From paper to passwords
Physical access to branches and vaults is still monitored by specialised security agencies, while ATMs, which are largely unmanned, are secured through smart cards or magnetic stripe cards that can double up as your ATM/debit card. Cash-carrying vans are now wired with a variety of sensors that employ biometric techniques for identification through fingerprint, whole palm or retina scans. The movement of these vans can be tracked through satellites.
The area of information security is far more challenging. The physical ledger has now been replaced by a relational database management system. Your bank balance is merely an entry in a database. In addition, old standalone MIS/EDP software applications are giving way to core-banking applications. The product specialist is no longer an end-user of the IT systems of a bank; the customer now accesses banking systems through a variety of electronic channels, including the Web and the mobile phone.
This raises four issues: authentication, authorisation, data integrity and non-repudiation. Banks typically use a username-password combination to manage the authentication process for retail users and more sophisticated encryption-based mechanisms for corporate customers. Internet bank customers, on their part, must check the validity of the digital certificate assigned to the Web server of the bank. In order to authorise transactions such as fund transfer over the Web, banks usually require additional passwords. For additional security, some banks distribute pager-like devices that are synchronised to their Web infrastructure. They generate temporary security codes that need to be keyed in on the authorisation Web page.
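How a synchronised token and the bank's server can arrive at the same temporary code, as an added example that is not part of the original article. It assumes the open TOTP scheme (RFC 6238) with a 30-second step and 6-digit codes, because the article does not name the algorithm the banks' devices use; the function and class names are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds each code stays valid (assumed value)
DIGITS = 6     # length of the displayed code (assumed value)

def code_for(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) code for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def device_code(secret: bytes, device_clock: float) -> str:
    """What the customer's token displays at its own clock reading."""
    return code_for(secret, int(device_clock // STEP))

class Authoriser:
    """Server side of the authorisation page for one customer."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window        # time steps of clock drift tolerated
        self.last_used = -1         # highest counter already accepted

    def verify(self, submitted: str, server_clock: float) -> bool:
        now = int(server_clock // STEP)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_used:
                continue            # code already spent: reject replays
            if hmac.compare_digest(code_for(self.secret, counter), submitted):
                self.last_used = counter
                return True
        return False

if __name__ == "__main__":
    secret = b"12345678901234567890"         # constructed sample (RFC 6238 test key)
    bank = Authoriser(secret)
    code = device_code(secret, 1111111109)   # token clock 2 s behind the server
    # First submission is accepted, an immediate replay is refused.
    print(code, bank.verify(code, 1111111111), bank.verify(code, 1111111111))
```

The drift window and the replay check are the two server-side decisions that matter: a wider window tolerates a slow token clock but lengthens the time an intercepted code remains usable.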
Integrity of the data has two aspects: reliability of the software and prevention of hacking. Non-repudiation deals with establishing a unique digital identity for an individual or a corporate entity. The digital signature — an encryption mechanism — stored on smart cards seems to be the only practical way of ensuring non-repudiation. Incidentally, the Indian cyber law recognises digital signatures.
The prevention of hacking incidents is carried out through network devices such as firewalls and intrusion detection systems. Normally, the computers that host business logic and data are separated from the external world (the Internet) and internal users (the Intranet) through multiple firewalls by creating a demilitarised zone. Many bankers believe leakage of information through internal staff is a more serious threat than that from the external hacking community. Compliance issues also imply secure storage of data for several years.
In order to prevent financial misdemeanours — like tax evasion, and movement of funds emanating from criminal and terrorist activities — security measures must begin at the time of account opening. The rise of e-commerce has given impetus to Web-based payment facilitators (called payment banks in the European Union). These purely Internet banks use software that interacts with the IT infrastructure of brick-and-mortar banks and verifies customer credentials. Anti-money laundering and know-your-customer are becoming buzzwords in banking circles.
Security is an important aspect of overall risk management of a bank. Its successful implementation depends on the creation of robust security policies, participation of the senior management and appropriate training of the bank personnel. To repeat a cliché, eternal vigilance continues to be the price for safe banking.
The writer is a banking and financial services technology consultant (hemant@adarkar.com)
‘The customer should benefit’

On the role of technology. Technology should benefit the customer the most. It should enable the bank to lower costs, to deliver consistent and efficient service, and to contain operational risks associated with delivering quality service.
On offering different services to different customers. Our products are different, but our technology is the same. We segment our customer base on factors like income and saving propensity. For each segment, we design and price our products accordingly — products for high net worth individuals will differ from those for the mass affluent. We were born in a computerised environment and that enables us to deliver products across geographies. We have a centralised database. We think in terms of design of products and in terms of delivery of products through technology.
‘Technology is a big enabler’

On technology being an enabler. Every week there's some new technology coming. So, banks are constantly looking to upgrade their technology and offer new services. Since a lot of service upgrades have been driven by technology, customers are less tolerant of service mistakes.
On technology being a differentiator. A lot of standard products are technology-driven, but technology is not a great leveller. The higher the level of technology, the more the scope for differentiation in service, as we can customise products and services.
S. Chatterjee Executive director, UTI Bank
Bhaskar Ghosh Managing director, IndusInd Bank