 71 business to consumer (B2C), 13, 48 capacity utilization, 9 capital adequacy norms, 44, 87 Carnegie Mellon Software Engineering Institute Network Systems Survivability Programme, 154 Carr, Nicholas, 9 cash management, 88 cash-flow risk, 121 CERT, 154 Chase Manhattan Corporation, 51, 98 Citibank, 20, 27, 51, 142 Civil Procedure Code, 167 client server architecture, 8 Code Division Multiple Access/Time Division Multiple Access/Global System for Mobile Communication (CDMA/TDMA/ GSM), 155 commercial arbitration, 169, 185
209 index
communication, 37, 132, 169; non-verbal, 93 competencies, 30 competition, 1, 31, 36, 42, 44, 48, 69, 76, 80, 84, 91, 96, 97, 109, 185; policy, 23, 196– 200; strategic considerations, 77 competitive advantage, 8, 10 competitive pressure, See competition computer(s), computer technology, network, 20, 54, 80, 168, 184, 195; based accounting packages, 51; computerized cash management, 142; crimes, 132–35, 137, 139; literacy in rural areas, 23; output, 176–78; security products, 115; vulnerabilities, 149 Conference of European Posts and Telegraphs (CEPT), 158 confidentiality, 114, 141, 156, 190, 198 configuration issues, 157 connectivity and computing power, 12 consolidation, 38, 84 consumer, See customer contingency planning, 42, 111, 126, 165, 198 contract aspect of cyber laws, 167, 170–1 contract formation, framework, 22 contractual liabilities, 164 cooperation, 193–95 copyrights for software programmes, 171 corporate system, 9
costs, 42, 103; effectiveness, 43, 98; escalations, 40–1; reductions, 44, 73;—by Internet, 86 crackers, 132, 133, 134 credit, 48, 109; letter through electronic means, 66–67; rating, 51;—agencies, 89; risks, 26, 121 Credit Suisse, 122 Criminal Procedure Code, 167 cross selling products, 90, 108 cross-matching systems, 66 cryptographically strong pseudo-random number generators (CSPRNGs), 149 cryptography and cryptographic tools, 134, 146–50, 152, 159 customer, 15, 23, 25, 36; authentication, 125, 140–4; awareness, 59; and bank, interaction, 104–5; choice, 46; equations, 84; expectations, 78; habits, 37; identity, 129; information, privacy, 126, 198; information systems, 100; knowledge/education, 39, 106, 127; needs, 106; network, 55; profile, change, 1; relationship, 46, 100, 141; reliability, 140–1; resistance, 72, 101; retention, 25–26, 98, 99; satisfaction, 93; service, 53, 77–78, 94, 103– 5;—indifference towards, 69 customer relationship management (CRM), 90, 105, 107 customization, customized services, 25, 43, 91, 98, 99, 105
210 index
cyber crimes, types, 132–34; effect, 135; enforcement problems, 136–38 cyber space, 132, 168 CyonicTM technology, 144 data integrity, 126, 172, 197, 198 data mining techniques, 26 data security, 127 data systems, incompatibility, 129 dealers, 185, 186 debit card, 48 demand and supply factors, 26 denial of service (DoS), 117, 132, 156 deregulation, 1, 68 dial-up systems, 102 differential interest rate (DIR), 49 digital signatures, 147, 172– 73, 174–76, 178–80 direct access trading, 61 Disaster Recovery Centre (DRC), 42 dissent, 19, 122 dot com industries, failures, 3 downsizing, 84 Drucker model of e-banking, 72 due diligence, 125, 173, 197 e-banking, e-banking systems and services, 2–3, 5, 13, 25, 40, 45, 48–50, 68–69, 124–31, 197–98; advisory services through branches, 90–1; communication in branches, 80; non-repudiation, 126, 141;
