Report on Internet Banking Prepared by Praasant Kumar Sahu


  • 7/31/2019 Report on Internet Banking Prepared by Praasant Kumar Sahu

    Report on Internet Banking

    Chapter-1 - Introduction

    Chapter-2 - Internet Banking - a new medium

    Chapter-3 - International experience

    Chapter-4 - The Indian Scenario

    Chapter-5 - Types of risks associated with Internet banking

    Chapter-6 - Technology and Security Standards for Internet Banking

    Chapter-7 - Legal Issues involved in Internet Banking

    Chapter-8 - Regulatory and supervisory concerns

    Chapter-9 - Recommendations

    Annexure-1

    Annexure-2

    Annexure-3

    Annexure-4

    Annexure-5

    Chapter-1 - Introduction

    1.1 Background

    1.1.1 Banks have traditionally been in the forefront of harnessing technology to improve their products, services and efficiency. They have, over a long time, been using electronic and telecommunication networks for delivering a wide range of value added products and services. The delivery channels include direct dial-up connections, private networks, public networks etc and the devices include telephone, Personal Computers including the Automated Teller Machines, etc. With the popularity of PCs, easy access to Internet and World Wide Web (WWW), Internet is increasingly used by banks as a channel for receiving instructions and delivering their products and services to their customers. This form of banking is generally referred to as Internet Banking, although the range of products and services offered by different banks vary widely both in their content and sophistication.

    1.1.2 Broadly, the levels of banking services offered through INTERNET can be categorized in to three types: (i) The Basic Level Service is the banks' websites which disseminate information on different products and services offered to customers and members of public in general. It may receive and reply to customers' queries through e-mail, (ii) In the next level are Simple Transactional Websites which allow customers to submit their instructions, applications for different services, queries on their account balances, etc, but do not permit any fund-based transactions on their accounts, (iii) The third level of Internet banking services are offered by Fully Transactional Websites which allow the customers to operate on their accounts for transfer of funds, payment of different bills, subscribing to other products of the bank and to transact purchase and sale of securities, etc. The above forms of Internet banking services are offered by traditional banks, as an additional method of serving the customer or by new banks, who deliver banking services primarily through Internet or other electronic delivery channels as the value added services. Some of these banks are known as virtual banks or Internet-only banks and may not have any physical presence in a country despite offering different banking services.

    1.1.3 From the perspective of banking products and services being offered through Internet, Internet banking is nothing more than traditional banking services delivered through an electronic communication backbone, viz, Internet. But, in the process it has thrown open issues which have ramifications beyond what a new delivery channel would normally envisage and, hence, has compelled regulators world over to take note of this emerging channel. Some of the distinctive features of i-banking are:

    1. It removes the traditional geographical barriers as it could reach out to customers of different countries / legal jurisdiction. This has raised the question of jurisdiction of law / supervisory system to which such transactions should be subjected,

    2. It has added a new dimension to different kinds of risks traditionally associated with banking, heightening some of them and throwing new risk control challenges,

    3. Security of banking transactions, validity of electronic contract, customers' privacy, etc., which have all along been concerns of both bankers and supervisors have assumed different dimensions given that Internet is a public domain, not subject to control by any single authority or group of users,

    4. It poses a strategic risk of loss of business to those banks who do not respond in time, to this new technology, being the efficient and cost effective delivery mechanism of banking services,

    5. A new form of competition has emerged both from the existing players and new players of the market who are not strictly banks.

    1.1.4 The Regulatory and Supervisory concerns in i-banking arise mainly out of the distinctive features outlined above. These concerns can be broadly addressed under three broad categories, viz, (i) Legal and regulatory issues, (ii) Security and technology issues and (iii) Supervisory and operational issues. Legal issues cover those relating to the jurisdiction of law, validity of electronic contract including the question of repudiation, gaps in the legal / regulatory environment for electronic commerce. On the question of jurisdiction the issue is whether to apply the law of the area where access to Internet has been made or where the transaction has finally taken place. Allied to this is the question where the income has been generated and who should tax such income. There are still no definite answers to these issues.

    1.1.5 Security of i-banking transactions is one of the most important areas of concerns to the regulators. Security issues include questions of adopting internationally accepted state-of-the-art minimum technology standards for access control, encryption / decryption (minimum key length etc), firewalls, verification of digital signature, Public Key Infrastructure (PKI) etc. The regulator is equally concerned about the security policy for the banking industry, security awareness and education.

    1.1.6 The supervisory and operational issues include risk control measures, advance warning system, Information technology audit and re-engineering of operational procedures. The regulator would also be concerned with whether the nature of products and services offered are within the regulatory framework and whether the transactions do not camouflage money-laundering operations.

    1.1.7 The Central Bank may have its concern about the impact of Internet banking on its monetary and credit policies. As long as Internet is used only as a medium for delivery of banking services and facilitator of normal payment transactions, perhaps, it may not impact monetary policy. However, when it assumes a stage where private sector initiative produces electronic substitution of money like e-cheque, account based cards and digital coins, its likely impact on monetary system can not be overlooked. Even countries where i-banking has been quite developed, its impact on monetary policy has not been significant. In India, such concern, for the present is not addressed as the Internet banking is still in its formative stage.

    1.1.8 The world over, central bankers and regulators have been addressing themselves to meet the new challenges thrown open by this form of banking. Several studies have pointed to the fact that the cost of delivery of banking service through Internet is several times less than the traditional delivery methods. This alone is enough reason for banks to flock to Internet and to deliver more and more of their services through Internet and as soon as possible. Not adopting this new technology in time has the risk of banks getting edged out of competition. In such a scenario, the thrust of regulatory thinking has been to ensure that while the banks remain efficient and cost effective, they must be aware of the risks involved and have proper built-in safeguards, machinery and systems to manage the emerging risks. It is not enough for banks to have systems in place, but the systems must be constantly upgraded to changing and well-tested technologies, which is a much bigger challenge. The other aspect is to provide conducive regulatory environment for orderly growth of such form of banking. Central Banks of many countries have put in place broad regulatory framework for i-banking.

    1.1.9 In India, too i-banking has taken roots. A number of banks have set up banking portals allowing their customers to access facilities like obtaining information, querying on their accounts, etc. Soon, still higher level of online services will be made available. Other banks will sooner than later, take to Internet banking. The Indian scenario is discussed in detail in Chapter-4 of this report.

    1.2 Constitution of the Working Group

    1.2.1 In the above background Reserve Bank of India constituted a Working Group to examine different issues relating to i-banking and recommend technology, security, legal standards and operational standards keeping in view the international best practices. The Group is headed by the Chief General Manager-in-Charge of the Department of Information Technology and comprised experts from the fields of banking regulation and supervision, commercial banking, law and technology. The Bank also constituted an Operational Group under its Executive Director comprising officers from different disciplines in the bank, who would guide implementation of the recommendations. The composition of both the Groups is at Annexure-2 and Annexure-3.

    1.2.2 Terms of reference

    The Working Group, as its terms of reference, was to examine different aspects of Internet banking from regulatory and supervisory perspective and recommend appropriate standards for adoption in India, particularly with reference to the following:

    1. Risks to the organization and banking system, associated with Internet banking and methods of adopting International best practices for managing such risks.

    2. Identifying gaps in supervisory and legal framework with reference to the existing banking and financial regulations, IT regulations, tax laws, depositor protection, consumer protection, criminal laws, money laundering and other cross border issues and suggesting improvements in them.

    3. Identifying international best practices on operational and internal control issues, and suggesting suitable ways for adopting the same in India.

    4. Recommending minimum technology and security standards, in conformity with international standards and addressing issues like system vulnerability, digital signature, information system audit etc.

    5. Clearing and settlement arrangement for electronic banking and electronic money transfer; linkages between i-banking and e-commerce.

    6. Any other matter, which the Working Group may think as of relevance to Internet banking in India.

    1.3. Approach of the Group:

    1.3.1 The first meeting of the Working Group was held on July 19, 2000. It was decided that members of both Working Group and Operational Group would participate in all meetings and deliberations. The Group, in its first meeting identified the broad parameters within which it would focus its deliberations.

    1.3.2 The Group agreed that Internet banking is a part of the electronic banking (e-banking), the main difference being that in i-banking the delivery channel was Internet, a public domain. Although the concerns of e-banking and i-banking have many things in common, the fact that Internet is a public domain called for additional security measures. It was agreed that the Group would primarily focus its attention on i-banking and to the extent there were commonality between i-banking and e-banking, its recommendation would also apply to e-banking.

    1.3.3 The Group further held that i-banking did not mean any basic change in the nature of banking and the associated risks and returns. All the same, being a public domain and a highly cost effective delivery channel, it does impact both the dimension and magnitude of traditional banking risks. In fact, it adds new kinds of risk to banking. Some of the concerns of the Regulatory Authority in i-banking relate to technology standards including the level of security and uncertainties of legal jurisdiction etc. Its cost effective character provides opportunities for efficient delivery of banking services and higher profitability and a threat to those who fail to harness it.

    1.3.4 The Group decided to focus on above three major areas, where supervisory attention was needed. Accordingly, three sub-groups were formed for looking into three specific areas: (i) technology and security aspects, (ii) legal aspects and (iii) regulatory and supervisory issues. The sub-groups could seek help of external experts in the relevant fields, if needed.

    1.4 Layout of the Report:

    1.4.1 The views of the Group were crystallized after several rounds of deliberations of members of both the Working Group and the Operational Group. The reports prepared by the three sub-groups were discussed and assimilated in to this report. The report is presented in nine chapters. Chapter-1, the introductory chapter, gives the background leading to the formation of the Group, its composition, terms of reference and the approach adopted by the Group in finalizing its recommendations.

    1.4.2 The basic structure of Internet and its characteristics are described in Chapter-2 in order to explain the nature of concerns addressed in the chapters to follow. Also explained in the chapter is the growth of Internet banking and different products and different e-commerce concepts.

    1.4.3 Chapter-3 describes International experience in i-banking, particularly with reference to USA, United Kingdom and other Scandinavian countries, who are pioneers in this form of banking. Chapter-4 looks at the Indian scenario as it prevails now.

    1.4.4 Chapter-5 discusses different types of risks associated with banking in general and i-banking in particular. Emphasis is given on normal risks associated with banking which gets accentuated when the services are delivered through Internet. Risks relating to money laundering and other cross border transactions are discussed.

    1.4.5 Technology and security standards are core concerns for Regulatory Authorities in relation to Internet banking. A separate sub-group looked in to these issues, which are discussed in detail in Chapter-6. Emphasis is given on technology and security standards and policy issues rather than on products and technical tools.

    1.4.6 Another important regulatory concern is the legal environment in which i-banking transactions are carried out. It is of importance to identify gaps in the existing framework and to suggest changes required. The legal sub-group had made a detailed analysis of legal questions involved, which are discussed in Chapter-7.

    1.4.7 Chapter-8 deals with various control measures required to be adopted by banks to manage risks discussed in earlier chapters. Operational aspects like internal control, early detection system, IT audit, technical manpower, etc are also discussed. The impact of i-banking on clearing and settlement arrangements has also been addressed. The sub-group on Regulatory and Supervisory issues had addressed the above questions.

    1.4.8 Chapter-9 contains recommendations of the Working Group. Shri S. H. Bhojani had disagreement with some of the observations / recommendations by the Group and a note of dissent is appended as Annexure-1.

    1.5. Acknowledgement

    1.5.1 The group wishes to acknowledge and put on record its appreciation of support received from various quarters in completing the Report.

    1.5.2 The Central Banks and Regulatory Authorities of different countries and the Bank for International Settlement were approached for papers compiled by them on the subject and for details of regulations already in place. All relevant materials were received from them promptly. The Group gratefully acknowledges their support and cooperation.

    1.5.3 Shri Girish Vaidya of Infosys Technologies Ltd. had made an erudite presentation on Internet Banking to the Group, which was very useful in finalizing this report. The Group gratefully acknowledges his efforts.

    1.5.4 Three sub-groups were formed to focus deliberations on three important aspects of Internet banking. These sub-groups utilized the expertise of professionals / bankers in finalizing their views. The convenors and members of sub-groups worked most diligently to produce reports of very high quality. The Group gratefully thanks them for their efforts. The Group gratefully acknowledges the contributions made by S/Shri G. Subba Rao, Head, Internal Audit, ABN Amro Bank, Shri P. C Narayan, Executive Vice President, Global Trust Bank and Shri Sasidharan Menon, Head, Internal Audit, Deutsche Bank as members of sub-group on Regulatory and Supervisory Issues.

    1.5.5 The Department of Banking Operations and Development provided secretarial service to the Working Group. The Group wishes to put on record its appreciation of efforts put in by the secretarial team consisting of DGMs (Shri SR. Das, Shri Arnab Roy), AGM (Shri Indrajit Roy) and Managers (Shri Chetan N Balwir, Dr. TK Karthykeyan, Shri JP Bansal) in organizing the meetings, arranging the background papers and drafting of the Report.

    1.5.6 The Group wishes to place on record its appreciation of contributions made by all members of the Operational Group who participated in the deliberations and offered their valuable suggestions and guidance.

    1.5.7 The Member-secretary of the Working Group, Shri M. P. Kothari, worked with utmost zeal in ensuring smooth conduct of the entire process right from the inception of the Working Group till the finalization of the Report. The Group gratefully acknowledges his efforts, but for which the Report would not have been completed

    Chapter-2 - Internet Banking - a new medium

    2.1 Internet - its basic structure and topology

    2.1.1 Internet is a vast network of individual computers and computer networks connected to and communicate with each other using the same communication protocol - TCP/IP (Transmission Control Protocol / Internet Protocol). When two or more computers are connected a network is created; connecting two or more networks create inter-network or Internet. The Internet, as commonly understood, is the largest example of such a system. Internet is often and aptly described as Information Superhighway, a means to reach innumerable potential destinations. The destination can be any one of the connected networks and host computers.

    2.1.2 Internet has evolved to its present state out of a US Department of Defence project ARPANet (Advanced Research Project Administration Network), developed in the late 1960s and early 1970s as an experiment in wide area networking. A major perceived advantage of ARPANet was that the network would continue to operate even if a segment of it is lost or destroyed since its operation did not depend on operation of any single computer. Though originally designed as a defence network, over the years it was used predominantly in areas of scientific research and communication. By the 1980s, it moved out of Pentagon's control and more independent networks from US and outside got connected to it. In 1986, the US National Science Foundation (NSF) established a national network based on ARPA protocol using commercial telephone lines for connectivity. The NSFNet was accessible by a much larger scientific community, commercial networks and general users and the number of host computers grew rapidly. Eventually, NSFNet became the framework of today's Internet. ARPANet was officially decommissioned in 1990.

    2.1.3 It has become possible for innumerable computers operating on different platforms to communicate with each other over Internet because they adopt the same communication protocol, viz, TCP/IP. The latter, which stands for Transmission Control Protocol / Internet Protocol, is a set of rules which define how computers communicate with each other. In order to access Internet one must have an account in a host computer, set up by any one of the ISPs (Internet Service Providers). The accounts can be SLIP (Serial Line Internet Protocol) or PPP (Point to Point Protocol) account. These accounts allow creating temporary TCP/IP sessions with the host, thereby allowing the computer to join the Internet and directly establish communication with any other computer in the Internet. Through this type of connection, the client computer does not merely act as a remote terminal of the host, but can run whatever programs are available on the web. It can also run several programs simultaneously, subject to limitations of speed and memory of the client computer and modem. TCP/IP protocol uses a unique addressing scheme through which each computer on the network is identified.

    2.1.4 TCP / IP protocol is insecure because data packets flowing through TCP / IP networks are not normally encrypted. Thus, any one who interrupts communication between two machines will have a clear view of the data, passwords and the like. This has been addressed through Secured Socket Layer (SSL), a Transport Layer Security (TLS) system which involves an encrypted session between the client browser and the web server.

    2.1.5 FTP or File Transfer Protocol is a mechanism for transferring files between computers on the Internet. It is possible to transfer a file to and from a computer (ftp site) without having an account in that machine. Any organization intending to make available to public its documents would normally set up a ftp site from which any one can access the documents for download. Certain ftp sites are available to validated users with an account ID and password.

    2.1.6 e-mail: The most common and basic use of Internet is the exchange of e-mail (electronic mail). It is an extremely powerful and revolutionary result of Internet, which has facilitated almost instantaneous communication with people in any part of the globe. With enhancements like attachment of documents, audio, video and voice mail, this segment of Internet is fast expanding as the most used communication medium for the whole world. Many websites offer e-mail as a free facility to individuals. Many corporates have interfaced their private networks with Internet in order to make their e-mail accessible from outside their corporate network.

    2.1.7 World Wide Web (WWW)

    2.1.7.1 Internet encompasses any electronic communication between computers using TCP/IP protocol, such as e-mail, file transfers etc. WWW is a segment of Internet, which uses Hyper Text Markup Language (HTML) to link together files containing text, rich text, sound, graphics, video etc. and offers a very convenient means of navigating through the net. It uses hypertext transfer protocol (HTTP) for communication between computers. Web documents, which are referred to as pages, can contain links to other related documents and so on, in a tree like structure. The person browsing one document can access any other linked page. The web documents and the web browsers which are the application programs to access them, are designed to be platform independent. Thus any web document can be accessed irrespective of the platform of the computer accessing the document and that of the host computer. The programming capabilities and platform independence of Java and Java applets have further enriched the web. The point and click method of browsing is extremely simple for any lay user of the net. In fact, the introduction of web since early 1990 has made Internet an extremely popular medium and its use in business has been enhanced dramatically.

    2.1.7.2 The next in the HTML genre is the Extensible Markup Language (XML), which allows automated two-way information flow between data stores and browser screens. XML documents provide both the raw content of data and the data structure and is projected by its proponents as taking the web technology beyond the limits of HTML.

    2.1.8 Wireless Application Protocol (WAP):

    WAP is the latest industry standard which provides wireless access to Internet through handheld devices like a cellular telephone. This is an open standard promoted by WAP forum and has been adopted by world's all major handset manufacturers. WAP is supplemented by Wireless Application Environment (WAE), which provides industry wise standard for developing applications and services for wireless communication networks. This is based on WWW technology and provides for application for small screens, with interactive capabilities and adequate security. Wireless Transaction Protocol (WTP), which is the equivalent of TCP, sets the communication rules and Wireless Transport Layer Security (WTLS) provides the required security by encrypting all the session data. WAP is set to revolutionize the commercial use of net.

    2.1.9 Security: One of the biggest attractions of Internet as an electronic medium is its openness and freedom. It is a public domain and there is no restriction on who can use it as long as one adheres to its technical parameters. This has also given rise to concerns over the security of data and information transfer and privacy. These concerns are common to any network including closed user group networks. But over the Internet, the dimensions of risk are larger while the control measures are relatively fewer. These issues are discussed in detail in Chapter-5 and Chapter-6 of the report. It will be sufficient to say here that the key components of such concern are, (i) authentication, viz., assurance of identity of the person in a deal, (ii) authorization, viz., a party doing a transaction is authorized to do so, (iii) the privacy or confidentiality of data, information relating to any deal, (iv) data integrity, viz., assurance that the data has not been altered and (v) non repudiation, viz., a party to the deal can not deny that it originated the communication or data.

    2.2 E-Commerce

    2.2.1 Even though started as network primarily for use by researchers in defence and scientific community, with the introduction of WWW in early 1990s, use of Internet for commerce has grown tremendously. E-commerce involves individuals and business organizations exchanging business information and instructions over electronic media using computers, telephones and other telecommunication equipments. Such form of doing business has been in existence ever since electronic mode of data / information exchange was developed, but its scope was limited only as a medium of exchange of information between entities with a pre-established contractual relationship. However, Internet has changed the approach to e-commerce; it is no longer the same business with an additional channel for information exchange, but one with new strategy and models.

    2.2.2 A business model generally focuses on (i) where the business operates, that is, the market, the competitors and the customers, (ii) what it sells, that is, its products and services (iii) the channels of distribution, that is, the medium for sale and distribution of its products and (iv) the sources of revenue and expenditure and how these are affected. Internet has influenced all the four components of business model and thus has come to influence the business strategy in a profound way. The size of the market has grown enormously as technically, one can access the products and services from any part of the world. So does the potential competition. The methods of reaching out to customers, receiving the response and offering services have a new, simpler and efficient alternative, now, that is, Internet. The cost of advertisement, offer and delivery of services through Internet has reduced considerably, forcing most companies to rework their strategies to remain in competition.

    2.2.3 A research note by Paul Timmers of European Commission had identified eleven business models, which have been commercially implemented. These are e-shop, e-procurement, e-auction, e-mall, Third-party market place, Virtual communities, Value chain service providers, Value chain integrators, Collaboration platforms and Information brokers. He classified business models along two dimensions, i.e, degree of innovation and extent of integration of functions. The innovation ranged from the electronic version of a traditional way of doing business (e-shop) to more innovative ways by offering functions that did not exist before. The second dimension, i.e, extent of integration ranges from a single function business model (like e-shop) to fully integrated functionality (value chain integrator). In the top end of the graph are models, which cannot be implemented in a traditional way and are critically dependent upon information technology and creating value from information flow. Business models, in between these two limits are a combination of both dimensions in different degrees and have some degree of analogy in traditional firms.

    2.2.4 There are two types of e-commerce ventures in operation: the old brick and mortar companies, who have adopted electronic medium, particularly Internet, to enhance their existing products and services, and / or to offer new products and services and the pure e-ventures who have no visible physical presence. This difference has wider ramifications than mere visibility when it comes to issues like customers' trust, brand equity, ability to service the customers, adopting new business culture and cost. These aspects of e-commerce will be touched upon in the following discussions.

    2.2.5 Another way of classifying the e-commerce is by the targeted counterpart of a business, viz, whether the counterpart is a final consumer or another business in the distribution chain. Accordingly, the two broad categories are: Business-to-Consumer (B2C) and Business-to-Business (B2B)

    2.2.6 Business-to-Consumers (B2C)

    2.2.6.1 In the B2C category are included single e-shops, shopping malls, e-broking, e-auction, e-banking, service providers like travel related services, financial services etc., education, entertainment and any other form of business targeted at the final consumer. Some of the features, opportunities and concerns common to this category of business irrespective of the business segment, are the following.

    2.2.6.2 Opportunities:

    2.2.6.2.1 Internet provides an ever-growing market both in terms of number of potential customers and geographical reach. Technological development has made access to Internet both cheaper and faster. More and more people across the globe are accessing the net either through PCs or other devices. The purchasing power and need for quality service of this segment of consumers are considerable. Anybody accessing Internet is a potential customer irrespective of his or her location. Thus, any business targeting final consumers cannot ignore the business potential of Internet.

    2.2.6.2.2 Internet offers a unique opportunity to register business presence in a global market. Its effectiveness in disseminating information about one's business at a relatively cost effective manner is tremendous. Time sensitive information can be updated faster than any other media. A properly designed website can convey a more accurate and focussed image of a product or service than any other media. Use of multimedia capabilities, i.e., sound, picture, movies etc., has made Internet as an ideal medium for information dissemination. However, help of other media is necessary to draw the potential customers to the web site.

    2.2.6.2.3 The quality of service is a key feature of any e-commerce venture. The ability to sell one's product at anytime and anywhere to the satisfaction of customers is essential for e-business to succeed. Internet offers such opportunity, since the business presence is not restricted by time zone and geographical limitations. Replying to customers' queries through e-mail, setting up (Frequently Asked Questions) FAQ pages for anticipated queries, offering interactive help line, accepting customers' complaints online 24 hours a day and attending to the same, etc. are some of the features of e-business which enhance the quality of service to the customers. It is of crucial importance for an e-venture to realize that just as it is easier to approach a customer through Internet, it is equally easy to lose him. The customer has the same facility to move over to another site.


    2.2.6.2.4 Cost is an important issue in an e-venture. It is generally accepted that the cost of overhead, servicing and distribution, etc. through Internet is less compared to the traditional way of doing business. Although the magnitude of difference varies depending on the type of business and the estimates made, there is unanimity that Internet provides a substantial cost advantage and this, in fact, is one of the major driving forces for more traditional businesses adopting e-commerce and for pure e-commerce firms to sprout.

    2.2.6.2.5 Cost of communication through WWW is the least compared to any other medium. Many a time one's presence in the web may bring in international enquiries, which the business might not have targeted. The business should have proper plans to address such opportunities.

    2.2.6.3 Concerns:

    2.2.6.3.1 There are a number of obstacles, which an e-commerce venture needs to overcome. Trust of customers in a web venture is an important concern. Many customers hesitate to deal with a web venture as they are not sure of the type of products and services they will receive. This is particularly true in a B2C venture like e-shop, e-mall or e-auction site. Traditional businesses with well established brands and goodwill and having a physical presence face less resistance from customers in this regard than a pure e-venture.

    2.2.6.3.2 Many B2C ventures have ultimately to deliver a product or service in physical form to the customer for a deal contracted through Internet. This needs proper logistics, an efficient distribution network, and control over quality of product or service delivered. These issues are not technology related and any let off in this area can drive the customer away to the competitor or from e-commerce.

    2.2.6.3.3 The privacy of information on the customer's preferences, credit card and bank account details etc. and customers' faith in a system where such privacy is stated to be ensured are important issues to be addressed. These are mainly technological issues, but the human factor is important both at the business and at the customer's end and also in building the trust in the system.

    2.2.6.3.4 Security of a transaction, authenticity of a deal, identification of a customer etc. are important technological and systems issues, which are major sources of concern to e-commerce. Equally important are questions of repudiation of a deal, applicability of law, jurisdiction of tax laws etc. These are important to all forms of e-commerce, whether B2C or B2B, and all segments of business, i.e., manufacturing, services and finance, and are addressed in different chapters of this report.

    2.2.6.3.5 Accessibility to Internet by the consumers is an important issue in B2C domain. This is particularly so in countries like India where penetration of PCs and other devices to households for access to Internet is minimal. Also important are availability of bandwidth and other infrastructure for faster and easier access. Considering that e-commerce aims at global market, deficiencies of these kinds in the developing world are no longer concerns confined to these areas, but are global e-commerce concerns.

    2.2.7 Business to Business (B2B)

    2.2.7.1 As opposed to B2C e-commerce, in B2B domain, the parties to a deal are at different points of the product supply chain. Typically, in a B2B type domain, a company, its suppliers, dealers and bankers to all the parties are networked to finalize and settle all aspects of a deal, online. Perhaps, only the goods in different stages of processing physically move from the supplier to the dealer. This scenario can be extended to include the shipper, providers of different ancillary services, IT service provider and the payment system gateway, etc., depending on the degree of sophistication of the available systems.

    2.2.7.2 Another important feature of a B2B domain, as distinct from B2C, is that business information / data is integrated to the back office systems of parties to a deal and the state of straight through processing (STP) or near STP is achieved. This is a very significant aspect of B2B model of e-commerce, which results in improved profits through lowering cost and reducing inventories.

    2.2.7.3 For example, in a B2B environment, typically, the back office system of a company controls inventory requirement with reference to the order book position updated regularly on the basis of orders received from dealers through Internet. At the optimum level of inventory it raises a purchase order with the supplier, whose system in turn processes the order and confirms supply. Buyer company's system issues debit instructions on its bank account for payment to the supplier. The buyer's bank credits seller's bank with the cost of sale through a payment gateway or through RTGS system. Similar series of transaction processes are also initiated between the company and its dealers and their respective banks. Once e-commerce relationship is established between the firms, the transactions of the type shown above can be processed with minimal human intervention and on 24 hours a day and 7 days a week basis.

    2.2.7.4 New business models are emerging in B2B domain. There are portals which offer a meeting ground to buyers and sellers of different products in supply chain, more like a buyer-seller meet in international business. This has enabled relatively smaller companies to enter the global market. Banks in the portal offer financial services for deals settled through the portal.

    2.2.7.5 Technology and networking are important constituents of a B2B type of business domain. Earlier, only large firms could have access to such technology and they used private networks with interface to each other for information flow and transaction processing. A major concern used to be compatibility of EDI platforms across different B2B partners. Internet with WWW and other standard technology have offered opportunity to relatively smaller and medium sized firms to integrate their operations in B2B model and take advantage of the benefits it offers. It has also led to standardization of software platforms.

    2.2.7.6 Other new forms of business models in B2B domain are Application Service Providers (ASP) and Service Integrators. ASPs offer application software online to e-commerce companies who pay for the same according to the use without owning it. Often entire back office processing is taken care of by ASPs and other service integrators. However, the utility of such service providers will to a large extent depend on the business strategy of the e-venture.

    2.2.7.7 The concerns of B2B e-commerce are similar to those of B2C, discussed earlier. The security issues are more pronounced because of high value transfers taking place through the net. So also are the issues relating to privacy of information, law, tax, repudiation etc. The other issues of importance to a B2B firm are the choice of appropriate technology, the issue of build or outsource, maintenance and training of personnel, etc., since they involve large investments and are critical to success.

    2.2.7.8 Several studies have attempted to assess the relative importance of B2B and B2C business domains. There is wide difference in estimates of volume of business transacted over Internet and its components under B2C and B2B. However, most studies agree that volume of transactions in B2B domain far exceeds that in B2C. This is the expected result. There is also a growing opinion that the future of e-business lies in B2B domain, as compared to B2C. This has several reasons, some of which are already discussed earlier, like low penetration of PCs to households, low bandwidth availability etc., in a large part of the world. The success of B2C ventures depends to a large extent on the shopping habits of people in different parts of the world. A survey sponsored jointly by Confederation of Indian Industries and Infrastructure Leasing and Financial Services on e-commerce in India in 1999 made the following observations. 62% of PC owners and 75% of PC non-owners but who have access to Internet would not buy through the net, as they were not sure of the product offered. The same study estimated the size of B2B business in India by the year 2001 to be varying between Rs. 250 billion to Rs. 500 billion. In a recent study done by Arthur Andersen, it has been estimated that 84% of total e-business revenue is generated from B2B segment and the growth prospects in this segment are substantial. It has estimated the revenues to be anywhere between US $ 2.7 trillion to over US $ 7 trillion within the next three years (2003).

    2.3 The Growth of Internet Banking and common products:

    2.3.1 Internet Banking (Fig. 1) is a product of e-commerce in the field of banking and financial services. In what can be described as B2C domain for banking industry, Internet Banking offers different online services like balance enquiry, requests for cheque books, recording stop-payment instructions, balance transfer instructions, account opening and other forms of traditional banking services. Mostly, these are traditional services offered through Internet as a new delivery channel. Banks are also offering payment services on behalf of their customers who shop in different e-shops, e-malls etc. Further, different banks have different levels of such services offered, starting from level-1 where only information is disseminated through Internet to level-3 where online transactions are put through. These aspects have been dealt with in brief in the introductory chapter and again detailed products and services are discussed in chapters 3 and 4. Hence, in the following paragraphs I-banking concerns in B2B domain are discussed.

    2.3.2 Considering the volume of business e-commerce, particularly in B2B domain, has been generating, it is natural that banking would position itself in an intermediary role in settling the transactions and offering other trade related services. This is true both in respect of B2C and B2B domains. Besides the traditional role of financial intermediary and settlement agents, banks have also exploited new opportunities offered by Internet in the fields of integrated service providers, payment gateway services, etc. However, the process is still evolving and banks are repositioning themselves based on new emerging e-commerce business models.

    2.3.3 In B2B scenario, a new form of e-commerce market place is emerging where various players in the production and distribution chain are positioning themselves and are achieving a kind of integration in business information flow and processing (STP or near STP) leading to efficiencies in the entire supply chain and across industries. Banks are positioning themselves in such a market in order to be a part of the financial settlements arising out of transactions of this market and providing wholesale financial services. This needs integration of business information flow not only across the players in the supply chain, but with the banks as well.

    2.3.4 With the integration of business information flow and higher degree of transparency, the banks and other financial services institutions have lost some of the information advantage they used to enjoy and factor in to pricing of their products. However, such institutions have the advantage of long standing relationships, goodwill and brand, which are important sources of assurance in a virtual market. Banks are, in fact, converting this goodwill into a business component in e-commerce scenario in providing settlement and other financial services. Some banks have also moved to providing digital certificates for transactions through e-markets.

    2.3.5 Banks' strategies in B2B market are responses to different business models emerging in e-commerce. A recent study by Arthur Andersen shows that banks and financial service institutions generally adopt one of three business models to respond to e-business challenges. In the first place, they treat it as an extension of existing business without any significant changes other than procedural and what technology demands. The second strategy takes the same approach as the first but introduces structural changes to the underlying business. In the third approach banks launch e-business platform as a different business from the existing core business and as a different brand of product. There is no definite answer as to which approach is appropriate. Perhaps it depends on the type of market the bank is operating in, its existing competencies and the legal and regulatory environment. It is, however, sure that e-banking is evolving beyond the traditional limits of banking and many new products / services are likely to emerge as e-commerce matures.

    Chapter-3 - International experience

    3.1 Internet banking has presented regulators and supervisors worldwide with new challenges. The Internet, by its very nature, reaches across borders and is, for this reason, engaging the attention of regulatory and supervisory authorities all over the world. The experience of various countries, as far as Internet banking is concerned, is outlined in this chapter.

    3.2 U.S.A.

    3.2.1 In the USA, the number of thrift institutions and commercial banks with transactional web-sites is 1275 or 12% of all banks and thrifts. Approximately 78% of all commercial banks with more than $5 billion in assets, 43% of banks with $500 million to $5 billion in assets, and 10% of banks under $500 million in assets have transactional web-sites. Of the 1275 thrifts/commercial banks offering transactional Internet banking, 7 could be considered 'virtual banks'. 10 traditional banks have established Internet branches or divisions that operate under a unique brand name. Several new business process and technological advances such as Electronic Bill Presentment and Payment (EBPP), handheld access devices such as Personal Digital Assistants (PDAs), Internet Telephone and Wireless Communication channels and phones are emerging in the US market. A few banks have become Internet Service Providers (ISPs), and banks may become Internet portal sites and online service providers in the near future. Reliance on third party vendors is a common feature of electronic banking ventures of all sizes and degrees of sophistication in the US. Currently, payments made over the Internet are almost exclusively conducted through existing payment instruments and networks. For retail e-commerce in the US, most payments made over the Internet are currently completed with credit cards and are cleared and settled through existing credit card clearing and settlement systems. Efforts are under way to make it easier to use debit cards, cheques and the Automated Clearing House (ACH) to make payments over the Internet. Versions of e-money, smart cards, e-cheques and other innovations are being experimented with to support retail payments over the Internet.

    3.2.2 There is a matrix of legislation and regulations within the US that specifically codifies the use of and rights associated with the Internet and e-commerce in general, and electronic banking and Internet banking activities in particular. Federal and state laws, regulations, and court decisions, and self-regulation among industry groups provide the legal and operational framework for Internet commerce and banking in the USA. The international model laws promulgated by the United Nations Commission on International Trade Law (UNCITRAL) provide the guidance to the member nations on the necessity for revising existing legal structures to accommodate electronic transactions. Some important laws of general application to commercial activity over the Internet within the US are the Uniform Commercial Code (UCC), the Uniform Electronic Transaction Act (UETA) (which provides that electronic documents and contracts should not be disqualified as legal documents particularly because of their electronic form), various state laws and regulations on digital signatures and national encryption standards and export regulations. Many states already have digital signature and other legislation to enable e-commerce. State laws in this area differ but the trend is towards creating legislation which is technology neutral. The E-sign Act, a new US law that took effect on October 1, 2000, validates contracts concluded by electronic signatures and equates them to those signed with ink on paper. Under the Act, electronic signatures using touch-tones (on a telephone), retinal scans and voice recognition are also acceptable ways of entering into agreements. The E-sign Act takes a technology neutral approach and does not favor the use of any particular technology to validate an electronic document. The Act however does not address issues relating to which US state's laws would govern an online transaction and which state's code would have jurisdiction over a dispute.

    3.2.3 The Gramm-Leach-Bliley (GLB) Act has substantially eased restrictions on the ability of banks to provide other financial services. It has established new rules for the protection of consumer financial information. The Inter-agency Statement on Electronic Financial Services and Consumer Compliance (July 1998) addresses consumer protection laws and describes how they can be met in the context of electronic delivery. In addition, the Federal Reserve Board has issued a request for comment on revised proposals that would permit electronic delivery of federally mandated disclosures under the five consumer protection regulations of the FRB (Regulations B, DD, E, M & Z).

    3.2.4 The Interpretive Ruling of the Office of the Comptroller of Currency (OCC) authorizes a national bank to perform, provide or deliver through electronic means and facilities any activity, function, product or service that it is otherwise authorized to perform, provide or deliver. The concerns of the Federal Reserve are limited to ensuring that Internet banking and other electronic banking services are implemented with proper attention to security, the safety and soundness of the bank, and the protection of the bank's customers. Currently, all banks, whether they are 'Internet only' or traditional banks, must apply for a charter according to existing guidelines. The five federal agencies - Federal Deposit Insurance Corporation (FDIC), Federal Reserve System (FRS), Office of the Comptroller of Currency (OCC), Office of Thrift Supervision (OTS) and the National Credit Union Association (NCUA) - supervise more than 20,000 institutions. In addition, each state has a supervisory agency for the banks that it charters. Most financial institutions in the US face no prerequisite conditions or notification requirements for an existing banking institution to begin electronic banking activities. For these banks, supervisors gather information on electronic banking during routine annual examination. Newly chartered Internet banks are subject to the standard chartering procedures. For thrift institutions, however, OTS has instituted a 30-day advance notification requirement for thrift institutions that plan to establish a transactional web site. A few State banking departments have instituted a similar notification requirement for transactional Internet banking web sites.

    3.2.5 Supervisory policy, licensing, legal requirements and consumer protection are generally similar for electronic banking and traditional banking activities. Internet banks are also subject to the same rules, regulations and policy statements as traditional banks. However, in response to the risks posed by electronic banking, federal banking agencies have begun to issue supervisory guidelines and examination procedures for examiners who review and inspect electronic banking applications. Although specialized banking procedures are used in some areas of Internet banking activities, the existing information technology examination framework that addresses access controls, information security, business recovery and other risk areas generally continues to be applicable. To assist supervisors in monitoring the expansion of Internet banking, state chartered and national banks have been required since June 1999 to report their websites' Uniform Resource Locators (URL) in the Quarterly Reports of Financial Condition that are submitted to supervisors. In addition, examiners review the potential for reputational risk associated with web-site information or activities, the potential impact of various Internet strategies on an institution's financial condition, and the need to monitor and manage outsourcing relationships. To address these risks, the OCC is developing specific guidance for establishing 'Internet only' banks within the US. The Banking Industry Technology Secretariat recently announced the formation of a security lab to test and validate the security of software and hardware used by banking organizations. If a bank is relying on a third party provider, it is accepted that it should be able to understand the provider's information security programme to effectively evaluate the security system's ability to protect bank and customer data. Examination of service providers' operations, where necessary, is conducted by one or more Federal banking agencies pursuant to the Bank Services Company Act, solely to support supervision of banking organizations.

    3.2.6 The Federal Financial Institutions Examination Council (FFIEC) introduced the Information Systems (IS) rating system to be used by federal and state regulators to assess uniformly financial and service provider risks introduced by information technology and to identify those institutions and service providers requiring special supervisor attention. The FFIEC has recently renamed the system as Uniform Rating System for IT (URSIT), which has enhanced the audit function. The importance of risk management procedure has been reinforced under the revised system.

    3.2.7 Some characteristics of e-money products such as their relative lack of physical bulk, their potential anonymity and the possibility of effecting fast and remote transfers make them more susceptible than traditional systems to money laundering activities. The OCC guidelines lay down an effective 'know your customer' policy. Federal financial institutions, regulators, Society for Worldwide Interbank Financial Telecommunications (SWIFT) and Clearing House Interbank Payment System (CHIPS) have issued statements encouraging participants to include information on originators and beneficiaries.

    3.3 U.K.

    3.3.1 Most banks in U.K. are offering transactional services through a wider range of channels including Wireless Application Protocol (WAP), mobile phone and T.V. A number of non-banks have approached the Financial Services Authority (FSA) about charters for virtual banks or 'clicks and mortar' operations. There is a move towards banks establishing portals.

    3.3.2 The Financial Services Authority (FSA) is neutral on regulations of electronic banks. The current legislation, viz. the Banking Act 1987 and the Building Societies Act, provides it with the necessary powers and the current range of supervisory tools. A new legislation, the Financial Services and Markets Bill, offers a significant addition in the form of an objective requiring the FSA to promote public understanding of the financial system. There is, therefore, no special regime for electronic banks. A draft Electronic Banking Guidance for supervisors has, however, been developed. A guide to Bank Policy has also been published by the FSA which is technology neutral, but specifically covers outsourcing and fraud. The FSA also maintains bilateral discussions with other national supervisors and monitors developments in the European Union (EU) including discussions by the Banking Advisory Committee and Groupe de Contact. New legislation on money laundering has been proposed and both the British Bankers Association and the FSA have issued guidance papers in this regard.


    3.3.3 The FSA is actively involved in the Basle Committee e-banking group which has identified authorization, prudential standards, transparency, privacy, money laundering and cross border provision as issues where there is need for further work. The FSA has also been supporting the efforts of the G7 Financial Stability Forum, which is exploring common standards for financial market, which is particularly relevant to the Internet, which reaches across all borders.

    3.3.4 The Financial Services and Markets Bill will replace current powers under the 1987 Banking Act, giving the FSA statutory authority for consumer protection and promotion of consumer awareness. Consumer compliance is required to be ensured via desk based and on site supervision. The FSA has an Authorization and Enforcement Division, which sees if web sites referred to them are in violation of U.K. laws.

    3.3.5 The FSA has issued guidelines on advertising in U.K. by banks for deposits, investments and other securities, which apply to Internet banking also. The guidelines include an Appendix on Internet banking. The FSA's supervisory policy and powers in relation to breaches in the advertising code (viz. invitation by any authorized person to take a deposit within U.K., fraudulent inducements to make a deposit, illegal use of banking names and descriptions, etc.) are the same for Internet banking as they are for conventional banking. The FSA does not regard a bank authorized overseas, which is targeting potential depositors in its home market or in third countries, as falling within U.K. regulatory requirements solely by reason of its web site being accessible to Internet users within the U.K., as the advertisements are not aimed at potential U.K. depositors.

    3.4 Scandinavia

    3.4.1 Swedish and Finnish markets lead the world in terms of Internet penetration and the range and quality of their online services. Merita Nordbanken (MNB) (now Nordic Bank Holding, a merger between Finland's Merita and Nordbanken of Sweden) leads in log-ins per month with 1.2 million Internet customers, and its penetration rate in Finland (around 45%) is among the highest in the world for a bank of 'brick and mortar' origin. Skandinaviska Enskilda Banken (SEB) was Sweden's first Internet bank, having gone on-line in December 1996. It has 1,000 corporate clients for its Trading Station, an Internet based trading mechanism for forex dealing, stock-index futures and Swedish treasury bills and government bonds. Swedbank is another large-sized Internet bank. Almost all of the approximately 150 banks operating in Norway had established net banks. In Denmark, the Internet banking service of Den Danske offers funds transfers, bill payments, etc.

    3.4.2 The basic on-line activity is paying bills. Swedbank was the first bank in the world to introduce Electronic Bill Presentment and Payment (EBPP) and now handles 2 million bill payments a month. E-shopping is another major Internet banking service. MNB has an on-line mall of more than 900 shops, which accepts its 'Solo' payment system. Swedbank has a similar system called 'Direct'. Besides using advanced encryption technology, the Scandinavian banks have adopted a basic but effective system known as 'challenge response' logic, which involves a list of code numbers sent to every online client and used in sequence, in combination with their password or PIN. This gives each transaction a unique code, and has so far proved safe. Some banks use even more sophisticated versions of the same technique. It is not a common practice to use third party vendors for services.

    3.4.3 In Sweden, no formal guidance has been given to examiners by the Sverigesbank on e-banking. General guidelines apply equally to Internet banking activities. Contractual regularization between customers and the bank is a concern for regulators and is being looked into by the authorities.

    3.4.4 The role of the Bank of Finland (Suomen Pankki) has been, as part of general oversight of financial markets in Finland, mainly to monitor the ongoing development of Internet banking without active participation. Numerous issues concerning Internet banking have, however, been examined by the Bank of Finland.

    3.4.5 All Internet banking operating from a Norwegian platform is subject to all regular banking regulations, just as any other bank. As part of the standard regulation, there is also a specific regulation on the banks' use of IT. This regulation dates from 1992 when Internet banking was not the main issue, but it covers all IT systems, including Internet banking. The regulation ensures that banks' purchase, development, use and phase out of IT systems is conducted in a safe and controlled manner. An Act relating to Payment systems defines payment systems as those which are based on standardized terms for transfer of funds from or between customer accounts in banks/financial undertakings when the transfer is based on use of payment cards, numeric codes or any other form of independent user identification. Internet banking is covered by this regulation. The Banking, Insurance and Securities Commission may order implementation of measures to remedy the situation if there is a violation of provisions.

    3.4.6 In addition to their national laws, countries in Europe are also expected to implement European Union (EU) directives. In 1995, the EU passed a Europe-wide Data Protection Directive aimed at granting individuals greater protection from abuses of their personal information. It also passed the Telecommunications Directive that prescribes special protection in relation to telephones, digital TVs, mobile communications, etc. Every EU country is to have a privacy commissioner to enforce the regulations as they apply within the EU. The EU directive on electronic signature is also required to be implemented in national laws.
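    The code-list scheme described in paragraph 3.4.2 (a list of code numbers used in sequence together with the PIN) can be checked on the bank side as in the following sketch. This is an added example, not code from the report or from any bank; the class name, the six-digit code length and the three-failure lockout are assumptions made for illustration.

```python
"""Sequential one-time code list verified together with a PIN (added example)."""
import hashlib
import hmac
import secrets


class CodeListVerifier:
    """Bank-side state for one customer: a PIN plus an ordered list of one-time codes."""

    def __init__(self, pin, list_size=5, max_failures=3):
        self._key = secrets.token_bytes(32)    # per-customer secret used to MAC the codes
        self._salt = secrets.token_bytes(16)   # salt for the stored PIN hash
        self._pin_hash = self._hash_pin(pin)
        self._code_macs = []                   # MACs of the issued codes, in order
        self._next = 0                         # index of the only code accepted next
        self._failures = 0
        self._max_failures = max_failures      # assumption: lock after this many misses
        self._list_size = list_size

    def _hash_pin(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def _mac(self, index, code):
        # Binding the position into the MAC means a code is valid only in its own slot.
        msg = f"{index}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue_list(self):
        """Create a fresh list; keep only MACs, return the plaintext codes for delivery."""
        codes = []
        while len(codes) < self._list_size:
            candidate = f"{secrets.randbelow(10**6):06d}"
            if candidate not in codes:         # no repeated value within one list
                codes.append(candidate)
        self._code_macs = [self._mac(i, c) for i, c in enumerate(codes)]
        self._next = 0
        self._failures = 0
        return codes

    def authorize(self, pin, code):
        """Return 'ok', 'denied', 'locked' or 'exhausted' for one transaction attempt."""
        if self._failures >= self._max_failures:
            return "locked"
        if self._next >= len(self._code_macs):
            return "exhausted"                 # customer needs a new list
        # Evaluate both factors before branching so the reply does not reveal which failed.
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self._pin_hash)
        code_ok = hmac.compare_digest(self._mac(self._next, code),
                                      self._code_macs[self._next])
        if pin_ok and code_ok:
            self._next += 1                    # the code is consumed and never accepted again
            self._failures = 0
            return "ok"
        self._failures += 1
        return "denied"


def demo():
    """Constructed walk-through: valid use, replay, out-of-sequence use, lockout."""
    v = CodeListVerifier(pin="4821", list_size=3)
    codes = v.issue_list()
    results = [
        v.authorize("4821", codes[0]),   # first code with correct PIN
        v.authorize("4821", codes[0]),   # replay of a consumed code
        v.authorize("4821", codes[2]),   # code used out of sequence
        v.authorize("4821", codes[1]),   # correct next code resets the failure count
    ]
    for _ in range(3):
        results.append(v.authorize("0000", codes[2]))   # wrong PIN, valid code
    results.append(v.authorize("4821", codes[2]))       # account is now locked
    return results


if __name__ == "__main__":
    print(demo())
```

    A captured PIN and code pair is useless for a second transaction because the pointer has already advanced, which is the property the paragraph refers to as each transaction having a unique code.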


    3.5 Other Countries

    3.5.1 Australia:

    3.5.1.1 Internet Banking in Australia is offered in two forms: web-based and through the provision of proprietary software. Initial web-based products have focused on personal banking whereas the provision of proprietary software has been targeted at the business/corporate sector. Most Australian-owned banks and some foreign subsidiaries of banks have transactional or interactive web-sites. Online banking services range from FIs' websites providing information on financial products to enabling account management and financial transactions. Customer services offered online include account monitoring (electronic statements, real-time account balances), account management (bill payments, funds transfers, applying for products on-line) and financial transactions (securities trading, foreign currency transactions). Electronic Bill Presentment and Payment (EBPP) is at an early stage. Features offered in proprietary software products (enabling business and corporation customers to connect to the financial institutions via dial-up/leased line/extranet) include account reporting, improved reconciliation, direct payments, payroll functionality and funds transfer between accounts held at their own or other banks. Apart from closed payment systems (involving a single payment-provider), Internet banking and e-commerce transactions in Australia are conducted using long-standing payment instruments and are cleared and settled through existing clearing and settlement system. Banks rely on third party vendors or are involved with outside providers for a range of products and services including e-banking. Generally, there are no virtual banks licensed to operate in Australia.

    3.5.1.2 The Electronic Transactions Act, 1999 provides certainty about the legal status of electronic transactions and allows for Australians to use the Internet to provide Commonwealth Departments and agencies with documents which have the same legal status as traditional paperwork. The Australian Securities and Investments Commission (ASIC) is the Australian regulator with responsibility for consumer aspects of banking, insurance and superannuation and as such, it is responsible for developing policy on consumer protection issues relating to the Internet and e-commerce. ASIC currently has a draft proposal to expand the existing Electronic Funds Transfer Code of Conduct (a voluntary code that deals with transactions initiated using a card and a PIN) to cover all forms of consumer technologies, including stored value cards and other new electronic payment products. Australia's anti-money laundering regulator is the Australian Transaction Reports and Analysis Centre (AUSTRAC).

    3.5.1.3 Responsibility for prudential supervisory matters lies with the Australian Prudential Regulation Authority (APRA). APRA does not have any Internet


    specific legislation, regulations or policy, and banks are expected to comply with the established legislation and prudential standards. APRA's approach to the supervision of e-commerce activities, like the products and services themselves, is at an early stage and is still evolving. APRA's approach is to visit institutions to discuss their Internet banking initiatives. However, APRA is undertaking a survey of e-commerce activities of all regulated financial institutions. The growing reliance on third party or outside providers of e-banking is an area on which APRA is increasingly focusing.

    3.5.2 New Zealand:

    3.5.2.1 Major banks offer Internet banking service to customers, operated as a division of the bank rather than as a separate legal entity.

    3.5.2.2 Reserve Bank of New Zealand applies the same approach to the regulation of both Internet banking activities and traditional banking activities. There are, however, banking supervision regulations that apply only to Internet banking. Supervision is based on public disclosure of information rather than application of detailed prudential rules. These disclosure rules apply to Internet banking activity also.

    3.5.3 Singapore:

    3.5.3.1 The Monetary Authority of Singapore (MAS) has reviewed its current framework for licensing, and for prudential regulation and supervision of banks, to ensure its relevance in the light of developments in Internet banking, either as an additional channel or in the form of a specialized division, or as stand-alone entities (Internet Only Banks), owned either by existing banks or by new players entering the banking industry. The existing policy of MAS already allows all banks licensed in Singapore to use the Internet to provide banking services. MAS is subjecting Internet banking, including IOBs, to the same prudential standards as traditional banking. It will be granting new licences to banking groups incorporated in Singapore to set up bank subsidiaries if they wish to pursue new business models and give them flexibility to decide whether to engage in Internet banking through a subsidiary or within the bank (where no additional licence is required). MAS also will be admitting branches of foreign incorporated IOBs within the existing framework of admission of foreign banks.

    3.5.3.2 As certain types of risk are accentuated in Internet banking, a risk-based supervisory approach, tailored to individual banks' circumstances and strategies, is considered more appropriate by MAS than one-size-fits-all regulation. MAS requires public disclosures of such undertakings, as part of its requirement for all banks and enhance disclosure of their risk management systems. It is issuing a consultative document on Internet banking security and technology risk management. In their risk management initiatives for Internet banking relating to security and technology related risks, banks should (a)


    implement appropriate workflow, authenticated process and control procedures surrounding physical and system access, (b) develop, test, implement and maintain disaster recovery and business contingency plans, (c) appoint an independent third party specialist to assess its security and operations, (d) clearly communicate to customers their policies with reference to rights and responsibilities of the bank and customer, particularly issues arising from errors in security systems and related procedures. For liquidity risk, banks, especially IOBs, should establish robust liquidity contingency plans and appropriate Asset-Liability Management systems. As regards operational risk, banks should carefully manage outsourcing of operations, and maintain comprehensive audit trails of all such operations. As far as business risk is concerned, IOBs should maintain and continually update a detailed system of performance measurement.

    3.5.3.3 MAS encourages financial institutions and industry associations such as the Association of Banks in Singapore (ABS) to play a proactive role in educating consumers on benefits and risks on new financial products and services offered by banks, including Internet banking services.

    3.5.4 Hong Kong:

    3.5.4.1 There has been a spate of activity in Internet banking in Hong Kong. Two virtual banks are being planned. It is estimated that almost 15% of transactions are processed on the Internet. During the first quarter of 2000, seven banks have begun Internet services. Banks are participating in strategic alliances for e-commerce ventures and are forming alliances for Internet banking services delivered through Jetco (a bank consortium operating an ATM network in Hong Kong). A few banks have launched transactional mobile phone banking earlier for retail customers.

    3.5.4.2 The Hong Kong Monetary Authority (HKMA) requires that banks must discuss their business plans and risk management measures before launching a transactional website. HKMA has the right to carry out inspections of security controls and obtain reports from the home supervisor, external auditors or experts commissioned to produce reports. HKMA is developing specific guidance on information security with the guiding principle that security should be fit for purpose. HKMA requires that risks in Internet banking system should be properly controlled. The onus of maintaining adequate systems of control including those in respect of Internet banking ultimately lies with the institution itself. Under the Seventh Schedule to the Banking Ordinance, one of the authorization criteria is the requirement to maintain adequate accounting system and adequate systems control. Banks should continue to acquire state-of-the-art technologies and to keep pace with developments in security measures. The HKMA's supervisory approach is to hold discussions with individual institutions who wish to embark on Internet banking to allow them to demonstrate how they have properly addressed the security systems before starting


    to provide such services, particularly in respect of the following: (i) encryption by industry proven techniques of data accessible by outsiders, (ii) preventive measures for unauthorized access to the bank's internal computer systems, (iii) set of comprehensive security policies and procedures, (iv) reporting to HKMA all security incidents and adequacy of security measures on a timely basis. At present, it has not been considered necessary to codify security objectives and requirements into a guideline. The general security objectives for institutions intending to offer Internet banking services should have been considered and addressed by such institutions.

    3.5.4.3 HKMA has issued guidelines on Authorization of Virtual Banks under Section 16(10) of the Banking Ordinance under which:

    (i) the HKMA will not object to the establishment of virtual banks in Hong Kong provided they can satisfy the same prudential criteria that apply to conventional banks;

    (ii) a virtual bank which wishes to carry on banking business in Hong Kong must maintain a physical presence in Hong Kong;

    (iii) a virtual bank must maintain a level of security which is appropriate to the type of business which it intends to carry out. A copy of report on security of computer hardware, systems, procedures, controls etc. from a qualified independent expert should be provided to the HKMA at the time of application;

    (iv) a virtual bank must put in place appropriate policies, procedures and controls to meet the risks involved in the business;

    (v) the virtual bank must set out clearly in the terms and conditions for its service what are the rights and obligations of its customers;

    (vi) outsourcing by virtual banks to a third party service provider is allowed, provided HKMA's guidelines on outsourcing are complied with.

    There are principles applicable to locally incorporated virtual banks and those applicable to overseas-incorporated virtual banks.

    3.5.4.4 Consumer protection laws in Hong Kong do not apply specifically to e-banking but banks are expected to ensure that their e-services comply with the relevant laws. The Code of Banking Practice is being reviewed to incorporate safeguards for customers of e-banking.

    3.5.4.5 Advertising for taking deposits to a location outside Hong Kong is a violation unless disclosure requirements are met. Consideration is being given as to whether this is not too onerous in the context of the global nature of the Internet.

    3.5.4.6 Recognising the relevance of Public Key Infrastructure (PKI) in Hong Kong to the development of Internet banking and other forms of e-commerce, the government of Hong Kong has invited the Hong Kong Postal Authority to serve as public Certificate Authority (CA) and to establish the necessary PKI infrastructure. There is no bar, however, on the private sector setting up CAs to serve the specific needs of individual networks. There should be cross-references and mutual recognition of digital signatures among CAs. The Government is also considering whether and, if so, how the legal framework should


    be strengthened to provide firm legal basis for electronic transactions (particularly for digital signatures to ensure non-repudiation of electronic messages and transactions).

    3.5.5 Japan:

    3.5.5.1 Banks in Japan are increasingly focusing on e-banking transactions with customers. Internet banking is an important part of their strategy. While some banks provide services such as inquiry, settlement, purchase of financial products and loan application, others are looking at setting up finance portals with non-finance business corporations. Most banks use outside vendors in addition to in-house services.

    3.5.5.2 The current regulations of the Bank of Japan on physical presence of bank branches are undergoing modifications to take care of licensing of banks and their branches with no physical presence. The Report of the Electronic Financial Services Study Group (EFSSG) has made recommendations regarding the supervision and regulation of electronic financial services. Financial institutions are required to take sufficient measures for risk management of service providers and the authorities are required to verify that such measures have been taken. Providing information about non-financial businesses on a bank web site is not a violation as long as it does not constitute a business itself.

    3.5.5.3 With respect to consumer protection it is felt that guidance and not regulations should encourage voluntary efforts of individual institutions in this area. Protection of private information, however, is becoming a burning issue in Japan both within and outside the field of e-banking. Japanese banks are currently requested to place disclosure publications in their offices (branches) by the law. However, Internet Only banks are finding it difficult to satisfy this requirement. The Report of the EFSSG recommends that financial service providers that operate transactional website should practice online disclosure through electronic means at the same timing and of equivalent contents as paper based disclosure. They should also explain the risks and give customers a fair chance to ask queries. The Government of Japan intends to introduce comprehensive Data Protection Legislation in the near future.

    3.5.5.4 There are no restrictions or requirements on the use of cryptography. The Ministry of International Trade and Industry (MITI)'s approval is required to report encryption technology.

    3.6 Conclusion

    World over, electronic banking is making rapid strides due to evolving communication technology. Penetration of Internet banking is increasing in most countries. Wireless Application Protocol (WAP) is an emerging service which banks worldwide are also


    offering. The stiff competition in this area exposes banks to substantial risks. The need is being felt overseas that transparency and disclosure requirements should be met by the e-banking community. While existing regulations and legislations applicable to traditional banking are being extended to banks' Internet banking and electronic banking services, it is recognized that Internet security, customer authentication and other issues such as technology outsourcing pose unique risks. Central Banks worldwide are addressing such issues with focused attention. Special legislations and regulations are being framed by the regulators and supervisors for proper management of the different types of risks posed by these services. The reliance on outsourcing is an area where overseas regulators and supervisors are focusing their attention, with banks having to regularly review and test business continuity, recovery and incident response plans in order to maintain their reputation of trust. Consumer protection and data privacy are areas which assume great significance when banking transactions are carried over a medium as insecure as the Internet. Many countries are looking at special consumer protection/data privacy legislation for an e-commerce environment. The presence of virtual banks or Internet only banks and the licensing requirements required for such entities are also areas which are being looked into by overseas authorities. There has also been co-operation among the regulators and supervisors to meet the challenges of virtual cross border e-banking, particularly in the light of the possibility of increased money laundering activities through the medium of Internet. Internet banking is universally seen as a welcome development, and efforts are being made to put in place systems to manage and control the risks involved without restricting this service.

    Chapter 4 - The Indian Scenario

    4.1 The entry of Indian banks into Net Banking

    4.1.1 Internet banking, both as a medium of delivery of banking services and as a strategic tool for business development, has gained wide acceptance internationally and is fast catching up in India with more and more banks entering the fray. India can be said to be on the threshold of a major banking revolution with net banking having already been unveiled. A recent questionnaire to which 46 banks responded has revealed that at present, 11 banks in India are providing Internet banking services at different levels, 22 banks propose to offer Internet banking in near future while the remaining 13 banks have no immediate plans to offer such facility.

    4.1.2 At present, the total Internet users in the country are estimated at 9 lakh. However, this is expected to grow exponentially to 90 lakh by 2003. Only about 1% of Internet users did banking online in 1998. This increased to 16.7% in March 2000.* The growth potential is, therefore, immense. Further incentives provided by banks would dissuade customers from visiting physical branches, and


    thus get hooked to the convenience of arm-chair banking. The facility of accessing their accounts from anywhere in the world by using a home computer with Internet connection is particularly fascinating to Non-Resident Indians and High Networth Individuals having multiple bank accounts.

    4.1.3 Costs of banking service through the Internet form a fraction of costs through conventional methods. Rough estimates assume teller cost at Re.1 per transaction, ATM transaction cost at 45 paise, phone banking at 35 paise, debit cards at 20 paise and Internet banking at 10 paise per transaction. The cost-conscious banks in the country have therefore actively considered use of the Internet as a channel for providing services. Fully computerized banks, with better management of their customer base, are in a stronger position to cross-sell their products through this channel.

    * Source: India Research, May 29, 2000, Kotak Securities

    4.2 Products and services offered

    4.2.1 Banks in India are at different stages of the web-enabled banking cycle. Initially, a bank, which is not having a web site, allows its customer to communicate with it through an e-mail address; communication is limited to a small number of branches and offices which have access to this e-mail account. As yet, many scheduled commercial banks in India are still in the first stage of Internet banking operations.

    4.2.2 With gradual adoption of Information Technology, the bank puts up a web-site that provides general information on the bank, its location, services available e.g. loan and deposits products, application forms for downloading and e-mail option for enquiries and feedback. It is largely a marketing or advertising tool. For example, Vijaya Bank provides information on its web-site about its NRI and other services. Customers are required to fill in applications on the Net and can later receive loans or other products requested for at their local branch. A few banks allow the customer to enquire into his demat account (securities/shares) holding details, transaction details and status of instructions given by him. These web sites still do not allow online transactions for their customers.

    4.2.3 Some of the banks permit customers to interact with them and transact electronically with them. Such services include request for opening of accounts, requisition for cheque books, stop payment of cheques, viewing and printing statements of accounts, movement of funds between accounts within the same bank, querying on status of requests, instructions for opening of Letters of Credit and Bank Guarantees etc. These services are being initiated by banks like ICICI Bank Ltd., HDFC Bank Ltd., Citibank, Global Trust Bank Ltd., UTI Bank Ltd., Bank of


    Madura Ltd., Federal Bank Ltd. etc. Recent entrants in Internet banking are Allahabad Bank (for its corporate customers through its Allnet service) and Bank of Punjab Ltd. State Bank of India has announced that it will be providing such services soon. Certain banks like ICICI Bank Ltd. have gone a step further within the transactional stage of Internet banking by allowing transfer of funds by an account holder to any other account holder of the bank.

    4.2.4 Some of the more aggressive players in this area such as ICICI Bank Ltd., HDFC Bank Ltd., UTI Bank Ltd., Citibank, Global Trust Bank Ltd. and Bank of Punjab Ltd. offer the facility of receipt, review and payment of bills on-line. These banks have tied up with a number of utility companies. The Infinity service of ICICI Bank Ltd. also allows online real time shopping mall payments to be made by customers. HDFC Bank Ltd. has made e-shopping online and real time with the launch of its payment gateway. It has tied up with a number of portals to offer business-to-consumer (B2C) e-commerce transactions. The first online real time e-commerce credit card transaction in the country was carried out on the Easy3shoppe.com shopping mall, enabled by HDFC Bank Ltd. on a VISA card.

    4.2.5 Banks like ICICI Bank Ltd., HDFC Bank Ltd. etc. are thus looking to position themselves as one stop financial shops. These banks have tied up with computer training companies, computer manufacturers, Internet Services Providers and portals for expanding their Net banking services, and widening their customer base. ICICI Bank Ltd. has set up a web based joint venture for on-line distribution of its retail banking products and services on the Internet, in collaboration with Satyam Infoway, a private ISP, through a portal named as icicisify.com. The customer base of www.satyamonline.com portal is also available to the bank. Setting up of Internet kiosks and permeation through the cable television route to widen customer base are other priority areas in the agendas of the more aggressive players. Centurion Bank Ltd. has taken up equity stake in the teauction.com portal, which aims to bring together buyers, sellers, registered brokers, suppliers and associations in the tea market and substitute their physical presence at the auctions announced.

    4.2.6 Banks providing Internet banking services have been entering into agreements with their customers setting out the terms and conditions of the services. The terms and conditions include information on the access through user-id and secret password, minimum balance and charges, authority to the bank for carrying out transactions performed through the service, liability of the user and the bank, disclosure of personal information for statistical analysis and credit scoring also, non-transferability of the facility, notices and termination, etc.

    4.2.7 The race for market supremacy is compelling banks in India to adopt the latest technology on the Internet in a bid to capture new markets and


    customers. HDFC Bank Ltd. with its Freedom - the e-Age Saving Account Service, Citibank with Suvidha and ICICI Bank Ltd. with its Mobile Commerce service have tied up with cellphone operators to offer Mobile Banking to their customers. Global Trust Bank Ltd. has also announced that it has tied up with cellular operators to launch mobile banking services. Under Mobile Banking services, customers can scan their accounts to seek balance and payments status or instruct banks to issue cheques, pay bills or deliver statements of accounts. It is estimated that by 2003, cellular phones will have become the premier Internet access device, outselling personal computers. Mobile banking will further minimise the need to visit a bank branch.

    4.3 The Future Scenario

    4.3.1 Compared to banks abroad, Indian banks offering online services still have a long way to go. For online banking to reach a critical mass, there has to be sufficient number of users and sufficient infrastructure in place. The Infinity product of ICICI Bank Ltd. gets only about 30,000 hits per month, with around 3,000 transactions taking place on the Net per month through this service. Though various security options like line encryption, branch connection encryption, firewalls, digital certificates, automatic sign-offs, random pop-ups and disaster recovery sites are in place or are being looked at, there is as yet no Certification Authority in India offering Public Key Infrastructure which is absolutely necessary for online banking. The customer can only be assured of a secured conduit for its online activities if an authority certifying digital signatures is in place. The communication bandwidth available today in India is also not enough to meet the needs of high priority services like online banking and trading. Banks offering online facilities need to have an effective disaster recovery plan along with comprehensive risk management measures. Banks offering online facilities also need to calculate their downtime losses, because even a few minutes of downtime in a week could mean substantial losses. Some banks even today do not have uninterrupted power supply unit or systems to take care of prolonged power breakdown. Proper encryption of data and effective use of passwords are also matters that leave a lot to be desired. Systems and processes have to be put in place to ensure that errors do not take place.

    4.3.2 Users of Internet Banking Services are required to fill up the application forms online and send a copy of the same by mail or fax to the bank. A contractual agreement is entered into by the customer with the bank for using the Internet banking services. In this way, personal data in the applications forms is being he