out-sourced, network security, 162–63; payment services, 91–92; planning and development, 81; products and services, 82–87; retail banking, 87–92; risk management, 125, 134–35, 163, 166; security and identity issue, 86, 91; systems architecture, 80–1; transactions, confidentiality, 126 E-broking, 13, 58, 60 e-commerce, 24, 83, 127–28, 129, 132, 136; cyber laws, 167–83 ‘e-commerce Czars’, 34 e-mail, 18, 31 e-mail bombing, 133 e-money, 47–8 e-procurement, 51–53, 85, 88 e-programmes, 79 e-security in the case of Wireless Networks, 155 economic rationale, changing, 30–4 economies of scales, 5, 31, 55 96, 196 Edelweiss Capital, 16 electronic clearing system (ECS), 86 Electronic Communications Network (ECN), 61 electronic copyrights, 171 Electronic Data Processing (EDP), 80 electronic data interchange, 80 electronic dissemination of bid/offer, 54 electronic documents, security, 129 Electronic Funds Transfer (EFT), 86
211 index
electronic messages, 180 electronic order routing, 54 electronic records, 179–81; admissibility, 176–78; oral admission, 175 electronic service delivery, 141 electronic systems, risks, 112 employee education, 114 enabling services and their importance, 22–23 encryption mechanism, 41, 42, 131, 144, 147, 156, 172 ‘emoticons’, 93 entry costs, 62 equity markets, 61, 96 Ethernet LANs, 155, 156 e-trading, 50, 125; in equity markets, 50; fixed income securities, 66; in foreign exchange, 65; global developments, 57; impact on market mechanism, 62–65; Indian scenario, 58–60; margin trading, 64–65; market developments, 57–58; models, 66–67; operational cycle, 60–2; risk profile, 63–64 Euro, emergence of, 58 Euronet, 20 Europe: regulatory system, 187 European Commission (EC), 155, 188 European Dependability Initiative, 155 evidence aspect, 167, 174–83; See also Bankers’ Book of Evidence Act, 1891, Indian Evidence Act, 1872 exchange and brokers, 185–91 exchange intermediaries, changing role, 55–57
exponential progression mode, 97 factoring and leasing, 49–50 federal reserve, 11 feedback, 100 file transfer protocol (FTP), 151 financial market experimentation, 63 financial planning tools, 52 financial service providers, 34 financial services, 44, 48–49 financial system laws, 22 firewall system, 41, 115, 131, 152 fixed assets expenses/gross profit, 24 fixed income securities, etrading, 66 flexibility, 78 foreign exchange transactions, 69, 191–92; e-trading, 65 fragmentation and disintermediation, 187 functional equivalent approach, 168–70 Gartner Group, 172 General Packet Radio Service (GPRS), 160 geographic reach, 111 geography-centred models banking, 79 Geojit, 59 Germany: stock exchange, 187 Global coordination, 196 global developments, 57–62 grievance redressal, 108 Group Special Mobile (GSM), 155, 158–9; security solutions, 161–62; vulnerabilities, 159– 61 growth, 30–1, 56
212 index
HSBC, 27 hacking, hackers, 117, 132, 133, 139 Handheld Device Markup Language (HDML), 161 HDFC, 1, 25, 27, 69 housing finance, 48 human interface, 102, 104 human touch, 108 ICICI Bank, 1, 20, 25, 27, 48, 51 IEEE 802.11b, 155–57, 161 image development, 99 increasing economy value, 31 Indian Banks Association (IBA), 86 Indian Evidence Act, 1872, 169, 174–81 Indian Penal Code, 1860, 170 indispensability, 31 Industrial Development Bank of India (IDBI), 20 industrial economy, 9 industrial espionage, 132 industrial management, 72 Industrial Revolution, 12, 30 INFINET, 20 ‘infinite regress’, 96 information, information systems, 93, 96, 103–4, 173; access, 39; asymmetry, 97; confidentiality, 81; delivery, 38; exchange, 49; freedom, 52; infrastructure, 99; integrity, 140; management, 77; presentation, 36; protection, 162; reliability, 140; risk and vulnerabilities, 114, 118; and services, personalization, 26; security, 113, 116;—effective-
ness, 115; sharing network, 153; storage, 169 information technology system, 7–13, 93 Information Technology Act 2000, 169, 171, 174–81 Infotech, 72 infrastructure technology, 9 innovation, 3, 10, 25, 31, 56 innovative economy, 12 inquiry-based systems, 66 Institute for Development Research in Banking Technology (IDRBT), 86 insurance sector, 86, 124–31; conduct of business risks, 129–30; connectivity risks, 129; data security risks, 129; internet strategy, risk, 126; operational risks, 128; regulating, 192–200; risk management, 131; strategic risks, 127–28; transaction risks, 128 intangibles, marketing for, 95– 97 integrated systems, 9 intellectual property aspect, 133, 167, 171; patents and rights, 96, 138 intelligence information, 153 inter-departmental conflicts, 72 interest risk, 121 inter-judicial issues, 187 intermediaries, 50, 104 International Association of Insurance Supervisors, 126, 192 International Business Machines (IBM), 160
213 index
International Chamber of Commerce, 66 international trade law, 168– 69 internet, 3, 7, 8, 33–37, 39, 44, 45, 48, 52, 78, 83, 84, 86, 88–89, 96, 103–4, 132, 140, 171, 190, 192–93; banking, 40, 68, 72, 76, 101; based trading systems, 130; connectivity, 23; recent trends, 4–7; risk associated with, 111; usage in India, 15–21;—exposure by age, 18;—by SEC, 18–19; for underdeveloped countries, 21–22 Internet channel information, 39 Internet Protocol (IP), 160; spoofing, 117 internet service providers, 19 internet-only business model, 75 intrusion and compromise, risks, 154 intrusion detection systems (IDSs), 113, 149, 152–54 investment risk management, 122 investor protection, 23, 184 IRS 2000, 16 Japan: mobile phones and hand-held devices, 5, 20 joint ventures, 66
liquidity, 62, 109, 189 local area networks (LANs), 155–56 LoftCrack, 143 malicious code viruses, 132 management oversight, 125, 197, 198 Manager’s Laptop, 156–57 manpower budget, 41 margin trading, 64–65 market, marketing, 2, 10, 72, 77; architecture, 62–65; developments, 57–58; infrastructure, 22; integration with business planning, 97–99; objectives, 99–106; quality, 62; strategies, review, 107–8; structure, 184–85; turbulence, 108 mass reach and security, 102 max-e-marketing, 104 mechanization, 20 Message Authentication Codes, 147 micro loan-processing software, 50 micro-finance institutions, 50 Microsoft, 38, 48 mobile telephones, 5, 20, 36, 38 monitoring systems, 154 Morgan Stanley, 122 multi-channel distribution, 33, 71 multiple-dealer systems, 62 multiple payment systems, 85
knowledge economy, 12 laissez faire, 188 liberalization process, 1, 68
NASDAQ, 187 Nasscom, 16; survey 2002– 2003, 19–21 214 index
Nat West, 38 National Securities Association, 185 National Stock Exchange (NSE), 58, 191 network, networking, 153; economy, 30–32; future, 104–5; management, 102; marketing, 106; profit equity, 24; unauthorized access, 112 network security: asymmetric key encryption, 147–48; control devices, 142–50; data transmission reliability, 146–47; data transmission reliability, 146–47; European Cellular Standard: GSM, 158–62; failures, types, 140–2; incident response, 152–54; losses due to breaches, 139; malicious attacks, 145–46; managerial checklist, 150– 66; policy, 152, 158; random numbers, 147, 148–50; reason, 134–36; survivable system development, 154– 55; war driving, 157–58; worms and viruses, 145–46 new product development, 24 New York Stock Exchange, 187 non interest expenses/gross profit, 24 non-deposit institutions, 195 non-repudiation, 125, 141, 143, 172, 198 off-exchange market, 61 on-line brokerage, 4, 22, 25; communication, 60
on-line client acquisition, 33 on-line connectivity, 69 on-line customers, 53, 77, 83, 98 on-line payment systems, 47 on-line securities trading, 40, 66, 86, 191 on-line value chain, 36–43 on-line vendors, 33 operational costs, 55 operational efficiency, 80, 98 operational risks, 23, 63–64, 121, 194 order driven systems, 61 order flow, 61 Organization for Economic Cooperation and Development (OECD), 4 organization’s preparedness, 27 organizational change, 34 organizational integration, 154 organizational response, 2–3 out-sourcing, 43, 84, 105, 111, 126, 164–65, 197, 199 ownership, 66 PC-based networks, 25, 36, 155 participation costs, 56 passwords, 131; sniffing and theft, 117, 133 patent systems, 148, 171 penetrating testing, 152 penetration testing, 149–50 Personal Digital Assistants (PDAs), 20, 155, 157 Personal Identification Number (PIN), 142, 143 personal relationships, 83–84 personalization and push, 26 Pla Net Finance, 50
215 index
planning and implementation, 78, 81, 199 poaching, 77 policies issues, 1 politics and rivalries, 35 portals, 33–34, 39, 190–1 post trade information, 54 presentation graphical mode, 37 price(s), pricing, 72, 76; consciousness, 106; decisions, 81; and transactional mechanism, 96 privacy and confidentiality, 190 private banks, 69 process: change management, 42; elements, 33, 91; restriction, 141; speed, 127; value chain, 39 products and services, 57 productivity, 10 professionalism, 106 profitability, 72, 75, 78, 99 proprietary architecture, 8, 10 Proprietary Trading Systems (PTS), 186–87 pseudo-random number generators (PRNGs), 149 public key infrastructure (PKI), 22, 86, 151, 172 quality and price, relation, 31 quote driven systems, 61 radio frequency (RF) technology, 155 random numbers, 147, 148–50 real-time gross settlement system, 86 record-keeping tools, 122
record retention requirements, 130 reliability, 46, 83, 169 Reliance, 72 reputation risk, 121 Reserve Bank of India (RBI), 89, 109, 195; ACT, 1934, 167, 169, 183 retrenchment, 103 return on investment, 99 return on IT investment, 7–13 Reuters, 61 96 risk, 62, 63–64, 67, 76, 199; analysis, assessment, 109, 113–14, 163; and determining vulnerabilities, 114–16 risk management, 5, 42, 56, 60, 72, 89, 91, 109–21, 125, 127, 163, 197–98; analytical tools, 122–23; technology, 119–23, 130 Rivest, Ron, 148 rural/urban divide, 23 SYN Flood, 117 sales, service customer care, integration, 105 Satyam, 19 scalability, 55 scarcity, 30 Scare Socket Layer (SSL), 147– 48, 161 scepticism, 75 ‘screen scraping’, 39 security, security aspect, 26, 39, 67, 102, 167, 172–73, 185; awareness training, 153; control, 125–26, 197; in e-banking, 86, 91; policy, 41, 112–13; in etrading, 60
216 index
Securities Exchange Board of India (SEBI), 58, 130–1, 191 service attacks, denial, 153 services, marketing, 1 Shamir, Adi, 148 share trading, 55 shareholder, 77 Short Message Services (SMS), 160 ‘silo’ approach, 189 SIM Card, see Subscriber Identification Module Simple Network Management Protocol (SNMP), 151 sincerity, 107 Singapore: United Overseas Bank (UOB), 81, 82 small and medium enterprises (SMEs), 88–89 smart/debit cards, 47, 152, 195–96 sniffing, 134 social engineering, 117, 134 social structure, 12 socio-commercial policy, 167 software piracy, 133 software projects, multinational, 8 ‘Solo’ electronic delivery system, 80 South Africa: Standard Bank, 49 spoofing, 117, 133 stagnation, 31 Stanchart, 20 stand-alone e-banking, 71–81 State Bank of India (SBI), 20, 51, 88 stealers, 133 strategic factors, 24–25, 30 Subscriber Identification Module (SIM Card), 159
suitability, 60 supplier–consumer relationship, 96–97 Switch, 20 systems, administration, 111; architecture, 112, 114; construction, 184; design and capability, 81; integration, 40, 187; reclassification, 185; security, 111; structure, 91; unauthorized access, 116–17; vulnerability, 116–17 technology, technological, 2, 37; advance, 167; applications, 185; appropriateness, 42; and business strategy, 79; capabilities, 81; change, 69; compatibility, 27; costs, 81; developments, 169; under investment, 10 technology-based effect, 73 technology-scale effect, 73 tele-banking, 20 telecommunications, 97; and ebanking, 80; infrastructure, 21; regulatory framework, 22, 23 telephone grievance redressal systems, 60 telephone trading, 54 television, 36, 38 third generation wireless (3G), 155 Thomas, Dave, 157 trading, trading systems, 5, 8, 185; alternative systems, 130–1; costs, 62; protocols, 62; risks, e-finance and, 21
217 index
transaction processing, 38, 111; cost, 27, 103; information, 39; speed, 111 transformation mechanism, 1, 9, 12, 27, 34, 72; effect on marketing, theory and practice, 93 transition , 63; difficulties, 1–2 transparency, 62, 65, 67, 193 Transport Control Protocol/ Internet Protocol (TCP/IP), 157 treasury management, 27 Trojan horses, 117–18, 145–46 trust and confidence, 46, 91, 173 UNCITRAL, Model law, 168– 69, 174 Uniform Customer Procedure (UCP), 66, 67 Union Bank of Finland (UBF), 80 United Nations Commission for Contracts for International Sale of Goods, 169 United Nations Commission on International Trade Law, 136 United Nations General Assembly UNGA, 170 United States of America: ESignature Act, 2001, 172; Federal Bureau of Investigation (FBI), 139, 157; Federal Deposit Insurance Corporation (FDIC), 112, 125, 196, 199; National Infrastructure Protection Centre (NIPC), 155; PC-based connectivity model, 5; Securities and
Exchange Commission (SEC), 55, 184, 186, 187 urban-cooperative banks, 20 urbanization, 106 usage relationship profitability, 82–83 User Acceptance Testing (UAT), 42 user anonymity, 111 user interface, 80, 102 value creation, 26 value-added services, 56, 57, 86, 93 vendor marketing, 173 vendors safety, 26 virtual private networks (VPN), 149, 162 viruses, virus attacks, 118, 134, 145–46, 153 vision, 27 voluntary retirement schemes (VRS), 44 vulnerability assessment tools, 112–13 web, website, 31, 33, 39, 41; establishment, 36–38; personalization and easy access, 99–100 ‘weights’, 22 Wells Fargo, 84 WEP encryption, 156 Wide Area Network (WAN), 162 Wireless Application Protocol (WAP), 160–61 wireless communication devices, 33 Wireless Equivalent Protocol (WEP), 156
218 index
Wireless Mark-up Language (WML), 161 Wireless Networks (WLANs), 155–57 Wireless Transport Layer Security (WTLS), 161 work culture, 72 World Bank, 22, 44
World Wide Web, 93 Worldwide Interbank Financial Telecommunications, 49 XML, 79 Yahoo, 34, 48
219 index
about the author V.C. Joshi is a Pune based consultant in the area of finance and banking. He retired as the General Manager, Bank of India, and served as the Chief Manager of the Bank’s UK and European operations. He subsequently served as the Director of the National Insurance Academy, Pune, and did a great deal to shape the institution. He has a Masters degree in Political Science from Mumbai, read for the Tripos in Economics at Cambridge University and has a Masters degree from that University. He was nominated for advanced training courses at the Indian Institute of Management, Ahmedabad, the Administrative Staff College of India, Hyderabad, and the National and Westminister Bank, UK. V.C. Joshi has served on important committees and on the boards of several organizations. He was chairman, Indian Banks’ Association, London, and has undertaken consultancy work for banks and insurance companies. He worked as a consultant in India with Price Waterhouse and has been guest faculty at various institutions, including the Banker’s Training College (RBI), and the National Institute of Bank Management. Mr Joshi is the author of several books and numerous articles in the areas of banking and finance, including Managing Indian Banks—The Challenges Ahead (second edition), published by Response Books.
220 e-finance