Technology in Indian Banking

We have been witnessing since early 1980s the phenomenon of widespread use of
computers and communication technology in the industrial, as well as emerging market
economies. This has resulted in faster funds movement across nations and borders.
Globalisation of economies and financial liberalisation within the economies have
opened new opportunities of growth for techno-savvy institutions, while for the others
these have resulted in shrinkage of revenues. The use of IT in the banking industry in
India has however been somewhat limited and has, as a result, restricted our presence in
international operations. Even in critical spheres such as those involving funds transfer,
and MIS based decision-making, there has been little evidence of proactive movement
towards wholesale computerisation up to the middle of the 1990s.

However, Indian banks came to start this process only after a decade or so. It is only
with the growing recognition of the need for financial reforms that interest in IT
applications in the banking sector in India has increased. Although the process
started late, computerisation of the vast network of branches of several banks is planned
and is being executed methodically, and the benefit is expected to be fully perceived by
the year 2010.

The RBI Report on Banking published on 15.11.2001 starts with the opening narration:

"In recent years, the banking industry has been undergoing rapid changes, reflecting a
number of underlying developments. The most significant has been advances in
communication and information technology, which have accelerated and broadened the
dissemination of financial information while lowering the costs of many financial
activities. A second key impetus for change has been the increasing competition among a
broad range of domestic and foreign institutions in providing banking and related
financial services. Third, financial activity has become larger relative to overall economic
activity in most economies. This has meant that any disruption of the financial markets or
financial infrastructure has broader economic ramifications than might have been the case
previously".

Let us discuss in detail the Technology in Banking:

Payment and Settlement Systems

As part of restructuring of the banking sector, special emphasis has been accorded to
improvements in payment and settlement systems. Prominent among the measures
initiated in these areas are the introduction of Electronic Funds Transfer (EFT), Real
Time Gross Settlement System (RTGS), Centralised Funds Management System
(CFMS), the NDS and the Structured Financial Messaging Solution (SFMS). The SFMS
would be the backbone for all message-based communication over the Indian Financial
Network (INFINET).

Electronic Funds Transfer (EFT)

The EFT scheme enables transfer of funds within and across cities and between branches
of a bank and across banks. The scheme, which is operated by the Reserve Bank, is
available for funds transfer across thirteen major cities in the country, as on September
30, 2001. The facility is being extended to two more centres. The scheme was originally
intended for small value transactions. However, with effect from October 1, 2001,
large value transactions (as high as Rs. 2 crore) have also been permitted.

Real Time Gross Settlement System (RTGS)

The work on operationalisation of RTGS system continued during the year. The major
project components completed during the year included the finalisation of the design for
RTGS system, issue of the tender for the development of the software, evaluation of the
technical components of the bids received, site visits and evaluation of the commercial
proposals. The implementation of RTGS is targeted to be accomplished within 12 to 15
months of award of the contract for software development and implementation.

Centralised Funds Management System (CFMS)

The CFMS would enable the funds and treasury managers of commercial banks to obtain
the consolidated account-wise, centre-wise position of their balances with all the 17
Deposit Accounts Departments (DAD) of the Reserve Bank. The system has been tested
prior to installation and phase-wise implementation commenced from November 2001.
The CFMS would enable better funds management by constituent current account holders
of the Reserve Bank.

Structured Financial Messaging Solution (SFMS)

At the base of all inter-bank message transfers using the INFINET is the SFMS. SFMS
would serve as a safe, secure communication carrier built with templates for transmission
of intra and inter-bank messages in fixed message formats, which would facilitate
"Straight Through Processing". SFMS comprises the central server in the form of a hub
located at the Institute for Development and Research in Banking Technology (IDRBT),
Hyderabad and individual bank gateways to which the branches of the banks would be
connected with a provision for banks to have multiple bank level gateways. The SFMS
would provide for all inter-bank transactions to be stored and switched at the central hub,
while intra-bank messages will be switched and stored by the bank gateway. Adequate
security in the form of smart card authentication apart from the Public Key Infrastructure
(PKI) would be an integral part of the SFMS. All these would result in the security levels
matching those of international standards.

Working Group on Improvements in Monitoring of Clearing Systems

Following the recent developments in the banking sector, a Working Group on
'Improvements in Monitoring of Clearing Systems' was constituted by the Reserve Bank
to examine the major issues pertaining to management and operation of the Clearing
Houses and make necessary recommendations. The Group submitted the Report in May
2001. The recommendations of the Group were discussed with a select group of bankers
and regulators. Based on these discussions, a roadmap has been drawn for
implementation of these recommendations which fall under the following major areas of
control / monitoring viz.

a. monitoring presentations by banks;
b. monitoring returns by banks;
c. accounting of the clearing settlements;
d. formation of an Internal Group at each Regional Office of the Reserve Bank to
review the trends reported by the clearing house and plan follow up action as
deemed necessary;
e. formation of a central monitoring cell to monitor the trends on a national basis
and provide warning signals wherever necessary; and
f. implementation of MIS to serve as early warning signals for better surveillance
over the activities of the clearing member banks.

The recommendations which could be implemented immediately are being taken up with
the four major metropolitan clearing houses managed by the Reserve Bank. Action on
implementing these at the clearing houses managed by State Bank of India / other banks
would also be taken up concurrently.

Imaging of Instruments

A process of capturing the images of the instruments as they are being processed was
introduced during the year at the four metropolitan National Clearing Cells managed by
the Reserve Bank. Imaging facilitates quicker balancing during the cheque-processing
cycle and also helps in reducing clearing reconciliation differences.

Electronic Clearing Services

Emphasis on widespread usage of Electronic Clearing Service (ECS) is being prescribed
by the Reserve Bank to encourage non-paper based funds movement. The prime thrust
areas forming part of this vital activity include the extension of ECS to more centres,
inclusion of more customers under the ambit of the scheme and provision of a centralised
facility for affording payments.

Indian Financial Network (INFINET)

The INFINET has been operational for almost two years. Started as a closed user group
communication network for the banking sector in India, the members of this network are
the public sector banks. During the year 2000-01, the membership was opened up for
other banks and financial institutions that need to communicate with one another.

Computerisation in Public Sector Banks

The progress in implementation of the directive of the Central Vigilance Commission
(CVC) on the need to computerise 70 per cent of the banking business by public sector
banks before January 1, 2001 revealed that as on December 31, 2000, 13 banks had
achieved the desired level. Figures as at end of March 2001, indicated that 23 banks have
achieved the target, while two banks have computerisation levels ranging between 60 per
cent and 70 per cent and two others were at a level below 60 per cent.

Computerization in Banking Industry - Statistics (Data as on 30/9/2001)

(Data pertains to Public Sector banks only - Compiled by RBI)

Total No. of branches in India 46,426
Partial Computerisation at Branch level 13,218
No. of Fully Computerised Branches 9,777
No. of existing Service Branches 376
No. of Partially Computerised Service Branches 134
No. of Fully Computerised Service Branches 252
Total ATMs installed 895
On-line terminals at Corporate sites installed 3,354
Credit Cards Issued 8,75,788
Smart Card (as Electronic Purse) Issued 8,097
Debit Cards (as ATM Cards) Issued 2,19,058
Branches covered under RBI's EFT Scheme 3,536
Corporate Customers availing of ECS-Credit Clearing 170
Corporate Customers [Utility Services] under ECS-Debit/RAPID 9
New MICR Cheque Processing Centres to be set up 26
Nodes on internal Captive network in Banks 2,335
Nodes on RBINET in banks 109
Branches connected to other Networks 2112
Nodes on VSAT Network for Industry 2023
Branches connected to SWIFT 869
Currency Chest for other branches linked to NICNET 726
E-Mail Connections 7,178
Banks & Branches covered under the Customs-Banks EDI Project 11 banks, 28 branches

Cheque Clearing

Magnetic Ink Character Recognition (MICR) based cheque-clearing accounts for about
65 per cent of the value of cheques processed in the country. In addition, Magnetic Media
Based Clearing Systems account for about 10 per cent of the remaining value while
claim-based processes cover the rest of clearing. It may be pertinent to note that growth
in cheque volumes has decelerated to 10 per cent in 2000-01 from 12 per cent during the
previous year. This is reflective of general trends the world over, indicating the migration
towards electronic funds transfer mechanisms.

Computerisation of Banks India - Issues & Events

In the Eighteenth and Nineteenth Centuries the Industrial revolution brought profound
changes in the life style of man. Many activities that were hitherto performed by man
employing his hands and his finger skill came to be carried at great speed and efficiency
by machines. Man continued to carry out only those functions that needed his thinking
process to be involved.

The Industrial Revolution on account of mass production of goods and services brought
large commercial and business organizations, transcending national boundaries that
employed several thousands of persons for performing routine, repetitive clerical tasks,
relating to record keeping, maintaining accounts, attending/answering correspondence,
preparing vouchers, invoices, bills and multiple of such other functions. This created
white-collar employment for educated persons by leaps and bounds.

Clerical task is defined as a routine and repetitive performance involving adding,
subtracting, multiplying, dividing numbers, and duplicating data/information from one
source to another. The tools employed are "a pen, ink and paper", the knowledge of
arithmetic tables, the basic knowledge of a language and minimum acquaintance with
rules & procedures of the organisation that are followed day in day out and relevant to the
job of the particular employee. Two plus two is four. It is always four. Should we need an
educated worker to compute this task again and again? A business needed human agents
to attend to production, marketing, finance etc. depicting high-level tasks. But more and
more people were employed for performing low-level tasks.

However, as time went on the internal chores of record keeping multiplied geometrically
as commerce and industry grew in size and volume. The civil services of the Government
and service-based organizations came to the forefront to inherit this overload of
white-collar employment. To quote a concrete example, a major nationalised bank in India,
which employed merely 3000 workers in the Fifties (around the time I entered its service
in 1957), came to engage over 70,000 employees towards the end of the century, i.e. year
1996-97, when I retired from service from that bank.

The Government of India and the States including government owned bodies employed
as many as 100 lakh junior employees at the clerical and subordinate level. Such
employees by virtue of their strength of numbers organise themselves into powerful trade
unions, and aggressively utilise the bargaining power without reference to the input
benefit the organization is deriving from them and the productivity they are providing.

In this world of human beings necessity is the mother of invention. After 15 years of
educational studies, an individual should not be employed for routine repetitive tasks.
This makes him dull, and he finds the work monotonous and without job satisfaction. He
turns back and diverts his loyalty to an informal group, i.e. the trade union. He feels
happy once in a month on payday, but on other days his work leaves him nothing to rejoice
in. There are neither opportunities nor challenges to bring out his innovative or creative
genius. As years pass, clerical employment results in the individual losing efficiency and
productivity, progressively depicting a trend of progress in reverse.

The advent of mechanical calculating devices and later electronic computing in the West
heralded a new age that progressively dispensed with this white-collar and white-elephant
employment. This evolved in the West three decades ago, but the advent of this
evolution in India is only now taking place.

To quote again a concrete example, the statistics of two banking institutions in India, the
largest and the next largest in size, can be fruitfully compared. These are the State Bank
of India, which was until recently employing 2.3 Lakh workers, for a turnover of Rs.36,000
Crores (Deposit 25000 + Advances 11000 Crores).

ICICI bank has at present less than 1000 branches and around 10000 employees. It has a
turnover of Rs.23000 Crores (Deposits 16 + Advances 7 thousand Crores). The bank
started functioning from the year 1997 and has gained the No.2 position in status in India
after SBI in volume of business turnover within 5 years of its operation. It will be
interesting to know that CMD of ICICI Bank draws annual emoluments of Rs.150 Lakhs,
while CMD of SBI around Rs.4 to 5 Lacs. ICICI is a new age high-tech and fully
computerised bank, while SBI retained its manual operations in totality up to 1993 and
maintained the work force of that time up to 2001, though it is partially computerised
starting from the year 1993.

The per employee turnover for ICICI bank is Rs.2.3 Crores, that for SBI is Rs.1.56
Lakhs. The gap accounts for the difference between manual operations and high-tech
banking.

If we project the future in respect of State owned banks, which employ presently nearly
10 Lakh employees, computerisation is destined to bring about rapid changes. By about
the year 2010 the present turnover of commercial banks in India may double or even
treble to around Rs.30 to 40 Lakh Crores, but these Banks will have no need of 75
percent (today 25 percent of the work force is subordinate staff, 50 percent is clerical
staff and 25 percent is the officers) of the existing workforce by 2010. Only in very few
hinterland rural pockets there may be a possibility of a need of the present structure of
workforce. The objective of the recently administered VRS is to prepare for this reality of
the first decade of the New Millennium, where banking will be more tech based and less
people based.

Computerisation brings transparency, improves customer care and customer-service
tremendously and reduces substantially scope for corruption or extending undue favour to
particular constituents and uneven service to others.

Challenges Faced in Computerisation

Computerisation is expensive and needs huge investment in hardware and software and
subsequent maintenance. The National Stock Exchange, India's No.1 user in
computerised service has spent Rs.180 Crores to enable investors and brokers across the
country to trade securities online. The rate of obsolescence in respect of both hardware
and software is considerable. New and better products are emerging in the market, whose
use would enable a rival organization to throw a challenge.

Computer crimes are committed widely in the West. India is no less potentially exposed
to this risk, when turnover under Internet banking increases. It is easier to enforce
security of information and accountability of performers in a manual system. But it needs
elaborate steps to incorporate these features in the electronic system.

The structure of the legal system is so far based on manual record keeping. It has to
provide for electronic data to be accepted legally as evidence and in contracts.

Indian banking has accepted computerisation since 1993, more out of sheer compulsion
and necessity to cope with increasing overload and the inability of the manual system to
sustain further growth. In the following pages you are presented with a series of articles
discussing the various facets of this momentous event and its far-reaching effects
anticipated to unfold in the coming decade.

Role of RBI in Computerisation of Banks in India

Computerisation became popular in the western countries right from the Sixties. Main
Frames were extensively used both by the Public Institutions and Major Private
Organizations. In the Seventies Mini Computer became popular and Personal Computers
in early Eighties, followed by introduction of several software products in high level
language and simultaneous advancement in networking technology. This enabled the use
of personal computers extensively in offices & commercial organisations for processing
different kinds of data.

However, in India organised Trade Unions were against introduction of computers in
Public Offices. Computerisation was restricted to major scientific research organizations
and Technical Institutes and defence organizations. Indian Railways first accepted
computerisation for operational efficiency.

The Electronics Corporation of India Ltd. was set up in 1967 with the objective of
research & development in the fields of Electronic Communication, Control,
instrumentation, automation and Information Technology. CMC Ltd (Computer
Maintenance Corporation of India Ltd.) was established in 1976 to look after
maintenance operations of Main Frame Computers installed in several organisations in
India, to serve the gap, when IBM left India, due to the directive of the then Central
Government.

In the Private Sector the first major venture was TCS (Tata Consultancy Services) which
started functioning from 1968. In the year 1980 a few batch-mates of IIT Delhi pioneered
the effort to start a major education centre in India to impart training in Information
Technology and their efforts resulted in the setting up of NIIT in 1981. Aptech Computer
Education was established in 1986 following the experiment of NIIT.

Before large scale computerisation, computer education became popular in India and was
coveted by bright students, when several Engineering Colleges and Technical Institutes
introduced Post Graduate Degree courses in Computer Engineering. The booming
hardware and software industry in the West attracted Indian students and many of them
migrated for better opportunities to the U.S.A. and settled there. We have today the
paradox of India being one of the major powers possessing diverse talents in fields of
software development, but at the same time, we are still a decade behind in using
computerised service extensively in the country and bringing the facility to the realms of
the common man.

Rapid development of business and industry brought manual operations on data to a
saturation point. This acted as an overload on the growing banking operations.
Government owned banks in general found the "house-keeping" unmanageable. Several
heads of accounts, in particular inter-bank clearing and inter-branch reconciliation of
accounts, went totally out of control.

Low productivity pushed cost of wages high and employees realised that unless they
agreed for computerisation further improvement in their wage structure was not possible.

In the year 1993, the Employees' Unions of Banks signed an agreement with Bank
Managements under the auspices of Indian Banks' Association (IBA). This agreement
was a major breakthrough in the introduction of computerised applications and
development of communication networks in Banks.

The first initiatives in the area of bank computerisation, however, stemmed out of the
landmark report of the two committees headed by the former Governor of the Reserve
Bank of India and currently Governor of Andhra Pradesh, His Excellency, Dr. C.
Rangarajan. Both the reports had strongly recommended computerisation of banking
operations at various levels and suggested appropriate architecture.

In the 'seventies, there was a four-fold increase in the number of branches, five-fold
increase in advances and a six-fold increase in deposits'. Mechanisation was seen as the
best solution to the "problems inherent in the manual system of operations, their adverse
impact on customer services and the grave dangers to banks in the context of increasing
incidence of frauds".

The first of these Committees, viz. the Committee on the Mechanization of the Banking
Industry (1984) was set up for the first time to suggest a model for mechanisation of bank
branches, regional / controlling offices and Head Office necessitated by the explosive
growth in the geographical spread of banking following nationalization of banks in 1969.

In the first phase of computerisation spanning the five years ending 1989, banks in India
had installed 4776 ALPMs at the branch level, 233 mini computers at the
Regional/Controlling office levels and trained over 2000 programmers/systems personnel
and over 12000 Data Entry Terminal Operators. The Reserve Bank too had embarked
upon an ambitious program to bring about state-of-the-art technology in the clearing
process and had introduced MICR clearing at 4 centres and computerized clearing
settlement at 9 centres.

Against this backdrop, the Committee on Computerisation in Banks was set up once
again under Dr. Rangarajan's Chairmanship to draw up a perspective plan for
computerisation in banks. In its report submitted in 1989, the Committee acknowledged
the gains of the initial efforts and sought to move away from the stand-alone dedicated
systems to an on-line transaction processing environment in branch banking. It
recommended that the thrust of bank computerisation for the following 5 years should be
to fully computerise the operations at both the front and back offices of large branches
then numbering around 2500.

Progress Made after the Report of the Second Committee

Computerisation efforts among the Public Sector Banks (PSBs) in India, which account
for over 80 per cent of the assets of the entire banking system, have been substantial. Of
the 45,439 branches of the PSBs as on September 30, 1998, as many as 3,668 branches
serving customers directly had been fully computerised with a complement of more than
65,000 computer nodes/PCs. A total of 6961 branches have been partially computerised -
with Advanced Ledger Posting Machines, Electronic Accounting Machines and Personal
Computers. Of the 336 service branches, 149 had been fully computerised and 166 had
been partially computerised.

The PSBs had installed 194 Automated Teller machines (ATMs) all over the country; they
had issued over 8.5 lakh credit cards and over 32,000 debit cards. The latest in this area
of activity has been the issue of SMART cards.

For international interconnectivity of computers and for cross-border transactions, 568
branches have been connected to the Society for Worldwide Interbank Financial
Telecommunication (popularly known as S.W.I.F.T.). Local Area Networks of branches have
been established at 571 branch locations using internal captive networks while 148
branches are on the RBINET.

The Reserve Bank then identified the Payment Systems area as the thrust region for
computerisation in banks. The Bank has constituted a Payment Systems Advisory
Committee and an operational group to make policy guidelines. The payment systems,
which constitute the arteries of any economy, have been recognised as the focus area for
this group. This group was asked to consolidate the existing payment systems, develop
new, technologically advanced modes of payment and integrate the different payment
and settlement systems into an efficient, integrated system that will function as a real time
gross settlement (RTGS) system in an on-line environment.

To facilitate these objectives, a Computer based network has also been established. This
Wide Area Satellite Based network, called the Indian Financial Network (INFINET) aims
at connecting computers at branches of banks. 479 branches at commercially important
cities are to be connected to the INFINET in the first phase while the next phase would
witness the coverage being extended to about 5000 branches.

The INFINET is a robust and secure network which would be used for effecting financial
funds movements and important information flow within the country. In view of the
sensitive nature of the transactions to be routed through the network and to make it totally
secure, the usage of the network would be restricted to a 'Closed User Group' consisting
of member banks and financial institutions only. The INFINET User Group is engaged in
various aspects pertaining to the Payment Systems in the country including the issues
related to security over the network, encryption and decryption of messages during
transmission, standardisation of message formats, exchange of encryption keys etc.

Recommendations of Committee on Technology Upgradation

The Reserve Bank continued to be involved in shaping the technology vision of the
banking system. Following the recommendations of the Committee on Financial Sector
Reforms, (which is popularly known as the second Narasimham committee), a
Committee on Technology Upgradation was set up by the RBI for the Banking Sector in
1994. This committee has representation from banks, Government, technical institutions
and the RBI. Among other things, this committee looked into issues relating to

i. Encryption of Public Switching Telephone Network (PSTN) lines
ii. Admission of electronic files as evidence
iii. Record keeping
iv. Modalities for a satellite based WAN for banks and financial institutions with the
necessary security systems by banks and other financial institutions, to ultimately
develop a sound and an efficient payments system
v. Methods by which technological upgradation in banks and financial institutions
could be effected and in the context study the feasibility of establishment of
standards, designing payments system backbone and standards relating to security
levels, messages and smart cards.

The Committee realised the urgent need for training, research and development activities
in the Banking Technology area. Banks and Financial Institutions started setting up
Technology based training centres and colleges. However, a need was felt for an apex
level Institute which could be a Think-tank and Brain Trust for Banking Technology.

The committee recommended a variety of payment applications which can be
implemented with appropriate technology upgradation and development of a reliable
communication network. The committee also suggested setting up of an Information
Technology Institute for the purpose of Research and Development as well as
Consultancy in the application of technology to the Banking and Financial sector of the
country. As recommended by the Committee, IDRBT was established by RBI in 1996 as
an autonomous centre for Development and Research in Banking Technology at
Hyderabad.

Brief Profile of IDRBT (Institute for Development & Research in Banking
Technology)

IDRBT is engaged in a number of Research Projects to improve Banking Technology in
India. The Institute is concentrating on four major areas of Research as follows:

i. Financial Network and Application Architecture
ii. Payments System and Security Technology
iii. Multimedia, Internet Technologies and Web Based Learning
iv. Data Mining, Data Warehousing and Risk Management

IDRBT is also collaborating with Academic Institutions and Research Organisations in
India and abroad for the purpose of promoting higher education, research and
development in Banking Technology in India. The Institute is actively involved in the
development of various standards and systems for Banking Technology, in coordination
with the Reserve Bank of India, Indian Banks' Association and the various high-level
committees constituted at the industry and national levels.

Apart from investing most of its time and resources in Research and Development, the
Institute also offers Consultancy in I.T. and related areas to Banks and other Financial
Institutions. Certification Management for E-Commerce and Electronic Payment
Systems, Real Time Gross Settlements, Data Warehousing and Data Mining for Banks,
Intrusion Detection Systems, Computer Based Training and Web Based Learning are
some of the primary projects on which IDRBT teams are now working and offer
consultancy to Banks and Financial Institutions.

The Institute has already established leadership in VSAT Networks and Corporate
Network Design.

SPECIAL SERVICES BY RBI

Mechanised Cheque Processing System using MICR Technology

The term "MICR" stands for Magnetic Ink Character Recognition, and is used to describe
the line of numbers and special characters that appear at the bottom of every check. Since
the 1940s, banks have speeded check processing with special devices that "read" the
MICR encoding and translate the characters into the account number and other pertinent
information.

The Magnetic Ink Character Recognition (MICR) technology based cheque processing
was first introduced in Mumbai and Chennai in 1987 by the Reserve Bank of India and
gradually extended to Delhi in 1988 followed by Kolkata in 1989.

Electronic Data Interchange (EDI)

The Ministry of Commerce, Government of India has identified 114 centers as major
export / import intensive centers in the country. The Ministry desired that, at all these
centers, the bank branches should be fully computerised, inter-connected and networked
and there should be inter-bank connectivity so that on-line banking facility could be made
available to the exporter-importer customers.

The Department of Commerce in the Ministry of Commerce & Industry, Government of
India, New Delhi is the nodal agency for overseeing implementation of Electronic
Commerce (EC)/ Electronic Data Interchange (EDI) in the various organisations in the
country.

Banks are one of the agencies entrusted with the responsibility for implementing EC/EDI.
The Indian Banks' Association is coordinating the implementation of the EC/EDI in the
various banks as per the directives of the Ministry of Commerce & Industry. Currently, 11
Public Sector Banks at 28 locations in the various airports / seaports are implementing the
Banks- Customs EDI Project.

Electronic Funds Transfer (EFT) System

As part of the initiatives aimed at quick movement of funds in a paperless mode, the
Reserve Bank of India had introduced the Electronic Funds Transfer System (EFT) in the
year 1996 for quick movement of funds between different banks for the bank customers.
Currently, the scheme is available for transfer of funds across 8,500 branches of banks at
15 centres where Reserve Bank of India manages the Clearing House (Ahmedabad,
Bangalore, Bhubaneshwar, Chandigarh, Chennai, Guwahati, Hyderabad, Jaipur, Kanpur,
Kolkata, Mumbai, Nagpur, New Delhi, Patna and Thiruvananthapuram). The facility is
available for transfer of funds for individual transactions of up to Rs.2 crore per transaction
with effect from 1st October, 2001.

The Reserve Bank of India is considering a proposal to utilise State Bank of India's
clearing houses to increase the reach of electronic fund transfer (EFT) facility in the
country.

EFT is the safest and fastest way to transfer money from your account to another
individual in another city regardless of which bank she uses.

All the transferor needs is her account number. A maximum of Rs.0.1mn can be
transferred for a flat fee of Rs.25. The bank has discretionary powers to raise the limit for
select customers. Or a customer can break up the transactions into multiples of up to
Rs.0.1mn. The money sent is credited overnight and can be withdrawn by the receiver the
day after transfer.

Disclosing other advantages of the EFT, an official of the IBA's department of
information technology, says, "The facility can be availed of even if the branch from
where you are sending the amount is not fully computerized. The details of the transfer
have to be sent to the RBI which in turn notifies the receiving bank to credit the
individual with the mentioned amount."

Being the largest bank, SBI has the maximum number of clearing houses across the
country. A tie-up with SBI's clearing houses will enable RBI to expand the electronic
fund transfer facility, said sources. The RBI will provide the EFT software to SBI's
clearing houses.

The tie-up with SBI will enable the central bank to provide electronic fund transfer
facility to almost every district in the country, the source said.

The EFT package, a software package developed by RBI, can run on even a Windows
platform. It was developed in 1996 and is becoming increasingly popular with over 50
banks having implemented it.

EFT enables fund transfer from any branch of any bank that is a member of the EFT
system to any branch of any bank within 24 hours. This covers inter-city and intra-city
transfers, whether inter-bank or intra-bank.

EFT was first tested between Chennai and Mumbai. The year 1997 saw the EFT facility
expanded to all metros, and in 2002 it was extended to 15 centres in a phased manner.

EFT is primarily aimed at retail transactions with a maximum amount permitted at Rs 2
crore. The NCC collects a mere Rs.5 per transaction.

The RBI gives the software free of charge to banks for faster processing of transactions
and minimising paper based processing.

Legislation and Computer Crime


With computer crime detection being a difficult task, bringing the criminals to book
becomes a formidable challenge since the laws in many countries have not kept pace with
technology. Laws were originally designed to protect tangible assets and may not be
sufficient to guarantee the protection of electronic bits of data. It is often difficult to
attribute guilt using the existing statutes since the act of trespassing into a system and
tampering with virtual data may not necessarily be specifically provided for in law.
However, this point is being increasingly recognised as an area of concern and more and
more countries are therefore enacting specific and comprehensive legislation to cover the
acts of computer criminals.

Model acts passed by nations highly dependent on technology tend to provide for
enhanced penalties for unlawful access to "protected computers" such as those involved
in national security, banking and finance, emergency services and public utilities. Such
laws also provide for penalties for unlawful access to any system, unlawful modification
of computer programs even through viruses and even to lawful abuse or misuse of
computers.

The Reserve Bank has, for its part, taken several initiatives in this regard. The framing of
the model Electronic Funds Transfer (EFT) Act and rules, suggesting amendments to the
various acts such as the Bankers' Book Evidence Act, the Negotiable Instruments Act, the
Banking Regulation Act and the RBI Act - is in an advanced stage. The Reserve Bank is
also associated with the efforts of the Ministries of Finance, Commerce and Law in the
enactment of laws such as the Information Technology Act and the Cyber Laws.

Other Imperatives

The imperative to enhance the levels of computerisation in the banking industry has been
strengthened by the Government's IT vision which envisages a revolution in computer
penetration by the year 2010 and also by the directive recently issued by the Central
Vigilance Commissioner to banks to computerise 70 per cent of banking business by
January 2001. These initiatives are important since many of the deficiencies of today's
operations can be traced to the outdated manual systems in place. The CVC has also
desired that the listed companies should compulsorily offer the Electronic Clearing
Services to their customers for payment of dividend and interest warrants. This would
help avoid the risks in the existing payment modes and reduce to a great extent the
incidence of non-receipt of paper-based dividend and interest warrants despatched by
post and their fraudulent payment / encashment.

In future, there would be increasing focus on dematerialisation of shares and securities
which would result in two advantages: first, the prevention of frauds and second, the
facilitation of transactions of Government securities on an 'On-line Real Time Gross
Settlement' basis.

Security Policy and RBI's Supervisory Initiatives


All organisations which are moving towards a high level of computerisation should have
in place a security policy that offers a shared vision of how controls in workplaces should
be implemented with the objective of protecting location, information and eventually, the
economic value of the organisation. This would need to be supplemented by education
and training in these areas and reinforced by the actions and concerns of the top
management so that a culture of security can be created. These controls have to be
strengthened by surveillance, regular monitoring and auditing to detect unusual usage
patterns and deficiencies.

These concerns have been addressed in a focussed manner at the Reserve Bank of India,
and the broad approach in this regard is, I venture to place before, worthy of attention. In
the first place, the most important point of emphasis is on prevention of crime. In order to
prevent computer frauds and crimes, specific computer procedures have been laid down
for each activity area involving computers. These procedures detail specific requirements
for

• formal controls governing physical access to computer areas in addition to
physical access to computer operation on the basis of the use of passwords, valid
user identification etc., and,
• technical controls for a number of operations including standardised and secure
message formats, correct authentication, personal identification numbers, digital
signatures, encryption and decryption of data, firewalls, and backup that would be
tamper proof.

The next imperative is to conduct computer security audit. This is an activity that is
gaining in importance of late and is perhaps one of the best tools available for combating
computer crime. Audit of computer security - especially by professional organisations - is
a vital requisite to ensure that complacency within the organisation does not result.

The broad approach outlined here cannot succeed if there is a dearth of skilled personnel.
Work is, therefore, already on to groom a force of highly motivated and technically sound
people at banks who would look after all the requirements of computerisation
and also ensure that computer frauds do not occur. It is necessary that the work and
operations of this group of technologically expert persons are monitored regularly by
managements to ensure that crimes are not perpetrated from inside. This is a challenge
since over 2 lakh personnel had also received training in the handling and concepts of
computer systems in the PSBs.

It is also necessary to impart sufficient skills to our bank examiners to be able to examine
records effectively in computerised operating environment and also to be able to put
together a picture of the operations so that they could ensure that they have access to all
transactions being put through by banks. Accordingly, under a Technical Assistance
project sponsored by the UK Government, the services of international consultants were
utilised to impart skills to inspecting officers of the Reserve Bank. A detailed manual was
also drawn up for their use.
Simultaneously, as part of the aforesaid project, guidelines were issued to the banks on
the maintenance of minimum records in computerised environment so that any
subsequent investigation would not be hampered by lack of understanding or lack of
access to computer data. A circular on the Risks and Controls in Computers and
Telecommunications was issued by the Reserve Bank to banks to help them in identifying
the key risks arising out of continually growing use of computers and suggesting controls
to mitigate consequential risks.

Our analysis of the modus operandi of the frauds committed so far has not
revealed any extensive manipulation of the computer systems in the banks. However,
cases have been reported where the fraud was facilitated by poor access controls. In a
recently reported case, the perpetrator was able to change the borrower's limits stored in
the computer by borrowing the password of the authorized personnel. This suggests that
the password cannot just be treated as a friendly word. This aspect, in the Indian ethos,
needs to be closely looked into and the system of password determination has to be
fool-proof.
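The case above turns on a valid user id being used by someone other than its owner, which an audit trail can surface. The following is an added example, not from the original text or any RBI system: it flags limit changes made from a terminal not assigned to the user id, or while that id has another open session. The log format, event names, user ids and terminal register are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-trail lines (hypothetical format, not from any real system):
# timestamp|user_id|terminal|event|detail
SAMPLE_LOG = """\
2002-03-04 10:01:12|mgr01|T-MGR-1|LOGIN|
2002-03-04 10:05:40|clk07|T-CLK-3|LOGIN|
2002-03-04 10:20:03|mgr01|T-MGR-1|LIMIT_CHANGE|acct=CC-1001 old=500000 new=600000
2002-03-04 11:15:27|mgr01|T-CLK-3|LOGIN|
2002-03-04 11:17:02|mgr01|T-CLK-3|LIMIT_CHANGE|acct=CC-2044 old=200000 new=2500000
2002-03-04 11:18:30|mgr01|T-CLK-3|LOGOUT|
2002-03-04 17:30:00|mgr01|T-MGR-1|LOGOUT|
2002-03-04 17:31:00|clk07|T-CLK-3|LOGOUT|
"""

# Assumption: the bank keeps a register of the terminals assigned to each user id.
ASSIGNED_TERMINALS = {"mgr01": {"T-MGR-1"}, "clk07": {"T-CLK-3"}}


def parse_log(text):
    """Turn pipe-delimited audit lines into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, event, detail = line.split("|", 4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user,
            "terminal": terminal,
            "event": event,
            # "acct=CC-1 old=1 new=2" -> {"acct": "CC-1", "old": "1", "new": "2"}
            "detail": dict(kv.split("=", 1) for kv in detail.split()),
        })
    return sorted(events, key=lambda e: e["time"])


def suspect_limit_changes(events, assigned):
    """Return limit changes whose session context suggests a shared password."""
    active = defaultdict(set)     # user id  -> terminals with an open session
    occupants = defaultdict(set)  # terminal -> user ids with an open session
    findings = []
    for ev in events:
        user, term = ev["user"], ev["terminal"]
        if ev["event"] == "LOGIN":
            active[user].add(term)
            occupants[term].add(user)
        elif ev["event"] == "LOGOUT":
            active[user].discard(term)
            occupants[term].discard(user)
        elif ev["event"] == "LIMIT_CHANGE":
            reasons = []
            # The id is being used away from the desk it was issued for.
            if term not in assigned.get(user, set()):
                reasons.append("unassigned_terminal")
            # The same id is logged in somewhere else at this moment.
            if active[user] - {term}:
                reasons.append("concurrent_session")
            # Another user's session is open on this terminal: likely who typed.
            for other in sorted(occupants[term] - {user}):
                reasons.append("terminal_in_use_by:" + other)
            if reasons:
                findings.append({
                    "time": ev["time"].isoformat(sep=" "),
                    "user": user,
                    "terminal": term,
                    "account": ev["detail"].get("acct"),
                    "old_limit": int(ev["detail"].get("old", 0)),
                    "new_limit": int(ev["detail"].get("new", 0)),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in suspect_limit_changes(parse_log(SAMPLE_LOG), ASSIGNED_TERMINALS):
        print(f)
```

A check like this only works if every login, logout and limit change is written to the audit trail with the terminal identity, which is what the minimum-records guidelines mentioned earlier are meant to guarantee.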

Risk Management Principles for Electronic Banking


Basel Committee Recommendations - Executive Summary

Continuing technological innovation and competition among existing banking
organisations and new entrants have allowed for a much wider array of banking products
and services to become accessible and delivered to retail and wholesale customers
through an electronic distribution channel collectively referred to as e-banking. However,
the rapid development of e-banking capabilities carries risks as well as benefits.

The Basel Committee on Banking Supervision expects such risks to be recognised,
addressed and managed by banking institutions in a prudent manner according to the
fundamental characteristics and challenges of e-banking services. These characteristics
include the unprecedented speed of change related to technological and customer service
innovation, the ubiquitous and global nature of open electronic networks, the integration
of e-banking applications with legacy computer systems and the increasing dependence
of banks on third parties that provide the necessary information technology. While not
creating inherently new risks, the Committee noted that these characteristics increased
and modified some of the traditional risks associated with banking activities, in particular
strategic, operational, legal and reputational risks, thereby influencing the overall risk
profile of banking.

Based on these conclusions, the Committee considers that while existing risk
management principles remain applicable to e-banking activities, such principles must be
tailored, adapted and, in some cases, expanded to address the specific risk management
challenges created by the characteristics of e-banking activities. To this end, the
Committee believes that it is incumbent upon the Boards of Directors and banks' senior
management to take steps to ensure that their institutions have reviewed and modified
where necessary their existing risk management policies and processes to cover their
current or planned e-banking activities. The Committee also believes that the integration
of e-banking applications with legacy systems implies an integrated risk management
approach for all banking activities of a banking institution.

To facilitate these developments, the Committee has identified fourteen Risk
Management Principles for Electronic Banking to help banking institutions expand their
existing risk oversight policies and processes to cover their e-banking activities.

These Risk Management Principles are not put forth as absolute requirements or even
"best practice." The Committee believes that setting detailed risk management
requirements in the area of e-banking might be counter-productive, if only because these
would be likely to become rapidly outdated because of the speed of change related to
technological and customer service innovation. The Committee has therefore preferred to
express supervisory expectations and guidance in the form of Risk Management
Principles in order to promote safety and soundness for e-banking activities, while
preserving the necessary flexibility in implementation that derives in part from the speed
of change in this area. Further, the Committee recognises that each bank's risk profile is
different and requires a tailored risk mitigation approach appropriate for the scale of the
e-banking operations, the materiality of the risks present, and the willingness and ability
of the institution to manage these risks. This implies that a "one size fits all" approach to
e-banking risk management issues may not be appropriate.

For a similar reason, the Risk Management Principles issued by the Committee do not
attempt to set specific technical solutions or standards relating to e-banking. Technical
solutions are to be addressed by institutions and standard setting bodies as technology
evolves. However, this Report contains appendices that list some examples of current and
widespread risk mitigation practices in the e-banking area that are supportive of the Risk
Management Principles.

Consequently, the Risk Management Principles and sound practices identified in this
Report are expected to be used as tools by national supervisors and implemented with
adaptations to reflect specific national requirements and individual risk profiles where
necessary. In some areas, the Principles have been expressed by the Committee or by
national supervisors in previous bank supervisory guidance. However, some issues, such
as the management of outsourcing relationships, security controls and legal and
reputational risk management, warrant more detailed principles than those expressed to
date due to the unique characteristics and implications of the Internet distribution
channel.

The Risk Management Principles fall into three broad, and often overlapping, categories
of issues that are grouped to provide clarity:

1. Board and Management Oversight;
2. Security Controls; and
3. Legal and Reputational Risk Management.

Board and Management Oversight


Because the Board of Directors and senior management are responsible for developing
the institution's business strategy and establishing an effective management oversight
over risks, they are expected to take an explicit, informed and documented strategic
decision as to whether and how the bank is to provide e-banking services. The initial
decision should include the specific accountabilities, policies and controls to address
risks, including those arising in a cross-border context. Effective management oversight
is expected to encompass the review and approval of the key aspects of the bank's
security control process, such as the development and maintenance of a security control
infrastructure that properly safeguards e-banking systems and data from both internal and
external threats. It also should include a comprehensive process for managing risks
associated with increased complexity of and increasing reliance on outsourcing
relationships and third-party dependencies to perform critical e-banking functions.

Security Controls

While the Board of Directors has the responsibility for ensuring that appropriate security
control processes are in place for e-banking, the substance of these processes needs
special management attention because of the enhanced security challenges posed by e-
banking. This should include establishing appropriate authorisation privileges and
authentication measures, logical and physical access controls, adequate infrastructure
security to maintain appropriate boundaries and restrictions on both internal and external
user activities and data integrity of transactions, records and information. In addition, the
existence of clear audit trails for all e-banking transactions should be ensured and
measures to preserve confidentiality of key e-banking information should be appropriate
with the sensitivity of such information.

Although customer protection and privacy regulations vary from jurisdiction to
jurisdiction, banks generally have a clear responsibility to provide their customers with a
level of comfort regarding information disclosures, protection of customer data and
business availability that approaches the level they can expect when using traditional
banking distribution channels. To minimise legal and reputational risk associated with e-
banking activities conducted both domestically and cross-border, banks should make
adequate disclosure of information on their web sites and take appropriate measures to
ensure adherence to customer privacy requirements applicable in the jurisdictions to
which the bank is providing e-banking services.

Legal and Reputational Risk Management

To protect banks against business, legal and reputation risk, e-banking services must be
delivered on a consistent and timely basis in accordance with high customer expectations
for constant and rapid availability and potentially high transaction demand. The bank
must have the ability to deliver e-banking services to all end-users and be able to
maintain such availability in all circumstances. Effective incident response mechanisms
are also critical to minimise operational, legal and reputational risks arising from
unexpected events, including internal and external attacks, that may affect the provision
of e-banking systems and services. To meet customers' expectations, banks should
therefore have effective capacity, business continuity and contingency planning. Banks
should also develop appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk and limit liability
associated with disruptions in their e-banking services.

Computerisation of Payment Systems - Project of RBI -
Action Plan for 2002 & 2003

[The establishment of modern, robust, efficient, secure, and integrated payment and
settlement system for the country - Policy objective of RBI]

(Source: RBI Publication)

Recognising the importance of payments and settlement systems in the economy of the
country, the Reserve Bank of India had embarked on technology based solutions for the
improvement of the payment and settlement system infrastructure, coupled with the
introduction of new payment products in the latter half of the twentieth century - such as
the Computerised settlement of clearing transactions, use of Magnetic Ink Character
Recognition Technology and Image for cheque clearing, operationalisation of BANKNET
- a leased line terrestrial network, the computerisation of Government Accounts and
accounting of Currency Chest transactions. The new payment products introduced over
the last few years included the two-way inter-city cheque collection at the four metros,
one-way inter-city cheque collection by clearing houses managed by the Reserve Bank of
India and a few clearing houses managed by the State Bank of India, Electronic Clearing
Service (Debit and Credit), Delivery versus Payment (DvP) for Government Securities
transactions and Electronic Funds Transfer.

At present, the Reserve Bank of India has adopted a holistic approach - in which
Information Technology is an integral component - encompassing the following:

i. design and development of a modern, robust, efficient, secure and integrated
payment and settlement system;
ii. risks in payment and settlement systems;
iii. legal framework;
iv. impact of payment systems on monetary policy;
v. concerns relating to oversight of the payment systems, and,
vi. role and responsibility of different constituents of the payment and settlement
systems.

In the design and development of integrated modern payment and settlement systems, the
Reserve Bank of India as the Central Bank plays a pivotal role, associating at the same
time the banking and financial industry in this exercise. A three pronged approach has
been adopted to usher in and establish a modern, robust payment and settlements system
consistent with international best practices. The strategy revolves primarily around three
major themes: (i) Consolidation of the existing Payment Systems; (ii) Development of
Payment Systems and (iii) Integration of the Payments and Settlement Systems.

The consolidation of the existing payment systems revolves around strengthening
Computerised Cheque clearing, expanding the reach of Electronic Clearing Service -
Debit and Credit and Electronic Funds Transfer - by providing for systems with the latest
levels of technology.

The elements in the developmental strategy are the opening of new clearing houses - to
be managed by banks - where 5 banks / branches of the banks exist; interconnection of
clearing houses through the INFINET; optimising the deployment of resources by banks
through the following facilities:

i. Real Time Gross Settlement System;
ii. Centralised Funds Management System (CFMS);
iii. Negotiated Dealing System (NDS) and Securities Services System (for the
settlement of Government Securities in a Delivery versus Payment mode); and
iv. the Structured Financial Messaging Solution (SFMS).

Integration of the various payment products with the systems of individual banks using
the facilities offered by computerisation and networking is the thrust area under
integration. Integration requires a high degree of standardisation within a bank and
seamless interfaces across banks. This would have to be done by standardisation of
systems whenever the new systems are acquired and old systems are replaced.
Development of corporate intranets by banks, and interconnecting the local branches and
connecting the computerised branches with the main branches in a city, with the
controlling offices, central treasury departments and head offices, making extensive use
of INFINET for intra-bank inter city connectivity is another focus area. The pictures
depicted below give a graphic representation of the INFINET and the connectivity of
banks.

Payment Systems - Agenda for Implementation

The Payment Systems Agenda for implementation during the period of over two years
ending March 2003 can be summed up as under:

a. Approach to computerisation and networking including the following
components:
o Standardisation in the form of standard interfaces with projects of national
importance
o Development of a secured and robust communication backbone consisting
of intranets of the participants, the INFINET and gateways for
communication
o Interface between networks of participants and the INFINET
o Design, development and implementation of critical payment system projects
b. Upgradation of the process environment and Human Resource Development.

Initiatives under each of these areas are detailed in the following paragraphs.

Programme for Computerisation and Networking

i. Development of the secure dedicated communication backbone - INFINET - for
the banking and financial sector. This would include providing the network for
participation by all categories of banks and financial institutions which would
benefit out of the usage of this Closed User Group network - such as for the
organisations dealing in Government Securities or those which maintain accounts
or perform business with the Reserve Bank of India. Keeping in tune with the
advances in technology, the network would be expanded to be a combination of
satellite and terrestrial modes of communication and action initiated for inter-
connectivity of this network to the network of banks (with adequate security
controls in place) to facilitate 'Straight Through Processing'.
ii. Utilisation of the network by the banking industry through the development of
intra-nets; intra-city connectivity to VSATs and development of bank level
gateways. The objective of the INFINET would be to provide inter-city and inter-
bank connectivity while banks' own corporate networks could provide inter-
branch and intra-city connectivity.
iii. Implementation of the Generic Architecture Model for inter-connectivity of
branches within banks - following the 'tree' (for older banks with a tiered
management control structure) or the 'star' topology (for the newer banks with a
flat management control / reporting structure).
iv. Integration of the message transfer facilities within the country with that of
Society for Worldwide Interbank Financial Telecommunication (S.W.I.F.T.) for
'Straight Through Processing' by inter-connectivity between S.W.I.F.T. and
INFINET.
v. Internet banking - as a delivery channel for banking services. Using the benefits
of the cost-effective medium of Internet, many services or products of banks
could be provided in a secure environment where the authenticity of the
constituent and the integrity of the message are ensured.
vi. Standardisation of technology for all these projects - from hardware, operating
systems, system software, application software and messaging middleware. While
these would be applicable for all common inter-bank applications, the software
applications at banks could provide for these requirements on the basis of the
standards.
vii. Providing for a Common Minimum Requirement Level (CMRL) in terms of
hardware and networking requirements at the participants of the payment and
settlement systems.
viii. Connecting INFINET and Internet in a secured manner so that some of the
services could be extended to the public through Internet as the delivery channel.
This could also be for settlement of e-commerce transactions - for the funds leg to
be settled using the INFINET with one bank functioning as the settlement bank.
Constituents of banks could communicate to the banks through the Internet or
through the medium of other private networks; the interface with the INFINET
would be based on achievement of minimum safety and security requirements in
all such cases.

Design, development and implementation of critical
payment system projects

1. Usage of the above infrastructure for inter-bank applications on the Network -
types of products (file transfers, e-mail, Deferred Net Settlements, Real Time
Gross Settlement Systems, Centralised Funds Management System, Securities
Settlement System and Structured Financial Messaging Solution and applications
of individual member banks such as Inter-branch Reconciliation, Automated
Teller Machine networks, credit information etc); interface with e-commerce and
internet at a later date; and by the Reserve Bank of India.
2. Increasing the scope and coverage of Electronic Clearing Services - Credit and
Debit Clearing to cover repetitive large volume, low value credits such as for
payment of dividends, interest, salaries, incentives, trade payments, and other
hitherto cheque based payments and utility payments such as for water, power,
gas, telecommunication services, credit card payments etc. and the provision of
centralised data submission facility with decentralised processing / data
distribution.
3. Increasing the scope and coverage of the Electronic Funds Transfer (EFT) facility
- both in terms of speed of conclusion of the transfer to ultimately achieve a
'same-day' movement across banks at different locations and for all categories of
customers including corporates by providing for large value transactions. Thus a
blend of frequent EFT transmissions and funds settlements could be effected to
take care of the varying needs of different segments and the pricing structure for
these could also vary accordingly.
4. Integration of the EFT scheme of the Reserve Bank of India with the schemes
available at different banks with the ultimate objective being that of establishment
of a national EFT scheme covering all banks
5. Electronic Data Interchange for providing for processing of electronic documents
for the trade and for exports and imports and for facilitating 'Just-in-time'
processing. This could be by the adoption of internationally accepted models with
standardised message formats and interchange guidelines.
6. Use of products with newer technologies - such as Smart cards and other cards
with integrated memory capabilities - all based on uniform standards providing
for inter-operability and capability to be used for multi-purpose applications with
a central settlement facility.
7. Inter-connectivity of the Automated Teller Machines or of the Automated Teller
Machine networks already established and integration with the systems to be set
up in the near future. This would provide for common usage of any time by any
Automated Teller Machine card holder with a centralised settlement facility.
8. Variants of electronic money (e-money or e-cash) based on the levels of usage of
such products - all in a safe and secure electronic environment.
9. Centralised Public Debt management and increased dealings in Government
securities. This would be achieved by the Centralised Public Debt Office system
comprising of the Negotiated Dealing System and the Securities Settlement
System and providing access to participants such as the Primary and satellite
dealers for the securities leg and integration of this system with the Real Time
Gross Settlement System. Linkage to the money market dealing systems for
exploiting the economies of scale would also be provided for. To take care of
netting of the securities transactions, the Clearing Corporation of India Ltd would
function as the Clearing House for securities netting and arriving at the net funds
settlement legs.
10. Implementation of the Real Time Gross Settlement System to provide for funds
settlement across bank accounts in central bank money - on a real time basis.
Intra-day liquidity facilities would be provided by the Reserve Bank on
collateralised repo basis or as may be decided from time to time - all keeping in
view overall economic impact of these provisions.
11. Accounting of Deferred Net Settlements as Real Time Gross Settlement
transactions to provide for real time posting of the settlements
12. Linkage of the Deposit Accounts Departments of the Reserve Bank of India -
through the Centralised Funds Management System so as to provide for the
current account holders an online facility to view the balances in the accounts
maintained with the Reserve Bank - using the messaging facility of the INFINET
13. Provision for funds movement across locations of the Reserve Bank in an online
manner using the Centralised Funds Management System with adequate security
control in place
14. Linkage of the clearing houses managed by the Reserve Bank of India in the first
phase and the other clearing houses in the second phase - to provide for a national
clearing settlement for Deferred Net Settlements.
15. Opening of new clearing houses at unrepresented cities in the country. The base
line criterion would be centres with five banks / branches
16. Expanding the coverage of Intercity cheque clearing to reduce the time-lags in the
cheque collection process. This would be by implementation of two-way inter-city
clearing between all the Magnetic Ink Character Recognition based centres
(whether the Cheque processing Centre is managed by the Reserve Bank of India
or not) in the first phase to be followed by the introduction of one-way clearing
between the non-Magnetic Ink Character Recognition centres and the nearest
Magnetic Ink Character Recognition centres.
17. Implementation of a foreign exchange clearing for all foreign currency
denominated transactions so as to ensure only the transmission of net funds
transfer messages to foreign correspondent banks - by the establishment of the
Clearing Corporation of India Ltd.
18. Expansion of Magnetic Ink Character Recognition based clearing to more centres
- using systems which would be optimal for these centres. The Cheque Processing
Centres at such centres would be manned by Commercial banks.
19. Introduction of Image based cheque processing which could be a fore-runner for
cheque truncation.
20. Introduction of cheque truncation at the appropriate stage - where the cheque does
not travel from the presenting bank to the drawee bank - but only the image of the
cheque travels - in an electronic environment.
21. Introduction of high value clearing at more centres to facilitate quicker realisation
of high value paper based instruments
22. Providing for centralised credit information systems - such as credit bureau to
gauge the financial health of borrowers of banks
23. Setting up of a central repository of data - the data warehouse which would have
data relating to payment and settlement systems also, which could be extracted
using appropriate data mining techniques. While the Reserve Bank would be
establishing a data warehouse for economic and other similar data, such initiatives
could also be embarked upon by banks and the Indian Banks' Association.
24. Setting up corporate bank Websites to disseminate information to customers and
enabling them to perform transactions will emerge in due course within the
industry

Upgradation of the process environment

1. Issues related to Business Process re-engineering within the banking industry and
the Reserve Bank of India including Facility Management, Security related issues
and the development and training of Human Resources to successfully man the
facilities created.
2. Compliance with the Core Principles for Systemically Important Payment
Systems as elucidated by the Bank for International Settlements, Basle.
3. Amendments to relevant laws - such as the Negotiable Instruments Act to take
care of non-paper based debits and other such requirements.
4. Formulation of suitable Payment System Legislation and a body (within the
Reserve Bank of India) to oversee the functioning of the payment and settlement
system of the country.
5. While it is possible to achieve the initiatives listed within the framework of the
current legal precincts, suitable other laws such as the Payment System Netting
Act, the Payment Systems Regulation Act, the Electronic Funds Transfer Act, the
Electronic Funds Transfer Regulations and other enactments to provide for
regulation and oversight over payment and settlement systems would be made.
6. Providing for Critical Minimum Security Requirements (CMSR) at the end of the
central processor and at the participants.
7. Providing for digital signatures and certification in respect of network based
messages, with the Institute for Development and Research in Banking
Technology being the certification authority for the banking / financial sector -
Public Key Infrastructure to provide security features of authentication, integrity,
confidentiality and non-repudiation.
8. Identification of areas of risk and putting in place adequate risk reduction
strategies based on risk profile assessment of the participants of the payment and
settlement systems.

Computerisation of Payment Systems - Projects of RBI -
Progress/Achievement as at March 2003
Payment and Settlement Systems - Progress/Achievements so far
[Source: Inaugural address by Shri Vepa Kamesam, Deputy Governor, Reserve Bank of
India, at the Seminar on Payment and Settlement Systems organised by Fixed Income
Money Market and Derivatives Association of India (FIMMDA) at Mumbai on May 6, 2003.]

The Payment and Settlement System is an essential part of the financial system of a
vibrant economy. Consolidation, Development and Integration of the financial
infrastructure and reforms in the payment and settlement systems of the country that
address the twin issues of safety and efficiency have been engaging the attention of the
Central Bankers and Financial Institutions the world over. Payment and Settlement
Systems are no longer the backwaters of either the banks or the Central Banks.

The Reserve Bank has taken up the mission critical approach to the establishment of an
integrated payment and settlement system in the country. A number of initiatives have
either already been implemented or are in an advanced stage on the drawing board.
Identification and classification of the Systemically Important Payment System (SIPS)
have been done and various measures have been initiated to facilitate real time or near
real time large value inter-bank funds transfer in secured environment.

Recent Initiatives

1. The PDO/NDS/SSS project, comprising inter alia the Negotiated Dealing System
(NDS) is an initiative, which provides for an electronic platform for facilitating
trading in Government Securities and Money Market Instruments. The System
has been operational for over a year now and the manner in which you have used
the System is laudable. We have been actively fine-tuning the PDO-NDS system,
based on your feedback and we will continue to do so in the interest of the
banking community. The Securities Settlement System (SSS) will, in the near
future, provide on-line depository services for the Government Securities.
2. The Clearing Corporation of India Ltd., (CCIL) established at the behest of the
Reserve Bank, has established itself as a Central Counterparty and is presently
extending guaranteed settlement for trades done in the Government Securities
Market and the Forex market. The number of products launched by CCIL in its
short duration of existence speaks volumes of both the CCIL and the financial
sector. The forex trading platform, offered by CCIL, for taking care of the
settlement of inter-bank rupee-US dollar deals, provides for a deep, liquid and
transparent forex trading facility. This will help in improving market efficiency
and integrity.
3. Special EFT has been introduced to facilitate funds settlement on T+0 basis thrice
a day. This facility is available from 2500 bank branches located in 500 centres.
4. The Centralised Funds Management System is one such initiative, which provides
for a Centralised Funds Enquiry System to the treasury branches of the banks in
the first phase and the Centralised Funds Transfer System in the second phase,
allowing the banks to do an optimal deployment of funds. I am sure that most of
you have already been actively using the funds enquiry module of CFMS as a
platform for having a bird's eye view of your account balances at the various
Reserve Bank locations. Very shortly, you will be in a position to use this platform
to do a near real time transfer of funds between your accounts in pursuance of
your day-to-day funds management exercise.

Real Time Gross Settlement System (RTGS)

The Real Time Gross Settlement System is the key critical element and provides the
missing link in the process of the setting up of the Integrated Payment and Settlement
System in the country. The Real Time Gross Settlement System has now, the world over,
been the preferred mode of the settlement of large value inter-bank payments, with more
and more countries moving towards it. In the SAARC region, we are now being joined by
Sri Lanka, which has also decided to move over to RTGS.

RTGS, as a settlement process, minimises settlement risks by settling individual
payments in real time in the books of account, held at the Central Bank. Under RTGS, the
practically instant settlement ensures fast, secure, final and irrevocable settlement of
payment transactions.

The Real Time Gross Settlement System on implementation will be a defining moment in
the history of the Payment and Settlement Systems in the country. It will be, in fact, a
significant step towards the creation of an integrated, robust, safe, secure and modern
Payment and Settlement System and I am sure all of you are looking forward to be part of
the revolution.

It is relevant here to mention the roadmap for the implementation of the RTGS System. In
June, 2003, we will have a demonstrable RTGS package for testing and familiarisation. It
will be like an induction platform for the banks to the RTGS Standalone System, which
will be delivered in October, 2003. After completion of testing and acceptance, RTGS
System will become operational before year-end.

RBI has been building up awareness about the RTGS System. Already a series of
Workshops and Seminars have been organised for your Treasury and IT Heads. We have
also organised a 'Seminar on Liquidity Management in RTGS Environment' to apprise
you of the challenges that you may face on the operationalisation of the RTGS System
and the manner in which you have to control and co-ordinate your liquidity management
measures to derive optimal benefits from the RTGS System.

It cannot be disputed that the technological innovations, in general, have been at the core
of the reform process in the services sector globally and the financial sector, in particular.
For the last so many decades, it has been driving the business re-engineering process in
our banking industry. It is appropriate to mention here that the Reserve Bank has been
actively studying these developments and readying itself to provide for a technology
framework and operating environment, conducive to the banks. Some of the initiatives
that we have already undertaken are given below:

INFINET - a 'Closed User Group' Network of Banking & Financial Sector

As a reliable communication backbone to facilitate improvement in financial services, the
Reserve Bank of India has, through IDRBT, set up the INFINET - a 'Closed User Group'
network as the exclusive domain for the applications of the entities in the banking and
financial sector. As you all know, the INFINET is a blend of VSAT technology and
terrestrial leased line technology based Wide Area Network. INFINET provides for the
robust and reliable communication backbone for the implementation of all the
Systemically Important Payment System applications.

Structured Financial Messaging System (SFMS)

The Reserve Bank's concerns and focused attention on the twin issues of security over the
INFINET and message standards for intra/inter-bank applications have led to the
development and implementation of the Structured Financial Messaging System (SFMS),
a standard messaging protocol, which would be riding on the INFINET communication
backbone. SFMS has adequate in-built security and with Public Key Infrastructure (PKI),
provides for a security solution of international standards. SFMS will also act as an
alternative for accelerating the integration of the branches of the banks.

Secondly, a state-of-the-art, robust and secure platform - IBM S-390 System with a
complete standby installation - has been made operational in Mumbai centre to ensure the
availability of the requisite technical infrastructure, capable of robustness, operational
resilience and redundancies to ensure business continuity. The Disaster Recovery Site is
being set up at a geographically distanced location from Mumbai.

You will all agree that these efforts are incomplete without the total involvement and
participation of the end-users of the payment and settlement system. The proverbial "last
mile" problems will have to be resolved. In order that the benefits, as conceived of under
the Integrated Payment Systems Architecture in the country, cascade down to the smallest
branch of every bank and to every customer, you will have to be in an extremely high
level of preparedness in terms of systems and operational processes, technology and
human resources, to make the most of these and the newer opportunities, arising due to
the fast changing canvas.

Technology in Banking

In the area of Information Technology, specific attention will have to be paid to the Ten
Core Issues. These are fundamental to the participation and realisation of optimal
advantages from the RTGS System round the corner.

a. A Payment System Gateway as the Single Point of Interface with the INFINET
for participation in the Systemically Important Payment System applications;
b. Connectivity between the Payment System Gateway and the Primary Site and
Standby Site of the Reserve Bank;
c. Computerisation of bank branches with connectivity;
d. Setting up of intra-bank intra-city leased line network;
e. Connectivity with the Hub at each Reserve Bank site under the 21-centre
Intercity Leased Line Network of the INFINET;
f. Synchronous Systems across the bank - Hardware, Operating System and
Communication Platform;
g. IDRBT, CA, CPS, Implementation of PKI and Creation of Registration Authority;
h. Uniformity in Message Format for Inter/Intra bank applications across the
banking sector and implementation of SFMS;
i. Internal Applications of the bank and Interface with the RTGS System and
j. Development, documentation and implementation of the Information Systems
Security Policy in the bank.

I am aware that quite a few of the above requirements have already been met by the
majority of the banks present here. I urge upon those, who have not yet met them or
partially met them to do the same urgently. Most important and critical among these are
the Connectivity and Security Issues. Unless all your branches are networked, the
benefits of a secured and modern Payment System will not percolate to the end-users of
the banking system i.e. the ordinary public. Further, unless the security features of the
entire Transaction Cycle are enhanced to the level of international standards (which is
being sought to be achieved through the implementation of the PKI and use of Digital
Certificates), the common man will not repose his full confidence in the Electronic
System of Funds Transfer. That is why, the Reserve Bank has been emphasising
'Connectivity' and 'Security' as the Core and Critical Pre-requisites, to be duly addressed
by the banking sector for participation in the RTGS System.

The RTGS System will be a mode for large value inter-bank settlement, to be widely
used, for enhancing your risk control measures, for faster and efficient settlement of your
liabilities and for better customer services for the ultimate users in the value chain. The
success of this system will be one more step towards realising our objectives of a modern,
secure, resilient and Integrated Payment and Settlement System in the country. We are
sure that all of us will be partners in this step forward.

INFINET AND ITS IMPACT ON BANKING

The Need for Network (Wide Area Intranet) Connecting different Banks' Branches in India

It had been widely felt earlier that one of the biggest bottlenecks in the banking system in
the country was the lack of a system that ensures fast, safe and secure intra-bank and
inter-bank communication. In fact, this deficiency had been hampering to a large extent
the development of a modern, integrated payment system in the Nineties. Most of the
complaints against banks in those days related to the time taken for transfer of
funds across banks and between cities and to the delays in the collection of outstation
cheques. Clearly, the non-availability of a reliable communication backbone had been
one of the main contributors to this state of affairs. The functioning of the terrestrial line
networks was hardly optimal in terms of efficiency, although of late, there has been some
change in this area for the better. But, the wide geographical spread of branches of banks
and the differing terrain of the country necessitated the setting up of a reliable
communication backbone as an imperative factor.

The best solution in the given circumstances, therefore, was to centre on the establishment
of a satellite-based network using VSAT technology. The decision to go in for VSAT
technology was a deliberate choice. For, without it, it would have been difficult to initiate
the network, the Indian Financial Network or INFINET as we have now called it. Clearly,
it gets the distinction of being a forerunner of an efficient telecommunications backbone
for the Banking and financial sector.

About VSAT Technology

VSAT is an acronym for Very Small Aperture Terminal, but more simply put it describes
a small satellite terminal that can be used for one-way and/or interactive communications
via satellite. VSATs are a well-established telecoms solution, with more than 500,000
terminals installed in more than 120 countries. But miniaturization of components and
increased economies of scale are lowering costs still further, enabling service providers to
offer an increasing range of VSAT-based solutions, including rural telecoms, distance
learning, telemedicine, disaster recovery, offshore networks, as well as a host of corporate
and government applications.

INdian FInancial NETwork (INFINET)

The INdian FInancial NETwork is the communication backbone for the Indian Banking and Financial
Sector. All Banks, Public Sector, Private Sector, Cooperative, etc., and the premier
Financial Institutions in the country are eligible to become members of the INFINET. The
INFINET is a Closed User Group (CUG) Network for the exclusive use of Member
Banks and Financial Institutions. It uses a blend of communication technologies such as
VSATs and Terrestrial Leased Lines. Presently, the network consists of over 950 VSATs
located in 127 cities of the country and utilises one full transponder on INSAT 3B.

The INFINET is primarily a TCP/IP based network. A detailed IP addressing scheme has
been devised by IDRBT for all CUG members, which has to be strictly followed by all
CUG members, while interacting via the communication backbone.

INFINET, an acronym for the Indian Financial Network, uses a blend of communication
technologies such as VSATs and Terrestrial Leased Lines. The HUB of the VSAT
network is situated at IDRBT, and consists of an 11-metre antenna and other satellite
earth station equipment. Presently, the network consists of over 950 VSATs located in
more than 180 cities of the country and utilises one full transponder on INSAT 3B.

The INFINET was inaugurated on June 19, 1999. Various inter-bank and intra-bank
applications, ranging from simple messaging, MIS, EFT (Retail), Electronic Clearing
Service (ECS) for both Credits and Debits, online dealing and trading in Government
securities, Centralized Funds Management System (CFMS) for Banks and FIs,
Anywhere/Anytime Banking, Inter-Branch Reconciliation, Structured Financial Messaging
System (SFMS) and Real Time Gross Settlement (RTGS) System, are being implemented
using the INFINET as the backbone.

The network consists of a central earth station (HUB) which is located at IDRBT,
Hyderabad. The HUB consists of an 11 metre antenna, RF, BaseBand and IF equipment.
The network started with one eighth of transponder (No. 13) in INSAT 2B in June 1999.
Later, in July 2000, a full transponder (No. 8) was allotted on INSAT 3B. The network
works on TDM/TDMA technology.

The central earth station is housed in a VSAT Control Centre (VCC) located on the
ground floor of the Executive Facilities Centre of the Institute. DAMA overlay will also
soon be provided to facilitate high speed data communications, voice and video. Two
Diesel Generator sets of 250 KVA each, in hot stand-by mode, have been installed to
supply round the clock power to the Earth Station. Two UPSs of 60 KVA each in hot
stand-by mode have been installed for providing uninterrupted power to the Earth Station
round the clock. Sixty tonnes of package AC units have been installed to provide ambient
temperature for the Earth Station equipment. The Earth station is manned by trained
personnel to ensure smooth functioning of the network round the clock.

The VSAT network was just the first step in the setting up of a highly efficient
communication backbone for the Indian Financial Sector. The Institute explored ways
and means to expand the network using more VSATs as well as through high speed
terrestrial links. In order to have a judicious mixture of technologies in the INFINET, a
Leased Line Network (LLN), connecting 21 major cities has been seamlessly integrated
with it. The LLN is a mix of 2 Mbps and 64 Kbps lines. The LLN provides gateways to
banks from each of these 21 cities. The Network Management System (NMS) of the LLN
is located at the INFINET Hub at Hyderabad. The Backup NMS is located in the Main
Office of RBI in Mumbai.

The VSAT network and the terrestrial Leased Line network of the INFINET will co-exist
by drawing from the strengths of each other. Now, the users have the facility of a
dynamic option to choose between these two networks depending upon the need,
urgency, suitability, volume of traffic, availability and accessibility.

The INFINET proposes to include the much-sought-after Ku Band VSAT Network to the
powerful and reliable options and capabilities it already provides. Evaluation of options
and vendors, for installing and integrating the Ku Band Network is on. The INFINET will
be the communication backbone for the National Payments System, which will cater
mainly to inter-bank applications like RTGS, Delivery Vs Payment (DVP), Government
Transactions, Automatic Clearing House (ACH) etc.

Electronic Clearing Service(ECS)


There can be no better measure of success of the INFINET than the facility for quick
funds transfer. The Reserve Bank of India has, over the last few years, developed many
new products for the benefit of banks which are all aimed at ultimately improving
customer service and systemic efficiency. One of these - the Electronic Clearing Service
(ECS) - is aimed at effecting electronically, repetitive credits or debits for a large
population of customers spread across a large number of branches of many banks.

Electronic Funds Transfer (EFT) Scheme of RBI

Another product that was introduced is the Electronic Funds Transfer (EFT) Scheme of
the Reserve Bank of India. This facility was originally in operation between the four
major metropolitan cities. Currently, RBI has 15 national clearing cells (NCC) between
which electronic fund transfer is enabled. According to RBI sources, under the present set
up, the apex bank can have a maximum of 15 clearing houses, along with its 15 regional
offices.

However, RBI is considering a proposal to utilise State Bank of India's clearing houses to
increase the reach of electronic fund transfer (EFT) facility in the country. Being the
largest bank, SBI has the maximum number of clearing houses across the country. A tie-
up with SBI's clearing houses will enable RBI to expand the electronic fund transfer
facility and provide electronic fund transfer facility to almost every district in the country.
The RBI will provide the EFT software to SBI's clearing houses.

No payment system could boast of excellence unless funds transfers take place on an
on-line basis. In India, we have the banks maintaining current accounts at the various
locations of the Reserve Bank of India. Managing funds flows at these current accounts
and providing for transfers from one location to another is yet another activity that could
be put over the INFINET. The Reserve Bank has introduced the Centralised Funds
Management System (CFMS), comprising the Centralised Funds Enquiry System (CFES) and
the Centralised Funds Management System (CFMS). This paves the way for
banks to manage their funds with the RBI in a much more efficient manner and also
provide the Treasury / Funds departments of banks with latest information on their
balances with the various Deposit Account Department offices of the RBI.

A natural extension of the above would be the establishment of a Real Time Gross
Settlement System for the country. RBI has done a considerable amount of concrete work
towards the setting up of an RTGS system for the country.

Reserve Bank of India has launched a project to construct a real-time gross settlement
system (RTGS), which will allow secure inter-bank payments throughout the country.
The system is planned to eventually interface to all RBI sites, as well as other member
banks across the country.

This project will provide significant benefits to individuals and businesses throughout
India. By underwriting all payments with collateral held at the Reserve Bank of India, the
RTGS system will reduce systemic risk in the Indian banking system, thereby providing
increased integrity and security for all interbank transactions.

Yet another area of interest is the Management Information Systems (MIS). Using
Information Technology for MIS is ideal and helpful in decision making. INFINET also
helps to provide facilities for banks for transmitting information on currency chests,
which would ensure flow of notes and coins as required. INFINET would also provide
communication tools for carrying MIS-based data of banks and financial institutions -
both for their own internal usage, such as periodical statements, data etc., and for
sharing across members critical data such as credit information of customers at the
national level, intercity linking of ATMs, facilities for transmission of data for data
warehousing purposes, data mining etc. The dissemination of information from the
Central Bank to the other members - in the form of circulars, guidelines and the like -
could also be through the INFINET.

Structured Financial Messaging Solution (SFMS) - Safety System for E-Transfer of Funds

In November 2001, RBI introduced the Structured Financial Messaging Solution
(SFMS), an application which would be riding on the backbone of the Indian Financial
Network (INFINET), intended as a measure to ensure greater security in the process of
electronic funds transfers. The SFMS provides security in the various electronic funds
transfer services introduced by RBI, such as the Credit Clearing and Debit Clearing and
the retail Electronic Funds Transfer (EFT) system, and prevents unauthorised usage.
Objective & Benefits

• The usage of the SFMS over the INFINET would automatically bring the benefits
of safe, secure and efficient funds transfers
• There would also be the added benefit of settlement of inter-bank transfers taking
place in the books of accounts of banks maintained with the RBI thereby
providing for finality of settlement. SFMS would have adequate security
measures incorporated, including that of PKI-Public Key Infrastructure, with
encryption software comparable to some of the best implementations in the world.

How SFMS was Developed

Institute for Development and Research in Banking Technology (IDRBT) and Tata
Consultancy Services (TCS) entered into an agreement on 15th February 2001 for
deploying a Messaging Solution for the Indian Banking and Financial Sector. The
solution aimed at providing Secured Multi-tiered Financial Messaging will enable Banks
to send financial and non-financial messages across the Indian Financial Network
(INFINET) in a secure environment.

The Structured Financial Messaging Solution (SFMS) is based on TCS's messaging
gateway product COMS-eNABLER®. It is being customized and deployed in a
multi-tiered architecture consisting of a central HUB, Bank Gateways and the Branch
Front-ends. The solution allows the definition of message structures, message formats,
and authorization of the same for usage by the financial community. Specifically, the
banks and financial institutions will use the designated messages for a wide range of
applications such as simple messaging, EFT (Retail, RTGS), ECS, Electronic Debit,
online trading in Government securities, centralised funds query for Banks and FIs,
Anywhere/Anytime Banking, Inter-Branch Reconciliation etc. through INFINET.

How it Operates

To use this messaging solution, banks must have their terminals in their branches
connected through LAN, WAN or even PSTN lines to the server located at a central place
in a city. The terminal can be accessed only by means of a Smart Card and a personal
identification number (PIN). The messages will have to be digitally signed under a public
key infrastructure (PKI).

Based on this platform, messages are processed in a safe and secure environment and
banks and financial institutions will be able to ensure a secure electronic message
delivery. An advantage built into the system is that it facilitates banks to launch
innovative products across centres and cities, say the software developers. Another
advantage is that it provides a safe and secure interbank communication. Individual banks
only need to integrate their systems with the SFMS to leverage the facility. Applications
such as simple messaging, electronic clearing system, electronic debit, online trading in
Government securities, centralised fund queries for banks and financial institutions,
anywhere anytime banking, inter-branch reconciliation etc. can be communicated
through SFMS over the INFINET.

The integration of existing bank applications would require interaction among the
concerned bank, the IDRBT, TCS and the bank's application provider. Application
programme interfaces are provided for this purpose.

The Front-ends in the branches are connected to the Gateway(s), and in turn the
Gateways are connected to a Central Hub. The solution is integrated with a Smart Card-
based PKI infrastructure ensuring total privacy, integrity, security, encryption and
decryption mechanisms with full acknowledgement and non-repudiation techniques.
These will conform to ISO and ANSI standards, as recommended by the Dr. Vasudevan
Committee Report on Technology Upgradation in the Banking Sector.

SFMS facilitates online message creation, which, after authorisation, is communicated
across without further human intervention as in straight through processing (STP). The
financial messaging system ensures that the Indian banking and financial services sectors
are on a par with the rest of the world.

Under the system, any financial transaction communicated between the two branches of
two different banks, which normally took between one and three weeks despite
computerisation, would now be completed within a few minutes. Being a Web enabled
modular software, the solution facilitates either centralised or distributed messaging and
works in a secure environment.

The security system is built on Smart Card-based user access and the messages are
secured via standard encryption and authentication services conforming to ISO and
SWIFT standards. The system has provision for complete auditing, logging, time
stamping and warehousing of messages.
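
The signing and verification steps described above, as an added example (not code from the page, IDRBT or TCS): a sender signs a message with its private key, and the receiver accepts it only if the signer's certificate chains to the trusted certification authority, the signature covers the exact bytes received, and the sender named in the message matches the certificate. The message fields, branch and CA names, and the use of Ed25519 with X.509 from Go's standard library are assumptions for illustration; the page does not specify the SFMS algorithms or message formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type Message struct { // constructed stand-in; fields are assumptions, not the SFMS format
	Sender, Receiver, Reference string
	AmountPaise                 int64
}

type Signed struct{ Body, Sig, Cert []byte } // signed bytes, signature, signer's DER certificate

// issue makes a key pair and certificate for cn; parent == nil gives a self-signed CA.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		parent, signer = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// sign serialises m and signs those exact bytes with the sender's private key.
func sign(m Message, key ed25519.PrivateKey, cert *x509.Certificate) Signed {
	body, _ := json.Marshal(m) // cannot fail for a struct of strings and an integer
	return Signed{Body: body, Sig: ed25519.Sign(key, body), Cert: cert.Raw}
}

// verify is the receiving side: certificate chain, then signature, then sender binding.
func verify(s Signed, roots *x509.CertPool) (m Message, err error) {
	cert, err := x509.ParseCertificate(s.Cert)
	if err != nil {
		return m, fmt.Errorf("unreadable certificate: %w", err)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return m, fmt.Errorf("signer not certified by a trusted CA: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, s.Body, s.Sig) {
		return m, errors.New("signature does not cover the message bytes")
	}
	if json.Unmarshal(s.Body, &m) != nil || m.Sender != cert.Subject.CommonName {
		return Message{}, errors.New("sender field does not match certificate subject")
	}
	return m, nil
}

// runScenario returns the verifier's verdict per case (nil = accepted) and any setup error.
func runScenario() (genuine, tampered, unknownCA, spoofed, setup error) {
	ca, caKey, e1 := issue("Constructed Banking CA", nil, nil) // the only trusted root
	other, otherKey, e2 := issue("Unrecognised CA", nil, nil)  // not in the trust store
	a, aKey, e3 := issue("BRANCH-A", ca, caKey)
	b, bKey, e4 := issue("BRANCH-B", ca, caKey)
	x, xKey, e5 := issue("BRANCH-A", other, otherKey) // right name, wrong issuer
	for _, setup = range []error{e1, e2, e3, e4, e5} {
		if setup != nil {
			return
		}
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	msg := Message{"BRANCH-A", "BRANCH-B", "REF-0001", 2500000}
	good := sign(msg, aKey, a)
	_, genuine = verify(good, roots)
	altered := sign(Message{"BRANCH-A", "BRANCH-B", "REF-0001", 9500000}, aKey, a)
	altered.Sig = good.Sig // amount changed in transit, original signature kept
	_, tampered = verify(altered, roots)
	_, unknownCA = verify(sign(msg, xKey, x), roots)
	_, spoofed = verify(sign(msg, bKey, b), roots) // branch B claiming to be branch A
	return
}

func main() {
	fmt.Println(runScenario())
}
```

Running it prints the verdicts for the genuine, altered, untrusted-issuer and impersonation cases, followed by the setup error; only the first and the last are nil.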

TCS, which has engineered the software in close association with the IDRBT team, has
built the messaging system on a similar solution developed for the Global Straight
Through Processing Association (GSTPA). The messaging system is designed based on a
multi tiered solution covering the Indian Financial Network (INFINET) hub, bank
gateways and bank sites.

All banks - public sector, private, foreign and cooperative - and financial institutions can
benefit through the system by being members of the IDRBT. The solution has been
initially deployed, covering Punjab National Bank, Bank of Maharashtra and Canara
Bank on a pilot initiative. A large number of banking and financial institutions have now
leveraged the facility.

With regard to inter-bank applications, the Reserve Bank of India (RBI) has already taken
the initiative in implementing applications such as RTGS (Real-Time Gross Settlement
System), DVP (Delivery Versus Payments) and the CFMS (Centralised Funds
Management System) which can benefit by using the SFMS system. The advantage with
the solution is that banks can link their high volume branches, irrespective of their
categories, through connectivity such as PSTN or ISDN or leased lines to INFINET.

Special Electronic Funds Transfer - Electronic Transfer of Inter-Bank Funds

The SEFT Scheme has been introduced by the Reserve Bank of India, in conjunction with
banks from April 1, 2003, to provide a safe, secure and same-day electronic transfer of
funds across the country.

The Special Electronic Fund Transfer (SEFT) Scheme will have settlement taking place
at Mumbai for inter-bank funds transfers. The scheme has been made available in over
2,500 bank branches in 500 cities. SEFT facilitates timely settlement of pay-in and pay-
out under the proposed T+2 based rolling settlement in securities at stock exchanges.

Objects of the Scheme

The objects of the RBI SEFT System are :

1. to establish an Electronic Funds Transfer System to facilitate an efficient, secure,
economical, reliable and expeditious system of funds transfer and clearing in the
banking sector throughout India, and
2. to relieve the stress on the existing paper based funds transfer and clearing
system.

Coverage

Initially, the System would cover branches of banks as indicated by Reserve Bank of
India. To facilitate quick transfer of SEFT messages, it is essential that only networked
branches of banks are part of the systems. Banks' own networks could be used for inter-
branch communication.

The salient features of the Scheme are:

• The Scheme is designed to provide for same day inter-bank transfer of funds
between accounts maintained in any of the participating branches under the
Scheme.
• The Scheme covers branches of banks that are networked so that SEFT messages
could be transmitted electronically and quickly.
• Inter-bank settlement under the SEFT Scheme will be done at Mumbai with the
processing being done at the National Clearing Cell, Reserve Bank of India,
Nariman Point, Mumbai.
• There will be three SEFT settlement cycles on weekdays (at 12:00 noon, 2:00
p.m. and 4:00 p.m.) and two settlements on Saturday (at 12:00 noon and 2:00
p.m.).
• Credit in respect of inward SEFT requests would be given to the beneficiary's
account latest before the next settlement cycle.
• Any credits that cannot be afforded to the beneficiary's account would be returned
during the next settlement cycle failing which the credits would be assumed to
have been effected.
• The settlement cycles under the SEFT Scheme will be distinct from the existing
EFT Scheme, which will continue to operate even after the introduction of the
SEFT System.
• There would be around 500 cities covered by SEFT - with the number of branches
exceeding 2500.

The Scheme would facilitate timely settlement of pay-in and pay-out under the proposed
T+2 based rolling settlement in securities at the Stock Exchanges.

Procedural Guidelines for Participating Banks

Procedural guidelines detailed hereunder, participating banks and institutions and the
system of computer and communication network through which funds transfer operation
would take place.

Definitions
SEFT Centre: means any office designated by the Nodal Department in each of the
centres to which EFT system is extended, for receiving, processing and sending the EFT
data file and the debiting and crediting of accounts of the participating banks and
institutions for settlement of payment obligations or one or more of these functions.
National Clearing Centre, Mumbai is being designed as the EFT centre.

EFT Data File: means an electronic data file of a batch of payment orders for funds
transfers, processed and consolidated in the manner specified for transmission of
consolidated payment orders and communications concerning payment orders from EFT
service branch to the EFT centre.

SEFT Service Branch: means an office or branch of a bank or institution in a centre
designated by that bank or institution to be responsible for processing, sending or
receiving EFT data file of that bank or institution in that Centre and to do all other
functions entrusted to an SEFT service branch by or under these Regulations. SEFT
Service Branch is referred to as "Sending SEFT Service Branch" when it originates an
EFT Data File for Funds Transfer. SEFT Service Branch is referred to as "Receiving
SEFT Service Branch" when it receives EFT Data File from SEFT Centre.

SEFT System: means the Special Electronic Funds Transfer System established by these
Regulations for carrying out inter bank and intra-bank funds transfers within India,
through EFT centres connected by a network, and providing for settlement of payment
obligations arising out of such funds transfers, between participating banks or
institutions.

Execution of a payment order: in relation to a sending bank means the transmission or
sending of the payment order by it to the EFT Service Branch; in relation to a Service
branch it means transmission of the consolidated payment order in the encrypted EFT
data file to the SEFT centre.

Funds Transfer: means the series of transactions beginning with the issue of originator's
payment order to the sending bank and completed by acceptance of payment order by the
beneficiary's bank for the purpose of making payment to the beneficiary of the order.

Nodal Department: means the Department of Information Technology of Reserve Bank
which is responsible for implementation, administration and supervision of the SEFT
System.

Security Procedure: means the set of procedural guidelines at Paragraphs under the
Sections of these Guidelines for the purpose of

i. verifying that a payment order, a communication canceling a payment order or an
SEFT Data File is authorised by the person from whom it purports to be
authorised; and
ii. for detecting error in the transmission or the content of a payment order, a
communication or an EFT Data File.

Sending bank: means the branch of a bank, maintaining an account of and to which
payment order is issued by the originator. When the originator is a participating
institution, reference to sending bank shall be construed as referring to the SEFT centre.

Settlement Account: means an account maintained by a participating bank or institution
for the purpose of settlement of payment obligations under SEFT Systems.

Valid Reasons of Non-payment: are the reasons listed as under due to which beneficiary
bank fails to make payment to the beneficiary. Some illustrative reasons are :

a. Beneficiary not having an account with the beneficiary bank.
b. Account Number or account name indicated in the payment order not matching
with the number or name as recorded at the beneficiary bank.
c. Dislocation of work due to circumstances beyond the control of the beneficiary
bank such as earthquake, fire etc. at the place where the beneficiary's account
details are maintained etc.

Admission Necessary for Participation

No person shall be entitled to effect a funds transfer in the SEFT System, unless the
sending bank and the beneficiary bank are admitted for participation in the SEFT System.
To be eligible to apply for admission, an applicant must-

1. be a bank.
2. have attained and continue to comply with capital adequacy norms, if any,
applicable to it.
3. be willing and able to comply with the technical operational requirements of SEFT
System,
4. be approved by the Reserve Bank as eligible to maintain a settlement account
with it.

Provided that, having regard to the pattern of ownership and such other relevant
factors, all or any of the above conditions may be relaxed or dispensed with, if so decided
by the Reserve Bank of India.

Procedure for Admission

Any bank or institution eligible to be admitted in the SEFT System may submit to the
Nodal Department a duly authenticated application containing full particulars in the form
specified at Annexure-I (Form: SFT-IA) (to RBI Guidelines). Every application shall be
accompanied by an undertaking in the specified form to abide by the Procedural
Guidelines in the event of admission.

SEFT - PROCESS FLOW


The parties to a funds transfer under this SEFT System are the sending bank, the sending
service branch, the SEFT centre, the receiving service branch and the beneficiary
branch.

Request for SEFT by bank customer

A bank customer (i.e. sender or originator) willing to avail of the remittance facilities
offered by a sending bank shall submit an "SEFT Application Form" authorising the
sending bank to debit the sender's account and transfer funds to the beneficiary specified
in the SEFT Application Form.

Each participating bank/institution may design the format of "SEFT Application Form". A
model SEFT Application form is given at Annexure-III (Form: SFT-2A).

The sender's request for transfer of funds shall contain no condition other than date on
which funds transfer process should be initiated.

The relationship between the customer (i.e. sender) and the sending bank will be
governed by an Agreement to be executed between them. The Agreement shall govern
every payment order issued by the customer during the period of validity of the
Agreement. A Model Customer Agreement is given at Annexure-IV (Form-2B).

The value of each SEFT transaction shall be for whole rupees only. This stipulation may
be clearly indicated on the SEFT Application Form.

The upper limit for individual SEFT transaction or payment order shall be fixed by the
Nodal Department. Till further advice from the Nodal Department, the limit shall be
Rs.2,00,00,000/- (Rupees two crores only).

A transaction within the SEFT system will be said to have been initiated when the
sending bank accepts a payment order issued by the sender by issuing a "receipt"
indicating the date of initiating funds transfer operation and the likely date on which the
beneficiary bank may make payment to the beneficiary.

If in a single payment instruction, the sender directs payments to several beneficiaries,
each payment direction shall be treated as a separate payment order.

A bank branch may reject a customer's request for funds transfer when, in the opinion of
the remitting branch,

i. the customer has not placed funds at the disposal of the sending bank; or funds
placed is not adequate to cover the sum to be remitted and the service charge; or
ii. the beneficiary details given in the SEFT Application form are not adequate to
identify beneficiary by the beneficiary bank. The essential elements of
beneficiary's identification are :
a. Beneficiary's Name :
b. Centre name :
c. Beneficiary Bank Name :
d. Beneficiary branch Name :
e. Beneficiary's Account Type :
f. Beneficiary's Account No :

(Items (a) to (d) could be codified also.)

The sending bank shall prominently display at its premises the cutoff time schedules up to
which it shall receive the SEFT Application Forms from its customers for different
settlements.

SEFT Scroll

The sending bank would consolidate the applications received till the cutoff time and
forward the SEFT data to the service branch via the network.

Data Entry at Sending SEFT Service Branch

The sending SEFT service branch shall prepare SEFT Data File by using the software
package supplied by the Nodal Department. Control procedure should be developed by
the sending bank to ensure accuracy in data entry with reference to the data elements
furnished in SEFT file. After SEFT Data File is consolidated from various branches, the
Service Branch should generate consolidated EFT file and transmit the same to the SEFT
centre. There shall be only one service branch per bank.

National Clearing Cell (NCC) to Function as SEFT Centre

The National Clearing Cell (NCC), of the RBI at Mumbai will be the data processing
"SEFT Centre".

Transmission/Submission of EFT Data File to the SEFT centre

The remitting service branch shall transmit the EFT Data File to the SEFT centre by
using the communication network designated by Reserve Bank.

The data files would be transmitted to National Clearing Centre in such a manner that
they reach well before the settlement zones to be notified by the Nodal Department. To
begin with, three settlements would be conducted at 12.00 noon, 2.00 p.m. and 4.00 p.m.
on week days and 12.00 noon and 2.00 p.m. on Saturdays.

Receiving NCC transmitting NCC Data File to the Beneficiary Banks

After consolidating all EFT Data Files received from the participants, the NCC shall
process the data and generate the settlement. Each beneficiary bank with at least one
inward remittance transaction would have an NCC Data File.

NCC Data Files generated for the banks will be available on the secure website and each
bank needs to download the file immediately after the conclusion of each settlement
zone.

Data validation at receiving SEFT Service Branch

On receipt of the NCC Data File, the receiving SEFT service branch shall first validate
the file using the validation routine provided in the SEFT package. Apart from the
validation with reference to the encryption key exchange with local NCC and checksum
total for the entire file, the package would validate the individual records as well.
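
The three layers of validation described above (a keyed check on the file, a checksum total for the whole file, then the individual records), shown as an added example that is not the SEFT package's own routine. The pipe-delimited layout, the HMAC-SHA256 stand-in for the keyed check, the control total over amounts and all function names are assumptions; the whole-rupee rule, the Rs. 2,00,00,000 ceiling and the six beneficiary fields are the ones the guidelines state.

```python
import hashlib
import hmac

MAX_AMOUNT = 2_00_00_000  # per-order ceiling from the guidelines: Rs. 2,00,00,000
# Hypothetical detail layout: D|seq|name|centre|bank|branch|account type|account no|amount
REQUIRED = {2: "beneficiary name", 3: "centre", 4: "bank", 5: "branch",
            6: "account type", 7: "account number"}


def file_mac(key, body_lines):
    """HMAC-SHA256 over header and detail lines (assumed stand-in for the keyed check)."""
    return hmac.new(key, "\n".join(body_lines).encode(), hashlib.sha256).hexdigest()


def whole_rupees(text):
    """Return the amount as int if it is a plain whole-rupee figure, else None."""
    return int(text) if text.isascii() and text.isdigit() else None


def build_file(key, bank, cycle, records):
    """Sender side, used here only to construct sample input."""
    body = [f"H|{bank}|{cycle}|{len(records)}"]
    body += ["D|" + "|".join(str(v) for v in rec) for rec in records]
    total = sum(whole_rupees(str(rec[-1])) or 0 for rec in records)
    return "\n".join(body + [f"T|{total}|{file_mac(key, body)}"])


def check_record(fields):
    """Per-record rules taken from the guidelines; returns a rejection reason or None."""
    for idx, label in REQUIRED.items():
        if not fields[idx].strip():
            return f"missing {label}"
    amount = whole_rupees(fields[8])
    if amount is None:
        return "amount is not in whole rupees"
    if not 0 < amount <= MAX_AMOUNT:
        return "amount outside the permitted range"
    return None


def validate_file(text, key):
    """Return (file_errors, accepted_seqs, rejected) for one inward data file."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("H|") or not lines[-1].startswith("T|"):
        return ["missing header or trailer"], [], {}
    body, trailer = lines[:-1], lines[-1].split("|")
    if len(trailer) != 3:
        return ["malformed trailer"], [], {}
    # 1. Authenticity first: nothing in the file is trusted until the MAC verifies.
    #    compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(file_mac(key, body).encode(), trailer[2].lower().encode()):
        return ["MAC mismatch: file altered or wrong key"], [], {}
    # 2. File-level consistency: structure, record count and control total.
    header = body[0].split("|")
    details = [ln.split("|") for ln in body[1:]]
    if any(d[0] != "D" or len(d) != 9 for d in details):
        return ["malformed detail record"], [], {}
    errors = []
    if len(header) != 4 or header[3] != str(len(details)):
        errors.append("record count does not match header")
    if trailer[1] != str(sum(whole_rupees(d[8]) or 0 for d in details)):
        errors.append("control total does not match trailer")
    if errors:
        return errors, [], {}
    # 3. Individual records: a bad record is rejected (to be returned at the next
    #    settlement) without discarding the rest of the file.
    accepted, rejected = [], {}
    for d in details:
        reason = check_record(d)
        if reason:
            rejected[d[1]] = reason
        else:
            accepted.append(d[1])
    return [], accepted, rejected


# Constructed sample data (not real accounts, banks or keys).
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE = build_file(SAMPLE_KEY, "BANKA", "1200", [
    (1, "A Kumar", "Mumbai", "Bank B", "Fort", "SB", "100200300", 150000),
    (2, "R Shah", "Pune", "Bank B", "Camp", "CA", "", 5000),
    (3, "M Iyer", "Chennai", "Bank B", "Adyar", "SB", "400500600", 25000000),
    (4, "S Das", "Kolkata", "Bank B", "Salt Lake", "SB", "700800900", "12.50"),
])

if __name__ == "__main__":
    print(validate_file(SAMPLE, SAMPLE_KEY))
    # One altered amount in transit fails the keyed check before any record is read.
    print(validate_file(SAMPLE.replace("150000", "950000"), SAMPLE_KEY))
```

The order matters: the record count, control total and record fields are only meaningful once the keyed check has shown the file came from the expected sender unaltered.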

Payment to Beneficiary by the Beneficiary Bank

The service branch should transmit the branch wise data immediately on receipt from
National Clearing Centre.

The branches would make payment to the beneficiaries on the same day by crediting the
specified account of the beneficiary or otherwise placing funds at the disposal of the
beneficiary.

Revocation of Payment Order

A payment order issued for execution shall become irrevocable when it is executed by the
sending bank. Any revocation, after the payment order is executed by the sending bank
shall not be binding on any other party in the SEFT system.

Acknowledgement by the Beneficiary Bank

No acknowledgements are envisaged under SEFT Scheme. A message, which is not
returned uneffected before the next settlement zone is treated to have been completed and
credit afforded to the beneficiary's account by the beneficiary branch. It is therefore
vital that uneffected credits are re-transmitted back as fresh EFT transactions at the next
settlement itself.

Sender to be Advised in Case of Refund

If the beneficiary specified in the sender's payment order fails to get payment through the
SEFT system for some valid reasons, the sender shall be informed immediately after the
sending bank gets the returned EFT. The sending bank shall also arrange to make
payment to the sender by crediting the account of the sender or otherwise placing funds at
the disposal of the sender.

Beneficiary Bank to Advise the Beneficiary of the Payment

After crediting the account of the beneficiary, the beneficiary bank shall advise the
beneficiary of the payments made. The Statement of account/Pass Book entry shall
indicate briefly the source of funds as well.

The sender/originator shall be entitled to claim interest at the Bank Rate from the sending
bank for the period of delay in the completion of funds transfer, and/or any other penalty
which may be levied/decided by RBI.

In case of a holiday at the beneficiary branch, it has to effect the credit on the same day or
latest at commencement of business on the next working day.

Special Electronic Funds Transfer - Electronic Transfer of Inter-Bank Funds - Part: 2

INTER-BANK SETTLEMENT

Inter-bank Funds Settlement at Reserve Bank

Every participating bank and admitted institution shall open and maintain in every SEFT
centre a settlement account for settlement of payment obligations arising under the funds
transfer executed under the SEFT system.

RIGHTS AND OBLIGATIONS

General rights and obligations of participating banks or institutions

a. Every participating bank or institution admitted in the SEFT System shall, subject
to compliance with the procedural guidelines, be entitled to execute any payment
order for Funds Transfer to a beneficiary of the payment order, issued or accepted
by it.
b. Every participating bank or institution shall maintain the security, integrity and
efficiency of the System.

Obligations of Sending Bank

i. The sending bank shall not execute a payment order without complying with the
security procedure. No payment order shall be accepted for execution in the SEFT
System if the beneficiary's bank / branch is not a participating bank or institution.
ii. The sending bank shall be responsible for the accuracy of the name of the
beneficiary, the nature and style of the account and account number of the
beneficiary, the name of the beneficiary's bank and the authenticity of every
payment order executed by it.
iii. The sending bank shall bear the liability for loss if any caused to any participant
in the SEFT System on account of the acceptance by it of any revocation of a
payment order after it has executed it.
iv. The sending bank shall not be entitled to bind any other participants in the SEFT
System with any "special circumstances" attached to a payment order accepted by
it.
v. The sending bank shall maintain duly authenticated record of all payment orders
executed by it for a period for which bank records are required to be preserved
under the applicable rules.
vi. The sending bank shall, upon completion of funds transfer of a payment order,
furnish to the originator on request by him, a duly authenticated record of the
transaction.

Obligations of the Sending SEFT Service Branch

i. The sending SEFT Service Branch shall be responsible for the accuracy of the
contents of EFT data file and the authenticity of the payment orders contained
therein as received by the SEFT Centre in compliance with the security
procedures.
ii. The sending SEFT Service Branch shall be responsible for settlement of all
payment obligations in regard to payment orders executed by it.
iii. The sending SEFT Service Branch shall be responsible for ensuring execution of
the EFT data file complying with security procedures and time schedule.
iv. The sending SEFT Service Branch shall ensure, before execution of any EFT Data
File that the balance in its settlement account are adequate to cover its settlement
obligation and ensure that the ceiling, if any, specified for it is not exceeded and
the requirement of collateral if specified by the Nodal Department is adequate for
execution of the EFT data file executed by it.

The sending SEFT Service Branch shall generate, dispatch and maintain records of
transaction in accordance with procedure specified.

Obligations of SEFT Centre

i. Receiving SEFT Centre shall be responsible for receiving and processing the Data
Files complying with the security procedure and time schedule specified for the
purpose.
ii. The SEFT Centre shall in compliance with time schedule and security procedure,
process and sort out the Data File bank-wise and after crediting the settlement
accounts with the corresponding value, transmit the NCC Data Files to the
respective receiving SEFT Service Branches.
iii. The SEFT Centre shall generate, dispatch and maintain records of transactions, in
accordance with the procedure specified.

Obligations of the Receiving SEFT Service Branch

i. Receiving SEFT Service Branch shall be responsible for receiving NCC Data File
from the receiving SEFT Centre in compliance with the security procedure.
ii. Receiving SEFT Service Branch shall process the NCC Data File in compliance
with the security procedure and sort-out the payment orders into branch wise lots
and transmit to the respective branches the payment orders for execution in
accordance with the time schedule and in compliance with the security procedure.
iii. Receiving SEFT Service Branch shall generate, dispatch and maintain records of
transaction in accordance with the procedure specified.

Rights and Obligation of Beneficiary Bank

The beneficiary bank shall execute the payment order on the SEFT working day on which
the payment order is received by it unless it notices one or more of the following
deficiencies.

a. The beneficiary specified in the payment order has no account or the account of
the beneficiary maintained by the beneficiary's bank does not tally with the
account specified in the payment order.
b. The beneficiary bank is prevented by instructions of the beneficiary not to give or
receive any credit to the account.
c. The account designated in the payment order is closed.

The beneficiary bank may reject a payment order on one or more of the grounds
mentioned in Clause (1) above. The beneficiary bank shall notify, in the manner
specified, the sending bank of the rejection of the payment order along with the reasons
thereof.

Processing Charges :

A charge shall be levied by the SEFT centre for SEFT processing. The current rate is
Rs.2/- per transaction.

Centralised Funds Management System (CFMS) & Real Time Gross Settlement System (RTGS)

Payment & Settlement Systems

The Payment and Settlement System is an essential part of the financial system of a
vibrant economy. Consolidation, Development and Integration of the financial
infrastructure and reforms in the payment and settlement systems of the country that
address the twin issues of safety and efficiency have been engaging the attention of the
Central Bankers and Financial Institutions the world over. Payment and Settlement
Systems are no longer the backwaters of either the banks or the Central Banks.

The Reserve Bank attaches utmost priority and importance to the establishment of an
integrated payment and settlement system in the country. A number of initiatives have
either already been implemented or are in an advanced stage on the drawing board.
Identification and classification of the Systemically Important Payment System (SIPS)
have been done and various measures have been initiated to facilitate real time or near
real time large value inter-bank funds transfer in secured environment.

RBI Project for Centralised Funds Management System

The Reserve Bank has started the process of putting in place a Centralised Funds
Management System for the benefit of the banks in the year 1998-99. The Centralised
Funds Management System envisages connecting all the Deposit Accounts Department of
the Reserve Bank located at seventeen Regional offices with the Apex Level Server
located in Mumbai. The centralised funds management system (CFMS) facilitates funds
and treasury managers of commercial banks, which are ready with the infrastructure for
obtaining the data in a networked environment to query & obtain the consolidated and
account-wise, centre-wise position of their balances with all the Deposit Accounts
Departments of the RBI, installed at the various RBI locations. The system envisages
periodical updation of Current Account balances in the Apex Level Server whenever a
transaction is put through at the local or remote Deposit Accounts Department. The Bank
Level Server will be able to query the Apex Level Server to check on its "global" or
overall funds position. Eventually, funds transfer facility will be made available. While
the first phase of the system covering the centralised funds enquiry system (CFES) has
been made available to the users, the second phase comprising the centralised funds
transfer system (CFTS) would be made available by the middle of 2003. So far, 54 banks
have implemented the system at their treasuries/funds management branches.

Real Time Gross Settlement System (RTGS)

The National Payments Council, set up by the RBI in May 1999 under the
Chairmanship of Mr. S. P. Talwar, Deputy Governor, RBI, focusses on the broad policy
parameters for designing and developing integrated payments and settlement systems,
with the proposed Real Time Gross Settlement System (RTGS) as its core.

Reserve Bank of India launched the project to construct a Real-Time Gross Settlement
System (RTGS), which will allow secure inter-bank payments throughout the country.
The system is planned to eventually interface to all RBI sites, as well as other member
banks across the country. This project is to provide significant benefits to individuals and
businesses throughout India. By underwriting all payments with collateral held at the
Reserve Bank of India, the RTGS system will reduce systemic risk in the Indian banking
system, thereby providing increased integrity and security for all interbank transactions.
With the progress in liberalisation in banking and financial sectors, the increasing
sophistication & specialisation, emergence of a pure inter-bank call/notice and term
money market, and introduction of Real Time Gross Settlement (RTGS), funds would
flow freely from one market to another leading to better integration of the domestic
financial markets among themselves, and with international financial markets as well
requiring the banks to adopt strategies to benefit out of the developments which would be
possible with a technology thrust.

Speaking about RTGS, the Governor, RBI, Dr. Bimal Jalan, has made the following
observations at the 22nd Bank Economists Conference, New Delhi, on 15th February, 2001:

"Real Time Gross Settlement (RTGS) is generally regarded as the cornerstone of an
integrated payments system. Setting up an RTGS environment has become the focal point
of payments system reforms all over the world. Access to major financial centres and
cross-border payments systems is becoming conditional to the availability of a full-
fledged domestic RTGS. Apart from providing a real time funds settlement environment,
RTGS is critical to an effective risk control strategy for preventing domino effects of
individual defaults. In the context of internationalisation of the financial sector, RTGS
provides both the technology and process controls to manage risks better.

"The preparation of the financial system for the implementation of RTGS has been a
priority for the Reserve Bank. Considerable progress has already been made. The main
processing system for RTGS is in place at the National Clearing Cells at the four
metropolitan cities. The system would provide large value fund transfers with settlement
on a gross basis. The Reserve Bank has taken a number of steps towards the development
of the Payment System Generic Architecture Model for both domestic and cross-border
payments. The Model conceives networking of computerised bank branches, with their
controlling offices, central treasury cells and head offices with the proviso for introducing
standardisation of operating system and networking platforms within the bank and a
bank-level standardised gateway to INFINET. System Requirement Specifications would
take into account the international best practices and the specific requirements of Indian
banking. Extending the spread and coverage of the INFINET to cover all commercially
important centres in the country, development of the Structured Financial Messaging
backbone for exchange of financial messages based on international standards,
integrating various segments of the payment and settlement system and consolidation of
the various Deferred Net Clearing Settlements constitute the action plan for 2000-01."

Calendar of Implementation Planned

The Real Time Gross Settlement System on implementation will be a defining moment in
the history of the Payment and Settlement Systems in the country. It will be, in fact, a
significant step towards the creation of an integrated, robust, safe, secure and modern
Payment and Settlement System and I am sure all of you are looking forward to be part of
the revolution.

The roadmap for the implementation of the RTGS System is envisaged as follows. In
June, 2003, a demonstrable RTGS package for testing and familiarization is to be ready.
It will be like an induction platform for the banks to the RTGS Standalone System, which
will be delivered in October, 2003. After completion of testing and acceptance, RTGS
system will become operational before year-end.

RBI has been building up awareness about the RTGS System. Already a series of
Workshops and Seminars have been organized for your Treasury and IT Heads. RBI has
also organized a 'Seminar on Liquidity Management in RTGS Environment' to apprise
you of the challenges that banks may face on the operationalisation of the RTGS System
and the manner in which they have to control and co-ordinate liquidity management
measures to derive optimal benefits from the RTGS System.

It cannot be disputed that the technological innovations, in general, have been at the
core of the reform process in the services sector globally and the financial sector, in
particular. For the last so many decades, it has been driving the business re-engineering
process in our banking industry. RBI has been actively studying these developments
and readying itself to provide for a technology framework and operating environment,
conducive to the banks. Some of the initiatives that have been undertaken are -

A reliable communication backbone to facilitate improvement in financial services, the
Reserve Bank of India has, through IDRBT, set up the INFINET - a 'Closed User Group'
network as the exclusive domain for the applications of the entities in the banking and
financial sector. As you all know, the INFINET is a blend of VSAT technology and
terrestrial leased line technology based Wide Area Network. INFINET provides for the
robust and reliable communication backbone for the implementation of all the
Systemically Important Payment System Applications.

Reserve Bank's concerns and focused attention on the twin issues of security over the
INFINET and message standards for intra/inter-bank applications have led to the
development and implementation of the Structured Financial Messaging System (SFMS),
a standard messaging protocol, which would be riding on the INFINET communication
backbone. SFMS has adequate in-built security and with Public Key Infrastructure (PKI),
provides for a security solution of international standards. SFMS will also act as an
alternative for accelerating the integration of the branches of the banks.

Secondly, a state-of-the-art, robust and secure platform - IBM S-390 System with a
complete standby installation -- has been made operational in Mumbai centre to ensure
the availability of the requisite technical infrastructure, capable of robustness, operational
resilience and redundancies to ensure Business Continuity. The Disaster Recovery Site is
being set up at a geographically distanced location from Mumbai.

End-user Preparation

These efforts are incomplete without the total involvement and participation of the end-
users of the payment and settlement system. The proverbial "last mile" problems will
have to be resolved. In order that the benefits, as conceived of under the Integrated
Payment Systems Architecture in the country, cascade down to the smallest branch of
every bank and to every customer, end-users will have to be in an extremely high level of
preparedness in terms of systems and operational processes, technology and human
resources, to make the most of these and the newer opportunities, arising due to the fast
changing canvas.

In the area of Information Technology, specific attention will have to be paid to the TEN
Core Issues, which RBI has advocated. These are fundamental to the participation and
realization of optimal advantages from the RTGS System round the corner.

1. A Payment System Gateway as the Single Point of Interface with the INFINET
for participation in the Systemically Important Payment System Applications.
2. Connectivity between the Payment System Gateway and the Primary Site and
Standby Site of the RBI.
3. Computerisation of bank branches with Connectivity.
4. Setting up of intra-bank intra-city leased line network.
5. Connectivity with the Hub at each RBI site under the 21-centre Intercity Leased
Line Network of the INFINET.
6. Synchronous Systems across the bank - Hardware, Operating System and
Communication Platform.
7. IDRBT CA CPS, Implementation of PKI and Creation of Registration Authority.
8. Uniformity in Message Format for Inter/Intra bank Applications across the
banking sector and Implementation of SFMS.
9. Internal Applications of the bank and Interface with the RTGS System.
10. Development, Documentation and Implementation of the Information Systems
Security Policy in the bank.

Quite a few of the above requirements have already been met by the majority of the
banks. Most important and critical among these are the Connectivity and Security Issues.
Unless all bank branches are networked, the benefits of a secured and modern Payment
System will not percolate to the end-users of the banking system i.e. the ordinary public.
Further, unless the security features of the entire Transaction Cycle are enhanced to the
level of international standards (which is being sought to be achieved through the
implementation of the PKI and use of Digital Certificates), the common man will not
repose his full confidence in the Electronic System of Funds Transfer. That is why, the
RBI has been emphasising 'Connectivity' and 'Security' as the Core and Critical Pre-
requisites, to be duly addressed by the banking sector for participation in the RTGS
System.

The RTGS system will be a mode for large value inter-bank settlement, to be widely
used, for enhancing your risk control measures, for faster and efficient settlement of your
liabilities and for better customer services for the ultimate users in the value chain. The
success of this system will be one more step towards realizing our objectives of a
modern, secure, resilient and Integrated Payment and Settlement System in the country.
We are sure that all of us will be partners in this step forward.

Real-Time Gross Settlement System (RTGS) - PART: 2

In the year 1998-99, Reserve Bank of India launched the project to construct a Real-Time
Gross Settlement System (RTGS), to allow secure inter-bank payments throughout the
country. The system is planned to eventually interface to all RBI sites, as well as other
member banks across the country. The project is currently under implementation.

At the bedrock of the design of an integrated payments and settlement system is the Real
Time Gross Settlement (RTGS) system. The Real Time Gross Settlement system is being
designed to provide large value funds transfer and settlement in an on-line real time
environment to the banking industry, with settlement on a gross basis. An integral
component of the Real Time Gross Settlement system will be the Delivery versus
Payment module for trading and settlement in Government Securities transactions. The
system would have links with other netting systems like Clearing, Automated Clearing
House transactions comprising Electronic Clearing Service, Retail Electronic Funds
Transfer, all Plastic Money and Smart Card transactions and Electronic Funds Transfer at
Point of Sale (EFTPOS). Work in setting up the RTGS system has already started in the
Reserve Bank with the setting up of a Working Group for the Appointment of Consultant
for the implementation of the RTGS project. In fact, Request for Proposals have been
invited from leading vendors intimately associated with Payment System applications.

The RTGS project is designed to provide significant benefits to individuals and
businesses throughout India. By underwriting all payments with collateral held at the
Reserve Bank of India, the RTGS system will reduce systemic risk in the Indian banking
system, thereby providing increased integrity and security for all interbank transactions.

The RTGS provides for real-time processing and settlement of funds transfers. The first
phase of the project calls for creation of an Integrated Accounting System (IAS) to handle
all internal and interbank accounting transactions for RBI. This new core banking system
will handle all general transactions and central accounting for RBI, including the bank's
general ledger.

The RTGS will employ two sets of queues: one for testing funds availability and one for
processing of debit/credit requests received from the Integrated Accounting System.

All transactions will be queued and submitted for funds availability testing on a first-in,
first-out basis, i.e., all transactions will be queued in the order in which they were
received and the oldest transaction in each participant's queue will be tested first.
Transactions which fail a funds availability test will be returned to the payment queue to
be retested periodically. An optimizing algorithm will scan the queues periodically during
the day to identify potential gridlock situations.
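The queueing behaviour described above can be made concrete with a small simulation. The following Python block is an added example, not RBI's or the vendor's code: the page does not describe the optimizing algorithm, so the offsetting check used here (try to settle a FIFO prefix of every queue simultaneously, trimming the newest payment of any participant left short) is an assumption, and the participants and amounts are constructed.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    sender: str
    receiver: str
    amount: int


class SettlementEngine:
    """Gross settlement with one first-in, first-out payment queue per participant."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.queues = {name: deque() for name in balances}
        self.settled = []

    def submit(self, payment):
        self.queues[payment.sender].append(payment)

    def settle(self, payment):
        self.balances[payment.sender] -= payment.amount
        self.balances[payment.receiver] += payment.amount
        self.settled.append(payment)

    def run_fifo(self):
        """Funds-availability test on the oldest payment in each queue, repeated
        until a full pass settles nothing. A blocked head blocks everything
        behind it. Returns the number of payments settled."""
        count, progress = 0, True
        while progress:
            progress = False
            for sender, queue in self.queues.items():
                while queue and self.balances[sender] >= queue[0].amount:
                    self.settle(queue.popleft())
                    count += 1
                    progress = True
        return count

    def offsetting_set(self):
        """Assumed gridlock check: how many payments from the front of each queue
        could settle at the same moment without any balance going negative.
        Returns {participant: count}, or None when no such set exists (a real
        liquidity shortage rather than a gridlock)."""
        take = {name: len(queue) for name, queue in self.queues.items()}
        while any(take.values()):
            net = dict(self.balances)
            for name, queue in self.queues.items():
                for payment in list(queue)[:take[name]]:
                    net[name] -= payment.amount
                    net[payment.receiver] += payment.amount
            short = [name for name, value in net.items() if value < 0]
            if not short:
                return take
            for name in short:
                take[name] -= 1  # drop that participant's newest candidate payment
        return None

    def resolve_gridlock(self):
        """Settle the offsetting set as one batch; returns the number settled."""
        take = self.offsetting_set()
        if take is None:
            return 0
        batch = [self.queues[name].popleft()
                 for name in take for _ in range(take[name])]
        for payment in batch:  # simultaneous in effect: only end balances matter
            self.settle(payment)
        return len(batch)


def gridlock_scenario():
    """Constructed case: a cycle of payments, each larger than any balance."""
    engine = SettlementEngine({"A": 10, "B": 10, "C": 10})
    for payment in (Payment("A", "B", 100), Payment("B", "C", 100),
                    Payment("C", "A", 100)):
        engine.submit(payment)
    return engine


def shortage_scenario():
    """Constructed case: offsetting cannot help, the system is short of funds."""
    engine = SettlementEngine({"A": 10, "B": 10})
    engine.submit(Payment("A", "B", 100))
    engine.submit(Payment("B", "A", 50))
    return engine
```

In the gridlock scenario no payment passes its individual funds test, yet all three settle together and every balance ends where it started; in the shortage scenario the check reports that no offsetting set exists.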

Payment messages from a sending bank to the Reserve Bank will be processed through
an intermediate processor, the Inter-Bank Funds Transfer Processor (IFTP). RBI's
software will be supplied to member financial institutions to enable their direct
participation in the RTGS system.

The system is stated to be highly scalable. It is designed to handle high volumes
including a very high peak.

The RTGS system will be developed on the IBM mainframe S/390, and the operating
system will be OS/390. The security infrastructure will be PKI-based. The project will
employ point-to-point remote copy for back-up and restore operations, meaning that the
backup server will be a few miles from the main site, connected over fiber optic
infrastructure.

Standardisation of Operating Systems, Systems Software and Application Software

One of the major issues plaguing the banking industry is the lack of standardisation. For
the payment system reform to take-off successfully, the standardisation of operating
systems, systems software and application software throughout the banking industry is a
necessary condition which may have to be pursued.
This issue was discussed in-depth by the Committee on Technology Upgradation in the
Banking Sector, set up by the Reserve Bank of India. The Committee has recommended
the need for standards in various areas apart from highlighting the need for an appropriate
institutional arrangement for key management and authentication by way of a
certification agency. The Report also recommended adoption of the widely used
cryptography procedures to prevent data tampering during transmission. This is to be
implemented at the application level supplementing the security already provided at the
network level, in view of the critical nature of financial message transfer over
communication networks.

RBI has standardised their message formats in tune with accepted international standards.
A Working Group on the Design of Message Formats has been formed for this purpose.
The Group has finished phase one of its activity. Message formats for applications such
as Customer Payments and Cheques, Financial Institution Transfers, Treasury Markets,
Collections and Cash Letters, Securities Markets, Documentary Credits and Guarantees,
Cash Management and Customer Status and Common Group Messages have already
been finalised. The work of designing the message formats pertaining to Government
Account Transactions, Currency Chest Transfer, and some segments of Government
Securities Transactions will be completed in phase two by the Working Group. In
addition, the RBI has also constituted a few sub-groups for standardisation of different
information technology components like networking products and system software.
These measures have been initiated as the INFINET is essentially an Internet Protocol
(IP) network and all the applications should be built around TCP/IP, to optimise use of the
communication resources and to facilitate smooth implementation of the applications on
the network.

Coupled with computerisation of branches of the banks, the Reserve Bank has been
exhorting the banks to network their branches for intra-bank connectivity for addressing
the twin issues of intra-bank funds transfer and transmission of critical MIS information
between the branches and the controlling offices. Intra-bank connectivity will ensure that
Treasury or Funds Department is connected to the Controlling office on the one hand and
with the large business centres on the other hand. This will provide the bank a global
vision of its funds position and optimal utilisation thereof.

[Source: Inaugural address by Shri Vepa Kamesam, Deputy Governor, Reserve Bank of
India, at a meeting with CMDs of banks on July 21, 2003]

Real-Time Gross Settlement System (RTGS) - PART: 3 - Roll-out Strategy for RTGS Implementation

As per the statement of Mr. Vepa Kamesam, Deputy Governor, Reserve Bank of India,
conveyed at a meeting with CMDs of banks on July 21, 2003, the implementation of the
RTGS Project has progressed significantly and is now critically poised. The RTGS
System is scheduled to be delivered by the end of October, 2003, followed by installation,
testing and commencement of parallel run before the year-end.
There will be a single RTGS System for the country and all participants have to make co-
ordinated and concerted efforts to ensure that the entire nation optimally benefits from the
introduction of the RTGS System.

One of the primary objectives of every Central Bank is to put in place a modern, robust,
secure and integrated Payment and Settlement System to enable the common man to
make payments to anyone he likes in the most efficient and cost effective manner. The
ultimate beneficiary of the Payment System has to be the ordinary bank customer. In fact,
our vision has been "Anyone can make payments to whomsoever one likes, whenever
one likes, in whatever type of currency one likes, at the cost of a few cents per
transaction. There are no settlement delays or mountains of paperwork and value is
received instantaneously. There are no distinctions in costs or delays between a domestic
and a foreign currency transaction. Interest is computed real-time rather than on a
"settlement day", a relic from the ancient times, when accounting was done manually.
Finally, privacy and security are guaranteed."

The RTGS System will facilitate large value inter-bank payment and settlement in real
time online mode on a transaction by transaction basis. It will enhance systemic
efficiency and minimise the existing settlement risks. In fact, the RTGS System the world
over has come to be regarded as the sine qua non of every advanced economy.

The Dy. Governor pointed out that a lot of spade work has to be done before the RTGS
System could be introduced. A number of pre-requisites such as the availability of
industry-wide communication network, reliable, resilient and state-of-the-art computer
platform for the implementation of the Systemically Important Payment System
Applications including the RTGS System, facilities for electronic based payment and
settlement, standardization of message formats for inter and intra bank applications,
robust messaging system with facility for security of international standards, proper
business process re-engineering by each RTGS Participant and last but not the least,
facilities for advanced Liquidity Management, will have to be met, so that the goals of
the RTGS System could be realized.

A lot of preparatory work, in fact, has already been done. The IBM S/390 Mainframe
Systems, which include Standby facilities to ensure minimal interruption in the
availability of services, have been operationalised to serve as the platform for the
implementation of the Systemically Important Payment System Applications including
the RTGS System. The Indian Financial Network (INFINET) has been operationalised
for integrating the entire banking and financial sector. The Centralised Funds
Management System (CFMS) has been operationalised to provide you on-line
information on your aggregate funds position, maintained across our offices. Under the
CFMS, fund transfer facilities between the RBI offices will be available shortly. This will
help the Banks towards the efficient deployment of their funds. RBI has also
implemented the Structured Financial Messaging System (SFMS) on the lines of SWIFT
and Public Key Infrastructure (PKI) to facilitate transmission of messages inter/intra-
bank in standardized formats across the banking and financial sector with adequate
security. As all of you are aware, our Institution for Research and Development in
Banking Technology (IDRBT) at Hyderabad has become the Certifying Authority (CA)
for the Banking and Financial Sector for all the applications implemented over the
INFINET. The INFINET provides for the communication backbone for all the
Systemically Important Payment System Applications. The Disaster Recovery Site for the
Systemically Important Payment System Applications has also been set up.

This is a Project of national importance and therefore, necessary awareness about the
proposed RTGS System has to be built up. For the purpose, RBI has been conducting
RTGS Awareness Programmes for various target groups in the banks such as Treasury In-
charges, IT Heads, Operations Staff, Faculty Members of the banks' Training Institutes,
Business Development Teams etc. RBI personnel have also been visiting banks to hold
RTGS Awareness Programmes. They have also been regularly meeting with your RTGS
Nodal Officers to take stock of your preparedness for participation in the RTGS System.

The Chiefs of the banks have to play the role of a Catalyst to build up the critical mass of
opinion in their respective organizations in this regard. They will not only have to facilitate
internal dissemination of information on the RTGS System, but will also need to ensure
complete infrastructural and human resources readiness including connectivity and
security at your respective ends, so that the RTGS facilities could percolate to the
ordinary customers.

Commercial banks have already initiated necessary actions. They have already put in
place the Payment Systems Gateway, the box that is going to host all the Payment System
applications including the RTGS module for the banks, called the Participant Interface
(PI) and connected it to our Primary and Standby sites. Limiting the preparedness only to
this will facilitate transfer of large value funds among the bankers only and the customers
at large may not benefit from the RTGS System, defeating one of our primary goals in
this regard. Therefore, Banks will have to take urgent steps to ensure that all their
branches including those in the country side are networked. Further, the security
infrastructure for message transfer in the form of Public Key Infrastructure (PKI), as per
IDRBT CA, will also have to be urgently implemented in all banking organizations,
covering all the branches, which will be offering RTGS services to the customers. It is
essential that not only those of us who live in cities, but the ordinary customers in the
country side must also enjoy the fruits of our efforts and in fact, should also be the target
group for all our new initiatives.

The RTGS facilities will have to be available at every nook and corner of the country and
therefore, the required network has to be in place for the purpose. SFMS is already web-
enabled and ready for use. Here, it is worth cautioning that any indecisiveness/delay on
the part of the individual banks to provide the requisite cost effective and efficient
systems for the purpose will only deprive their customers of the RTGS benefits and it will
not be an unusual scene to be countenanced in the days to come, when exodus of
customers will take place to fully RTGS-enabled bank branches.

Further, the introduction of the RTGS System will require business process re-
engineering in the banks. Therefore, bank authorities will require to re-visit the existing
procedures/processes in their respective organizations. It is to be pointed out that the
recycling of the existing procedures/processes in the unfolding RTGS environment will
not help you optimally realize benefits from the RTGS System. The RTGS System will
provide real time online gross settlement of the payment transactions depending upon the
availability of sufficient liquidity in your Settlement Accounts and therefore, proper
liquidity management will assume significantly greater importance and acquire real time
dimensions for each one of you. This will require process re-engineering, to be addressed
by every bank and the procedural changes will have to be duly communicated and
ingrained in your field functionaries, the front line interface with the ordinary customers.
The whole customer banking will have to be re-oriented and the customers will also
require to be educated, as the RTGS System will be a credit transfer system only as
against the current cheques/instruments based systems, which are debit transfer systems.

The implementation of the RTGS System will also open up newer avenues for product
innovation, arising out of Intra-day liquidity management and the consequential financial
support to be extended to other RTGS participants with inferior Liquidity Management
infrastructure. Further, the fee based RTGS services extended to the customers will also
provide a source of additional revenue. All banks will also require to focus on these areas
to optimally benefit from the introduction of the RTGS System.

Last but not the least, on account of the online real time payment and settlement under
the RTGS System and the settlement taking place in the books of the Central Bank, being
authenticated by way of time-stamp by the RTGS System itself, banks may be cautioned
that the availability of float funds will either disappear or will be minimised. In the light
of this, they may also need to take a hard look at the pricing structure of their products.

The introduction of the RTGS System is expected to bring in far reaching changes in
regard to large value inter-bank funds transfer in the country. Let us prepare ourselves to
make the most of this revolutionary change.

Public key infrastructure (PKI)

What is PKI

Public key infrastructure (PKI) systems offer authentication in transactions. PKI
provides an electronic identity to a person through the issuance of a digital certificate and
a private cryptographic key, usually stored in a secure medium such as a smart card or an
i-key or even a floppy disk. The person could make use of the identity to digitally sign
documents or transactions.

Objectives of PKI Software

• To reduce risk of fraud in electronic fund transfers and other treasury activities.
• To use a low-cost public network infrastructure and eliminate the need for
dedicated leased lines or VPNs.
• To facilitate real-time cash management with strategic banking partners.
• To ensure that only specific users can access and execute high-value transactions.
• To integrate the software easily with legacy systems.

Why PKI

The greatest obstacle to e-business in the financial service sector is the lack of trust and
security over existing and evolving infrastructures. For e-business transactions to
flourish, all parties involved in transactions and communications must be able to confirm
the unique and irrefutable digital identity of each participant before relying on that
information to make a commercial transaction.

But when it comes to making high-value transactions, such as setting up an online cash
management system, even for the so called online banking systems or procuring supplies
through the Internet, there is too much at stake in simply trusting someone just because
he gave the correct PIN or the correct username and password. Developing systems that
are able to provide firm authentication of customers, suppliers and other parties has
therefore become a major challenge. Public key infrastructure (PKI) systems have
surfaced as the solution to provide trustworthy identities.

In the case of online banking for users, banks need to have a proper system for
authentication of the user. Even though banks have a secure network system for
encrypted data transfer, still the user is identified using the typical username/id
verification process that is vulnerable to hacking. So implementation of PKI makes sure
that the party performing a transaction over the Internet is who he claims to be. Later he
cannot deny having done a particular transaction, if he had used his digital
certificate.

Benefits of the Use of PKI

Through the use of PKI and digital signature, one can prove to a third party or the court
that a particular piece of electronic document is authentic and can be traced to the person
who has digitally signed the document or transaction. This works because the
cryptography and mathematics underlying a PKI system ensure that digitally signed
documents cannot be forged. The digital certificate can be thought of as the electronic
equivalent of the identification card. Thus, the authority which issues the digital
certificates (known as Certificate Authority) must be highly trusted and secure.

Besides security, there are other issues related to PKI - technology, legal framework and
standards. The technology for PKI has been around for more than a decade and is
relatively mature and a number of countries have introduced legislation to recognize the
validity of digital signature.

The introduction of IT laws by many countries has enabled a standard for business
transactions. Forums like the Asia Pacific PKI Forum allow their digital certifying
authority licensees inter-operability with their counterparts in the member countries of that
region. As financial institutions sign on to these policies and business practices, their
customers will create an extensive global system of known and trusted businesses. Once
certified by a Certification Authority, a trading partner can authenticate any other party
with assurance. Even if a trading partner is from another part of the world, the fact that he
is a certified member (through the trust relationship with his bank) makes trading viable
and reduces the risk of transacting in the global system. By virtue of commonly accepted
standards, trading partners will know that:

• Their transactions are legally binding;
• They have recourse in the event of a dispute or a potential fraud situation; and
• They can place legal and practical trust on the electronic identity issued by any
Certification Authority.

How PKI Works

Public Key Infrastructure (PKI)

It is necessary to understand some of the basics of encryption, digital certificates and
digital signatures before examining the components of a PKI.

Encryption overview

• "Encryption" is the term used to describe the process of taking legible data, and
scrambling it into a form that is non-intelligible to anyone who doesn't know how
to unscramble (or "decrypt") it again.
• Encryption processes usually involve a method for encrypting the data and one or
more "keys". The keys are usually a very long number, and are used during the
encryption or decryption process.
• In most cases, the method (or "algorithm") that is used by an application to
encrypt data is common knowledge and the key that is used is kept private.
• There are two main types of encryption - "symmetric encryption" (the same
encryption key is used for encryption and decryption), and "asymmetric
encryption" (different keys are used for encryption and decryption).
• Asymmetric encryption algorithms use two keys - a "public key" and a "private
key". The algorithm usually involves a mathematical step that is very easy to do
one way, but very difficult to do in reverse.

Distinct Features of algorithm

The algorithm is designed such that:

• Anything that is encrypted using the public key can be decrypted with the private
key.
• Anything that is encrypted with the private key can be decrypted with the public
key.
• The keys are generated in such a way that it is not possible to determine one key
if you know the other.

This method of encrypting data using a widely publicized public key and separate private
key is also called "Public Key Cryptography" and is the type of encryption that is utilized
by digital certificates.

Digital Certificates

A meaning for "certificate" is "A document testifying to the truth of something". A digital
certificate is an electronic "certificate" that contains information about a user and is used
(among other things) to verify who the user is. Digital certificates make use of Public
Key Cryptography. The public key is stored as part of the digital certificate. The private
key is kept on the user's computer, or in some hardware such as smart cards, i-keys etc.

Digital certificates are based on the IETF X.509 series of documents.

The main uses of digital certificates are:

• Proving the identity of the sender of a transaction, non-repudiation and checking
the integrity of transmitted data (via the use of digital signatures).
• Encryption
• Single sign-on (the digital certificate can be used as an authorization key to
connect to computer systems.)

If digital certificates are to be used for security and identification purposes, all of the
following conditions must be met:

• Every certificate is unique.
• The owner of a certificate has been fully identified. All digital certificates are
signed by the Certificate Authority (CA) that issues them. In issuing a certificate, the
CA is basically saying that they have identified the user, and the user really is who
they claim to be. To be able to trust a digital certificate, the CA needs to have fully
identified the customer before issuing the certificate (or be satisfied that some
other entity has adequately performed such identification).
• A private key can only be used by the owner of the certificate. As with all
authentication schemes, the onus is on the user to keep the private key private.
Usually a password, a smart card or biometric device is used to lock the private
key and prevent others from using it.

Digital Signatures

A digital signature is used to verify the integrity of a block of data. Digital signatures are
also used to verify the identity of the person who sent the transmission.

A digital signature is created as follows:

• A "digest" of the data is created. The digest is a short length of binary information
and is based entirely on the contents of the data. A hashing algorithm such as
MD4 or SHA is used to create the "hash" or digest. Hashing algorithms are
designed such that changing just one character in the message would result in a
different hashed value.
• The hash is then encrypted using the private key of the person who is sending the
message.
• The encrypted digest is known as a "digital signature" and is attached to the
message when it is sent.

When the message is received:

• A hash of the message is again created, using the same hashing algorithm.
• The sender's public key is used to decrypt the digital signature, and this is
compared to the digest of the message that has been generated by the receiver's
software.
• If both hashes are the same, then the data in the message has not been altered
during transmission.

Given that only the owner of the digital certificate can create the digital signature
(because they are the only person who has access to their private key), attaching a digital
signature to a transmission also proves the identity of the person who sent it.

Public Key Infrastructure

A Public Key Infrastructure (PKI) is made up of various software based services and
encryption technologies that are used to facilitate trusted and encrypted transactions over
an insecure network.

Digital Certificates are used in most practical implementations of a Public Key
Infrastructure.

The PKI for an organization typically includes the following components:

• Digital certificates - one for each user and server.
• A Certificate Authority (CA) responsible for issuing certificates.
• One or more Registration Authorities (RA) that are responsible for identifying
users during the digital certificate registration process.
• A Directory service - used to store information about users, including their public
key. The Directory service is usually based on the LDAP or X.500 protocols.
• Software that is capable of using digital certificates.

Certificate Authority (CA)

A Certificate Authority (CA) is a third party that is responsible for issuing digital
certificates to users. Each digital certificate that the CA issues is digitally signed with the
CA's private key. This is to ensure that the digital certificate has not been tampered with.

Each CA has its own procedure for identifying users. The procedure is usually listed in
the CA's Certificate Practice Statement (CPS). Identification procedures range from little
or no identification, through to a user having to provide 100 points worth of ID before
being issued with a digital certificate.

Ideally, a CA is trusted, and always follows their advertised Certificate Practice
Statement.

Typically, browser software (for example, Niyamas Tyootelery) gives users the option of
marking a given CA as trusted or not trusted. A Certificate Authority also runs and
maintains the server that contains the certificate database, maintains a list of any
certificates that have been revoked, and publishes public keys and the revocation list into
a publicly accessible directory service. The CA is also responsible for making sure that
the server itself is physically secure, and that the CA's private key is not compromised.
Certificate Authorities are usually arranged in a "chain" where any given CA has its root
key signed by the next CA up the chain. The CA at the root or the top of the chain signs
its own root key. If a given CA is trusted by a user's software, every subordinate CA
below it in the CA chain is automatically trusted since the trusted CA has vouched for the
trustworthiness of all Certificate Authorities below it.
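The signing and verification steps under "Digital Signatures" and the CA chain described above fit together as follows. This Python block is an added example, not code from the page or from any CA: it uses textbook RSA without padding and SHA-256 as the hashing algorithm so that it runs with the standard library only, and every name, serial number, key and message in it is constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent used by every toy key in this example

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public_key, private_key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest_int(data):
    """SHA-256 digest as an integer (smaller than every modulus used below)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private_key, data):
    """Sender side: digest the data, then apply the private key to the digest."""
    n, d = private_key
    return pow(digest_int(data), d, n)

def verify(public_key, data, signature):
    """Receiver side: recover the digest with the public key, compare with a fresh one."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)

@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str
    issuer: str
    public_key: tuple
    signature: int = 0

    def signed_fields(self):
        """Everything the issuing CA signs: identity, issuer and the public key."""
        n, e = self.public_key
        return f"{self.serial}|{self.subject}|{self.issuer}|{n:x}|{e}".encode()

def issue(serial, subject, subject_public, issuer, issuer_private):
    """CA step: bind a subject name to a public key by signing the certificate."""
    unsigned = Certificate(serial, subject, issuer, subject_public)
    signature = sign(issuer_private, unsigned.signed_fields())
    return Certificate(serial, subject, issuer, subject_public, signature)

def validate_chain(chain, trusted_roots, revoked):
    """chain[0] is the user's certificate; each later entry certifies the one before.
    The last entry is the self-signed root. Returns (ok, reason)."""
    for cert, issuer_cert in zip(chain, chain[1:] + [chain[-1]]):
        if (cert.issuer, cert.serial) in revoked:
            return False, f"revoked: {cert.subject}"
        if cert.issuer != issuer_cert.subject:
            return False, f"issuer mismatch: {cert.subject}"
        if not verify(issuer_cert.public_key, cert.signed_fields(), cert.signature):
            return False, f"bad signature: {cert.subject}"
    root = chain[-1]
    if trusted_roots.get(root.subject) != root.public_key:
        return False, "untrusted root"
    return True, "ok"

def verify_message(message, signature, chain, trusted_roots, revoked):
    """Accept a signed message only if the signer's certificate chains to a trusted
    root, nothing in the chain is revoked, and the signature matches the message."""
    ok, reason = validate_chain(chain, trusted_roots, revoked)
    if not ok:
        return False, reason
    if not verify(chain[0].public_key, message, signature):
        return False, "message altered or not signed by the certificate owner"
    return True, "ok"

def mersenne(k):
    return 2**k - 1

# Constructed key material. Mersenne primes avoid a prime generator here, but a
# modulus built from them is trivially factorable: illustration only.
ROOT_PUB, ROOT_PRIV = make_keypair(mersenne(2281), mersenne(3217))
BANK_PUB, BANK_PRIV = make_keypair(mersenne(1279), mersenne(2203))
USER_PUB, USER_PRIV = make_keypair(mersenne(521), mersenne(607))

# Constructed names: a root CA, a subordinate CA below it, and one end user.
ROOT_CERT = issue(1, "Example Root CA", ROOT_PUB, "Example Root CA", ROOT_PRIV)
BANK_CERT = issue(2, "Example Bank CA", BANK_PUB, "Example Root CA", ROOT_PRIV)
USER_CERT = issue(7, "treasury-user", USER_PUB, "Example Bank CA", BANK_PRIV)
CHAIN = [USER_CERT, BANK_CERT, ROOT_CERT]
TRUSTED_ROOTS = {"Example Root CA": ROOT_PUB}

MESSAGE = b"PAY INR 5000000 FROM BANK-A TO BANK-B REF 0001"  # constructed
SIGNATURE = sign(USER_PRIV, MESSAGE)

if __name__ == "__main__":
    print(verify_message(MESSAGE, SIGNATURE, CHAIN, TRUSTED_ROOTS, set()))
    print(verify_message(MESSAGE + b"0", SIGNATURE, CHAIN, TRUSTED_ROOTS, set()))
    print(verify_message(MESSAGE, SIGNATURE, CHAIN, TRUSTED_ROOTS,
                         {("Example Bank CA", 7)}))
```

Real X.509 validation also checks validity dates and whether each issuer is permitted to act as a CA, and production signing uses a vetted cryptographic library with a padded signature scheme rather than raw RSA.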

Registration Authority (RA)

Before a user can be issued with a digital certificate, they need to be identified according
to the procedures of the Certificate Authority that is issuing the certificate. This
registration process is often handled by a separate Registration Authority (RA).

A Registration Authority is responsible for identifying users and notifying the Certificate
Authority that the user is allowed to be issued with a digital certificate. The RA does not
sign or issue digital certificates directly.

SWADHAN, Shared Payment Network Service Organised by IBA

Foreseeing the escalating demand and need for ubiquitous ATMs in the country, the
Indian Bank Association promoted SWADHAN in the year 1997 for its member
banks to share their ATMs with other participating banks. The drive is to reduce the huge
investment that is being made by the banks to deploy ATMs in different locations.
ATM (Automated Teller Machine) is the foremost among the electronic payment
gateways available in the banking segment. It made its presence in India in the year 1988.
It is a computerized device that enables bank customers to withdraw cash outside banking
hours. ATMs also accept cash and cheques, provide statements and effect transfers. Operated
by cash cards and a personal identification number (PIN), they are placed on outside
walls of banks. Of late, the deployment locations of ATMs include hospitals,
showrooms, shopping malls, and airports.

"Feeling short on cash, don't worry. Just walk over to the nearest automated teller
machine (ATM), insert your card into the card reader, respond to the prompts on the
screen, and within a minute you walk away with your money and a receipt. The story of
the humble cash-dispensing machine started around three decades back. In India, HSBC
set the trend and set up the first ATM machine here in 1987. Since then, they have
become a common sight in many of our metros. With more than 800,000 machines
worldwide, ATMs have made hard cash just seconds away all throughout the day at every
corner of the globe. ATMs allow you to do a number of banking functions -- such as
withdrawing cash from one's account, making balance inquiries and transferring money
from one account to another -- using a plastic, magnetic-strip card and personal
identification number issued by the financial institution."
[ source - http://www.indiainfoline.com/lyas/pefi/bank/atma.shtml]

SWADHAN, India's FIRST Shared Payment Network Service is unsurpassed in offering
countrywide access to the banking operations at more than 1000 ATMs in and around 64
cities. It has 55 member banks in the network, which includes nationalized, private and
foreign banks. SWADHAN provides convenient banking, 24 hours a day and 7 days a
week through the Automated Teller Machines to the participating bank's customers across
the country. With SWADHAN, the bank customers are never far away from an ATM.

The member bank's customer can withdraw money anytime from any of the ATMs
irrespective of the bank with which the customer has an account. It offers services beyond
cash withdrawals, like utility bill payment, fund transfer and deposits. SWADHAN
widens the scope of ATM usage in the country in a cost effective manner. A member bank
of SWADHAN can increase its geographical presence without deploying ATMs in all the
locations; instead it can share and use ATMs of other banks, thereby saving a substantial
amount. Likewise, the customer of the bank is highly benefited by having a nation-wide
access to the card, without holding multiple accounts in different banks.

The average transaction per day in the SWADHAN network is around 2500. The largest
and only Shared Payment Network System (SPNS) in India, SWADHAN is posting a
very impressive growth rate since its inception. In 1997, at the start of the network, the
number of ATMs in SWADHAN Network was only around 24, whereas today it has grown
to close to 1000 ATMs. Today, in the country, 25% of the ATMs are networked to
SWADHAN. Every day brings new ATMs and banks to the network.

Being the leading light in Shared Payment Network System for debit cards in India, it has
auspicious plans to provide connectivity to the international payment networks, such as
MasterCard and Visa, in a very formidable way. It is poised to enable the existing system
for e-payments thereby helping the banks excel in an e-powered service.

With Swadhan it was hoped that Indian banks' customers would be able to benefit from
an ATM pool that solved the problems of single-ATM outlet banks and their attendant
problems of limited access, distance and time.

The main features of Swadhan System

i. No exchange fee charged to change an old ATM card for a Swadhan card.
ii. Rs.3,000 fixed as the ceiling on withdrawal.
iii. Exception made for select customers who can withdraw up to Rs.10,000. Still,
this is lower than the average withdrawal of Rs.15,000 by regular ATMs.
iv. IBA gives banks the discretion to decide a higher maximum amount for
withdrawal.
v. Transactions conducted through any of the member banks appear on a bank
statement, which is given only by your own bank.

However, no overdraft facility is available on Swadhan cards.

Let's take a look at how the system works. A switch routes all information and
transactions among member institutions. It transmits the information and/or data to the
card-issuing bank or its processor, which approves or declines the transaction request and
notifies the switch. The card-issuing bank's decision is then routed by the switch to the
processor of the ATM, which completes the transaction. At the end of each day, accounts
among members are settled and account balances are transmitted to each member
institution.
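
The flow described above, as an added example that is not part of the original page or of SWADHAN's own software: a toy switch that routes each ATM request to the issuer, relays the decision, and nets the day's inter-bank positions. The bank names, the 4-digit card-prefix routing and the account data are hypothetical; the ceilings and the no-overdraft rule come from the feature list above.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Ceilings taken from the feature list above (rupees); banks may set higher ones.
STANDARD_CEILING = 3_000
SELECT_CEILING = 10_000


@dataclass
class IssuerBank:
    """Card-issuing member: holds the accounts and approves or declines."""
    name: str
    balances: dict                                   # account -> rupees
    select_customers: set = field(default_factory=set)

    def authorise(self, account, amount):
        if account not in self.balances:
            return False, "UNKNOWN_ACCOUNT"
        ceiling = SELECT_CEILING if account in self.select_customers else STANDARD_CEILING
        if amount <= 0 or amount > ceiling:
            return False, "OVER_CEILING"
        if amount > self.balances[account]:          # no overdraft on the card
            return False, "INSUFFICIENT_FUNDS"
        self.balances[account] -= amount
        return True, "APPROVED"


class Switch:
    """Routes ATM requests to the issuer, relays the decision, settles daily."""

    def __init__(self):
        self.routes = {}      # hypothetical 4-digit card prefix -> IssuerBank
        self.journal = []     # one record per request, approved or not

    def register(self, prefix, issuer):
        self.routes[prefix] = issuer

    def withdraw(self, acquirer, card, account, amount):
        issuer = self.routes.get(card[:4])
        if issuer is None:
            approved, reason = False, "NO_ROUTE"
        else:
            approved, reason = issuer.authorise(account, amount)
        self.journal.append({
            "acquirer": acquirer,
            "issuer": issuer.name if issuer else None,
            "amount": amount,
            "approved": approved,
            "reason": reason,
        })
        return approved, reason      # the ATM dispenses only on approval

    def settle(self):
        """Net position per member for the day; positive means 'to receive'."""
        net = defaultdict(int)
        for rec in self.journal:
            # On-us withdrawals (issuer's own ATM) create no inter-bank claim.
            if rec["approved"] and rec["issuer"] != rec["acquirer"]:
                net[rec["acquirer"]] += rec["amount"]   # ATM owner paid out cash
                net[rec["issuer"]] -= rec["amount"]     # issuer debited its customer
        return dict(net)


def run_day():
    """Constructed sample day with two hypothetical member banks."""
    bank_a = IssuerBank("BANK_A", {"A-1": 5_000, "A-2": 20_000}, {"A-2"})
    bank_b = IssuerBank("BANK_B", {"B-1": 2_000})
    switch = Switch()
    switch.register("5001", bank_a)
    switch.register("5002", bank_b)
    requests = [  # (ATM owner, card number, account, rupees)
        ("BANK_B", "5001000000000001", "A-1", 2_500),
        ("BANK_B", "5001000000000001", "A-1", 3_500),   # above standard ceiling
        ("BANK_B", "5001000000000002", "A-2", 8_000),   # select customer
        ("BANK_A", "5002000000000001", "B-1", 2_500),   # more than the balance
        ("BANK_A", "5002000000000001", "B-1", 1_500),
        ("BANK_A", "9999000000000001", "X-1", 1_000),   # no member for prefix
        ("BANK_A", "5001000000000001", "A-1", 1_000),   # on-us withdrawal
    ]
    outcomes = [switch.withdraw(*req)[1] for req in requests]
    return outcomes, switch.settle(), bank_a.balances, bank_b.balances


if __name__ == "__main__":
    outcomes, net, _, _ = run_day()
    print(outcomes)
    print(net)
```

The net positions always sum to zero, which gives the switch operator a simple integrity check before the day's balances are sent to members.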

BankNet

RBI, recognising the pressing need to harness information technology for intra-bank and
inter-bank communication, set up BANKNET in 1985. The design and implementation of
BANKNET was entrusted to M/s. CMC Ltd.

The BANKNET infrastructure uses RBInet, which is a communication software to
provide message and file transfer between branches of banks and across banks.

Commissioned in 1991, BANKNET is a packet switched X.25 based network with nodes
at Mumbai, Delhi, Chennai and Calcutta, and a switching centre at Nagpur with a mesh
topology. In addition, Bangalore and Hyderabad are connected to Chennai through
remote PADs. IBM 4381 mainframes at the 4 NCCs, connected to nodal Packet Switch
Exchanges (PSEs) through Front-End processors using NCP/NPSI (Network Control
Program/Network Packet Switching Interface), provide messaging facility. BANKNET
uses a store-and-collect transmission logic, provided by the Message Transfer Utility
(MTU), in the systems.

User banks access BANKNET through leased lines at the respective local centres using
asynchronous ports on PADs and PC/UNIX machines with COMET (Computerised
Message Transfer and File Transfer) software, developed in 'C'. The Message Transfer
Utility enables 400 users to login at a time at each IBM node.

COMET has facilities for message creation, deletion, editing, ascertaining status of
messages, listing and receiving acknowledgement etc. It also permits free format
messages of 8 lines of 48 characters each.

Various message format templates, similar to SWIFT formats are available in COMET.
Message formats for funds transfer applications such as TT issue, TT Purchase and TT
Confirmation, Bank transfer on own account, Bank transfer in favour of a third party, etc.
are available. Similarly several message formats for critical data transmission activities
such as reporting weekly statement of accounts, daily and monthly balances of
Government accounts, agency transactions in Government accounts, transfer responding
advices, foreign currency rates, advice of cheques for collection, balance queries, inter-
city advices etc. too are available.

The Electronic Clearing Service

We have already discussed at length INFINET, a high-tech communication facility
established by RBI to take Indian Banking to the new millennium. There can be no better
measure of success of the INFINET than the facility for quick funds transfer. The Reserve
Bank of India has, over the last few years, developed many new products for the benefit
of banks which are all aimed at ultimately improving customer service and systemic
efficiency. One of these - the Electronic Clearing Service (ECS) - is aimed at effecting
electronically, repetitive credits or debits for a large population of customers spread
across a large number of branches of many banks.

ECS (Credit Clearing)

This is a new method of payment whereby the institutions having to make a large number
of payments (such as interest / dividend) can directly deposit the amount into the bank
accounts of the share-holders/ depositors/ investors without having to issue paper
instruments.

Bulk and repetitive payments like interest/dividend are mostly paper based, involving
printing of warrants (in costly MICR format), dispatching them by post (most often by
Regd. post) and reconciliation thereof after payment by the agency banks. The difficulties
are:

• It requires an expensive administrative machinery for printing, dispatch and
reconciliation
• Bunching of a large number of instruments in clearing results in operational
bottlenecks and pressures on the cheque processing system
• Chances of loss of instruments in transit and their fraudulent encashment
• The customer has also to keep track of the receipt/non-receipt of the instrument
and take efforts in depositing the instrument to the bank on receipt of the same;
• Banks find processing of such a large volume of instruments not only error prone
and monotonous, but also a strain on the cheque clearing system.

How does ECS (Credit Clearing) work?

• Step 1: The corporate body/institution (called "User") which has to make
payments to a large number of customers/investors would prepare the payment
data on a magnetic media (i.e., tape or floppy) and submit the same to its banker
(Sponsor Bank).
• Step 2: The Sponsor Bank would present the payment data to the local Bankers'
Clearing House (managed by Reserve Bank of India at 15 centres and by State
Bank of India or Associate banks at other centres) authorising the Manager of the
Clearing House to debit the Sponsor Bank's account and credit the accounts
(Destination Bank) of the banks where the beneficiaries of the transactions
maintain their accounts.
• Step 3: On receiving this authorisation, the Clearing House will process the data
and work out an inter-bank funds settlement.
• Step 4: The Clearing House will furnish to the service branches of the
destination banks branch-wise credit reports indicating the beneficiary details
such as the names of the branches where the accounts are maintained, the names
of the beneficiaries, account type, account numbers and the respective amounts.
• Step 5: The service branches will in turn pass on the advices to the concerned
branches of their bank, which will credit the beneficiaries' accounts on the
appointed date.

How does this Scheme benefit a corporate body / institution?

• Savings in administrative cost presently being incurred for printing of paper
instruments in MICR format and dispatching them by Registered Post.
• Loss of instruments in transit or fraudulent encashment thereof totally eliminated.
• Reconciliation of transactions is made automatic. By the time the ECS cycle is
completed, the user institution gets an electronic data file from its bank with the
date of payment and banker's confirmation thereon.
• Cash management becomes easier as arrangement for funds is required to be
made only on the specified date.
• Ensuring better customer/investor service.
• Paying the way the best companies in the world pay to their share holders/
investors, customers

How does the Scheme benefit the beneficiary customer?

• Payment on the due date
• Effortless receipt - No need for visiting the bank for depositing the
dividend/interest warrant.
• Loss of instrument in transit or fraudulent encashment thereof and consequent
correspondence with the company are totally eliminated

ECS (Debit) Clearing - What is Electronic Clearing Service (Debit)?

The Reserve Bank of India has introduced the Electronic Clearing Service (Debit) scheme
to provide a faster method of effecting periodic and repetitive payments by 'direct debit' to
customers' accounts (duly authorised), thereby minimising paper transactions and
increasing customer satisfaction. Electronic Clearing Service (Debit) envisages "a large
number of debits and one credit" in the case of collection of electricity bills, telephone
bills, loan installments, insurance premia, Club fees, etc. by the Utility Service Providers.

As per the existing system for collection of electricity bills and telephone bills, the
customers/subscribers are required to go to the collection centres /designated banks and
stand in long queues for payment of bills/dues. There would not be any cash transaction
or payment through cheques in the new system. There is an overall limit of Rs.5,00,000
per transaction. Levy of service charges by both sponsoring bank and destination bank is
now left entirely to the discretion of respective banks. A sum of Rs.0.50 p. only is
collected by NCC, RBI towards Clearing House charges. Utility service providers like
MTNL, Telephone/Mobile companies, Telecom Departments, State Electricity Boards,
Banks (for collection of credit cards dues), LIC, Housing Finance Companies,
Intermediaries and Clubs etc. are making use of the ECS (Debit) Clearing system.

How does ECS (Debit) work?

• Utility Companies, banks/institutions receiving periodic/repetitive payments
towards electricity bills/telephone bills/loan installments/insurance premia
initially collect mandates from their customers / subscribers for collection of
amounts due from them by direct debit to their accounts with banks. The mandate
provides details such as the name, account number, name of bank/branch etc. duly
certified by the bank concerned.
• Based on the details furnished in the mandates, the user company prepares
transaction data on electronic media and submits the encrypted data to the local
Clearing House, through its Sponsor bank.
• After due validation of the data, the local clearing house processes the same and
arrives at the inter-bank settlement as also generates bank-wise/branch-wise
reports (hard copies).
• NCC debits the destination banks' accounts with clearing house and
simultaneously affords a consolidated credit to the sponsor bank's account and
furnishes the bank-wise and branch-wise reports to the service branches of
destination banks.
• Service branches forward the branch-wise reports to the respective branches for
debiting the accounts of customers with the indicated amounts.
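
The clearing-house step of both schemes (Step 3 and Step 4 of ECS Credit, and the validation and settlement steps of ECS Debit), as an added example that is not part of the original page or of any clearing house's own software. The record layout, the rejection codes and all names and amounts are hypothetical; the Rs.5,00,000 per-transaction limit and the mandate requirement are the ones stated above for ECS (Debit).

```python
from collections import defaultdict
from dataclasses import dataclass

PER_TXN_LIMIT = 500_000      # Rs.5,00,000 per transaction, stated for ECS (Debit)


@dataclass(frozen=True)
class Entry:
    bank: str       # destination bank
    branch: str
    account: str
    name: str
    amount: int     # whole rupees


def process_batch(direction, sponsor, entries, mandates=frozenset()):
    """Validate a user file, then derive settlement and branch-wise reports.

    direction "credit": one debit to the sponsor bank, many credits.
    direction "debit" : many debits to destination banks, one consolidated
                        credit to the sponsor bank; every entry must match a
                        mandate (bank, branch, account) and stay within the limit.
    """
    if direction not in ("credit", "debit"):
        raise ValueError("direction must be 'credit' or 'debit'")

    accepted, rejected = [], []
    for e in entries:
        if e.amount <= 0:
            rejected.append((e, "BAD_AMOUNT"))
        elif direction == "debit" and e.amount > PER_TXN_LIMIT:
            rejected.append((e, "OVER_LIMIT"))
        elif direction == "debit" and (e.bank, e.branch, e.account) not in mandates:
            rejected.append((e, "NO_MANDATE"))
        else:
            accepted.append(e)

    sign = 1 if direction == "credit" else -1
    settlement = defaultdict(int)                    # bank -> net rupees
    reports = defaultdict(lambda: defaultdict(list))  # bank -> branch -> rows
    for e in accepted:
        settlement[e.bank] += sign * e.amount
        settlement[sponsor] -= sign * e.amount
        reports[e.bank][e.branch].append((e.account, e.name, e.amount))

    return {
        "settlement": dict(settlement),
        "reports": {bank: dict(branches) for bank, branches in reports.items()},
        "rejected": rejected,
    }


# Constructed sample file and mandate register (all values hypothetical).
SAMPLE = [
    Entry("BANK_X", "BR01", "1001", "A. Rao", 1_200),
    Entry("BANK_X", "BR02", "1002", "B. Sen", 800),
    Entry("BANK_Y", "BR07", "2001", "C. Das", 600_000),   # above the debit limit
    Entry("BANK_Y", "BR07", "2002", "D. Roy", 450),       # no mandate on file
    Entry("BANK_Y", "BR09", "2003", "E. Nair", 2_500),
]
MANDATES = frozenset({
    ("BANK_X", "BR01", "1001"),
    ("BANK_X", "BR02", "1002"),
    ("BANK_Y", "BR07", "2001"),
    ("BANK_Y", "BR09", "2003"),
})

if __name__ == "__main__":
    result = process_batch("debit", "SPONSOR_BANK", SAMPLE, MANDATES)
    print(result["settlement"])
    for entry, reason in result["rejected"]:
        print("rejected:", entry.account, reason)
```

Rejected entries never reach the settlement figures, so an unmandated or over-limit debit cannot move funds even if it is present in the submitted file.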

Benefits under ECS (Debit)

• Faster collection of bills by the companies and better cash management by them
• Eliminates the need for customers to go to the collection centres/banks and
stand in long queues for payment
• Automatic debiting of the accounts, once the mandates to that effect are given by
the customers, cuts down the procedural delay

Internet Banking in India - Guidelines Issued by RBI

Reserve Bank of India had set up a 'Working Group on Internet Banking' to examine
different aspects of Internet Banking (I-banking). The Group had focussed on three major
areas of I-banking, i.e.,

i. technology and security issues,
ii. legal issues and
iii. regulatory and supervisory issues.

RBI has accepted the recommendations of the Group to be implemented in a phased
manner. Accordingly, the following guidelines are issued for implementation by banks.
Banks are also advised that they may be guided by the original report, for a detailed
guidance on different issues.

Technology and Security Standards

a. Banks should designate a network and database administrator with clearly defined
roles as indicated in the Group's report
b. Banks should have a security policy duly approved by the Board of Directors.
There should be a segregation of duty of Security Officer / Group dealing
exclusively with information systems security and Information Technology
Division which actually implements the computer systems. Further, Information
Systems Auditor will audit the information systems.
c. Banks should introduce logical access controls to data, systems, application
software, utilities, telecommunication lines, libraries, system software, etc.
Logical access control techniques may include user-ids, passwords, smart cards or
other biometric technologies.
d. At the minimum, banks should use the proxy server type of firewall so that there
is no direct connection between the Internet and the bank's system. It facilitates a
high level of control and in-depth monitoring using logging and auditing tools.
For sensitive systems, a stateful inspection firewall is recommended which
thoroughly inspects all packets of information, and past and present transactions
are compared. These generally include a real time security alert.
e. All the systems supporting dial up services through modem on the same LAN as
the application server should be isolated to prevent intrusions into the network as
this may bypass the proxy server.
f. PKI (Public Key Infrastructure) is the most favoured technology for secure
Internet banking services. However, as it is not yet commonly available, banks
should use the following alternative system during the transition, until the PKI is
put in place:
g. Usage of SSL (Secured Socket Layer), which ensures server authentication and
use of client side certificates issued by the banks themselves using a Certificate
Server.
h. The use of at least 128-bit SSL for securing browser to web server
communications and, in addition, encryption of sensitive data like passwords in
transit within the enterprise itself.
i. It is also recommended that all unnecessary services on the application server
such as FTP (File Transfer Protocol), telnet should be disabled. The application
server should be isolated from the e-mail server.
j. All computer accesses, including messages received, should be logged. Security
violations (suspected or attempted) should be reported and follow up action taken
should be kept in mind while framing future policy. Banks should acquire tools
for monitoring systems and the networks against intrusions and attacks. These
tools should be used regularly to avoid security breaches. The banks should
review their security infrastructure and security policies regularly and optimize
them in the light of their own experiences and changing technologies. They
should educate their security personnel and also the end-users on a continuous
basis.
k. The information security officer and the information system auditor should
undertake periodic penetration tests of the system, which should include:
i. Attempting to guess passwords using password-cracking tools.
ii. Search for back door traps in the programs.
iii. Attempt to overload the system using DDoS (Distributed Denial of
Service) & DoS (Denial of Service) attacks.
iv. Check if commonly known holes in the software, especially the browser
and the e-mail software exist.
v. The penetration testing may also be carried out by engaging outside
experts (often called 'Ethical Hackers').
l. Physical access controls should be strictly enforced. Physical security should
cover all the information systems and sites where they are housed, both against
internal and external threats.
m. Banks should have proper infrastructure and schedules for backing up data. The
backed-up data should be periodically tested to ensure recovery without loss of
transactions in a time frame as given out in the bank's security policy. Business
continuity should be ensured by setting up disaster recovery sites. These facilities
should also be tested periodically.
n. All applications of banks should have proper record keeping facilities for legal
purposes. It may be necessary to keep all received and sent messages both in
encrypted and decrypted form.
o. Security infrastructure should be properly tested before using the systems and
applications for normal operations. Banks should upgrade the systems by
installing patches released by developers to remove bugs and loopholes, and
upgrade to newer versions which give better security and control.
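
One way to check a server inventory against items d, e, h, i and j above, as an added example that is not part of the RBI circular or of the original page. The inventory format, host names and field names are hypothetical, and the 128-bit floor is the guideline's own figure.

```python
MIN_CIPHER_BITS = 128                      # item h: at least 128-bit SSL
BANNED_ON_APP_SERVER = {"ftp", "telnet"}   # item i: unnecessary services

# Constructed inventory; every host, field and value here is hypothetical.
INVENTORY = [
    {"host": "proxy1", "roles": {"proxy_firewall"}, "segment": "dmz",
     "internet_direct": True, "services": {"http-proxy"}, "cipher_bits": [],
     "modem": False, "access_log": True},
    {"host": "app1", "roles": {"application"}, "segment": "lan-a",
     "internet_direct": False, "services": {"https", "telnet"},
     "cipher_bits": [128, 40], "modem": False, "access_log": True},
    {"host": "ras1", "roles": {"dialup"}, "segment": "lan-a",
     "internet_direct": False, "services": {"ppp"}, "cipher_bits": [],
     "modem": True, "access_log": True},
    {"host": "app2", "roles": {"application", "email"}, "segment": "lan-b",
     "internet_direct": False, "services": {"https", "smtp"},
     "cipher_bits": [128], "modem": False, "access_log": False},
]


def audit(inventory):
    """Return (host, guideline item, finding) for each deviation found."""
    findings = []
    # LAN segments that carry an application server (needed for item e).
    app_segments = {h["segment"] for h in inventory if "application" in h["roles"]}

    for h in inventory:
        host = h["host"]
        # Item d: only the proxy firewall may face the Internet directly.
        if h["internet_direct"] and "proxy_firewall" not in h["roles"]:
            findings.append((host, "d", "direct Internet connection bypasses the proxy"))
        # Item e: dial-up systems must not share a LAN with the application server.
        if h["modem"] and h["segment"] in app_segments:
            findings.append((host, "e", f"modem on application segment {h['segment']}"))
        # Item h: every cipher the host accepts must meet the floor.
        weak = sorted(b for b in h["cipher_bits"] if b < MIN_CIPHER_BITS)
        if weak:
            findings.append((host, "h", f"accepts ciphers below 128 bits: {weak}"))
        if "application" in h["roles"]:
            # Item i: FTP and telnet disabled, e-mail kept on a separate server.
            banned = sorted(h["services"] & BANNED_ON_APP_SERVER)
            if banned:
                findings.append((host, "i", f"unnecessary services enabled: {banned}"))
            if "email" in h["roles"]:
                findings.append((host, "i", "application server also acts as e-mail server"))
        # Item j: all computer accesses should be logged.
        if not h["access_log"]:
            findings.append((host, "j", "access logging disabled"))
    return findings


if __name__ == "__main__":
    for host, item, text in audit(INVENTORY):
        print(f"{host}: item {item}: {text}")
```
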

Legal Issues

a. Considering the legal position prevalent, there is an obligation on the part of
banks not only to establish the identity but also to make enquiries about integrity
and reputation of the prospective customer. Therefore even though request for
opening account can be accepted over Internet, accounts should be opened only
after proper introduction and physical verification of the identity of the customer.
b. From a legal perspective, security procedure adopted by banks for authenticating
users needs to be recognized by law as a substitute for signature. In India, the
Information Technology Act, 2000, in Section 3(2) provides for a particular
technology (viz., the asymmetric crypto system and hash function) as a means of
authenticating electronic record. Any other method used by banks for
authentication should be recognized as a source of legal risk.
c. Under the present regime there is an obligation on banks to maintain secrecy and
confidentiality of customers' accounts. In the Internet banking scenario, the risk of
banks not meeting the above obligation is high on account of several factors.
Despite all reasonable precautions, banks may be exposed to enhanced risk of
liability to customers on account of breach of secrecy, denial of service etc.,
because of hacking/ other technological failures. The banks should, therefore,
institute adequate risk control measures to manage such risks.
d. In Internet banking scenario there is very little scope for the banks to act on stop-
payment instructions from the customers. Hence, banks should clearly notify to
the customers the timeframe and the circumstances in which any stop-payment
instructions could be accepted.
e. The Consumer Protection Act, 1986 defines the rights of consumers in India and
is applicable to banking services as well. Currently, the rights and liabilities of
customers availing of Internet banking services are being determined by bilateral
agreements between the banks and customers. Considering the banking practice
and rights enjoyed by customers in traditional banking, banks' liability to the
customers on account of unauthorized transfer through hacking, denial of service
on account of technological failure etc. needs to be assessed and banks providing
Internet banking should insure themselves against such risks. (Para 7.11.1)

Regulatory and Supervisory Issues

As recommended by the Group, the existing regulatory framework over banks will be
extended to Internet banking also. In this regard, it is advised that:

1. Only such banks which are licensed and supervised in India and have a physical
presence in India will be permitted to offer Internet banking products to residents
of India. Thus, both banks and virtual banks incorporated outside the country and
having no physical presence in India will not, for the present, be permitted to offer
Internet banking services to Indian residents.
2. The products should be restricted to account holders only and should not be
offered in other jurisdictions.
3. The services should only include local currency products.
4. The 'in-out' scenario where customers in cross border jurisdictions are offered
banking services by Indian banks (or branches of foreign banks in India) and the
'out-in' scenario where Indian residents are offered banking services by banks
operating in cross-border jurisdictions are generally not permitted and this
approach will apply to Internet banking also. The existing exceptions for limited
purposes under FEMA i.e. where resident Indians have been permitted to continue
to maintain their accounts with overseas banks etc., will, however, be permitted.
5. Overseas branches of Indian banks will be permitted to offer Internet banking
services to their overseas customers subject to their satisfying, in addition to the
host supervisor, the home supervisor.

Given the regulatory approach as above, banks are advised to follow the following
instructions:

a. All banks, who propose to offer transactional services on the Internet should
obtain prior approval from RBI. Bank's application for such permission should
indicate its business plan, analysis of cost and benefit, operational arrangements
like technology adopted, business partners, third party service providers and
systems and control procedures the bank proposes to adopt for managing risks.
The bank should also submit a security policy covering recommendations made in
this circular and a certificate from an independent auditor that the minimum
requirements prescribed have been met. After the initial approval the banks will
be obliged to inform RBI any material changes in the services / products offered
by them.
b. Banks will report to RBI every breach or failure of security systems and
procedure and the latter, at its discretion, may decide to commission special audit
/ inspection of such banks. (Para 8.4.3)
c. The guidelines issued by RBI on 'Risks and Controls in Computers and
Telecommunications' vide circular DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated
4th February 1998 will equally apply to Internet banking. The RBI as supervisor
will cover the entire risks associated with electronic banking as a part of its
regular inspections of banks.
d. Banks should develop outsourcing guidelines to manage risks arising out of third
party service providers, such as, disruption in service, defective services and
personnel of service providers gaining intimate knowledge of banks' systems and
misutilizing the same, etc., effectively. (Para 8.4.7)
e. With the increasing popularity of e-commerce, it has become necessary to set up
'Inter-bank Payment Gateways' for settlement of such transactions. The protocol
for transactions between the customer, the bank and the portal and the framework
for setting up of payment gateways as recommended by the Group should be
adopted.
f. Only institutions who are members of the cheque clearing system in the country
will be permitted to participate in Inter-bank payment gateways for Internet
payment. Each gateway must nominate a bank as the clearing bank to settle all
transactions. Payments effected using credit cards, payments arising out of cross
border e-commerce transactions and all intra-bank payments (i.e., transactions
involving only one bank) should be excluded for settlement through an inter-bank
payment gateway.
g. Inter-bank payment gateways must have capabilities for both net and gross
settlement. All settlement should be intra-day and as far as possible, in real time.
h. Connectivity between the gateway and the computer system of the member bank
should be achieved using a leased line network (not through Internet) with
appropriate data encryption standard. All transactions must be authenticated.
Once the regulatory framework is in place, the transactions should be digitally
certified by any licensed certifying agency. SSL / 128 bit encryption must be used
as minimum level of security. Reserve Bank may get the security of the entire
infrastructure both at the payment gateway's end and the participating institutions'
end certified prior to making the facility available for customers use.
i. Bilateral contracts between the payee and payee's bank, the participating banks
and service provider and the banks themselves will form the legal basis for such
transactions. The rights and obligations of each party must be clearly defined and
should be valid in a court of law.
j. Banks must make mandatory disclosures of risks, responsibilities and liabilities of
the customers in doing business through Internet through a disclosure template.
The banks should also provide their latest published financial results over the net.
k. Hyperlinks from banks' websites often raise the issue of reputational risk. Such
links should not mislead the customers into believing that banks sponsor any
particular product or any business unrelated to banking. Hyperlinks from a bank's
website should be confined to only those portals with which they have a payment
arrangement or sites of their subsidiaries or principals. Hyperlinks to banks'
websites from other portals are normally meant for passing on information
relating to purchases made by banks' customers in the portal. Banks must follow
the minimum recommended security precautions while dealing with request
received from other websites, relating to customers' purchases.

The Reserve Bank of India has decided that the Group's recommendations as detailed in
this circular should be adopted by all banks offering Internet banking services, with
immediate effect. Even though the recommendations have been made in the context of
Internet banking, these are applicable, in general, to all forms of electronic banking and
banks offering any form of electronic banking should adopt the same to the extent
relevant.

All banks offering Internet banking are advised to make a review of their systems in the
light of this circular and report to Reserve Bank the types of services offered, extent of
their compliance with the recommendations, deviations and their proposal indicating a
time frame for compliance. The first such report must reach us within one month from the
date of this circular. Banks not offering any kind of I-banking may submit a 'nil' report.

Banks who are already offering any kind of transactional service are advised to report, in
addition to those mentioned in paragraph above, their business models with projections of
cost / benefits etc. and seek our post-facto approval.

Designing a System of Computerisation for a Commercial Bank

Complexities of the Task

By virtue of its intrinsic character, software development involves complexities in terms
of system analysis and system design. Once these complex processes are simplified by
division of the complex whole through proper system analysis into blocks and modules
for handling, programming is a routine task carried out by a batch of programmers. While
this is so, if we observe the functions, organisational structure and business policies of
commercial banks, we find that the data structure and data flow to be handled and
computerised are really baffling.

Banking and finance are inter-connected activities and are not carried out in isolation
independently by different institutions. We have seen in the earlier web pages the
momentous and systematic planning & implementation of measures by RBI intended
towards reaping the benefit of computerisation by banking & Financial System as a
whole.

It has little effect if a few branches of a bank are computerised without
creating connectivity between the different branches and the Head office/administrative offices and
service offices. If one bank alone is computerised in the banking system, the benefits are
at best marginal. Computerisation has to be accepted as a necessary technology for
survival by the entire segment of finance, commerce and banking to be of real benefit and
usher in marvelous results. As we have studied the diverse efforts of RBI for the benefit
of the banking and financial system as a whole, we will now look to the efforts needed at
individual banks or institutions.

Computerisation of Banks - Safeguards & Issues to be Considered

Commercial banks have to handle data in a secured manner protecting on the one hand
the integrity of the data handled/ transmitted and equally safeguarding against the risks of
tampering and fraudulent interruptions by criminals & unscrupulous persons. They have
to maintain as a legal obligation the secrecy of customers' business and personal
information. Since a large number of persons at different geographical centres attend to
Data Input, a system of accountability has to be enforced, for the accuracy and integrity
of each individual entry/transaction at both the operational & supervisory levels.

A commercial bank consists of several branches geographically spread over a vast area
and handling a multitude of business transactions. Regional, zonal offices and head office
exercise control functions and also attend to major investment and business policy
decisions. They issue periodic directions to the branches for compliance. The branches
deal amongst themselves and with other institutions for several kinds of agency
transactions. They submit business proposals, control returns and compliance reports for
audit observations to controlling offices and thus regularly interact with the
administrative and head offices.

The branches also deal with other banks located at different geographical destinations
within the country. They have to deal with branches of banks located overseas for
transacting services relating to imports and exports.

The branches are of different kinds, small, medium, large and very large, as also location-
wise as rural, semi-urban, urban and metropolitan. These handle different types of
business-mix. There are also specialised branches handling only foreign exchange
business (financing imports & exports, foreign remittances etc.), branches exclusively
handling financing of small industries, of corporate customers etc.

Similarly the branches deal with distinct types of customers, but broadly these customers
can be classified as individuals (personal banking) and commercial (banking for business
customers). Personal banking involves servicing deposit accounts of different categories,
and retail banking relating to credit delivery (Home loans, loans for purchase of
consumer durables, vehicles, advance against shares & securities, life policies etc. and
provision of services like safe deposit lockers, buying and selling securities, investment in
mutual funds etc.) to individual customers. Business/corporate customers need different
types of credit facilities, remittances of funds, collection of receivables, issue of letters of
credit, guarantees etc.

The Regional/Zonal offices, as also head office have to maintain large databases
consisting of information on diverse topics. They may have to maintain inventory of
employees/officers, process pay roll, reconcile inter-branch transactions, scrutinise/audit
MIS return and advise follow-up measures.

Head office of the bank has to handle investment transactions, monitor SLR and CRR, as
also Asset-Liability Management, centralisation and finalisation of accounts, statutory
responsibilities etc.

These diverse functions and processes of the bank have to be computerised in an
integrated and synchronised manner, so that the data fed at one point percolates and
activates the entire subsequent chain of related processes/stages automatically at the place of the
transaction and at all other connected points and is available at points, where a reference
to it is essential.

Options, Considerations & Choices

100% computerisation, when possible and worthwhile, is commendable. But small rural
offices need not be connected. Even in bigger branches only frequent and repeated
processes may be computerised. If a branch normally handles only two guarantees being
issued per month, it may not be advisable to maintain a package for this. It is more prudent
to manually carry out such small processes. In short, computerisation should be
considered from the point of cost vs. benefit analysis.

Remote branches which are not connected with other offices may carry on with stand-
alone system and forward data to regional office through computer floppies. The
integration of the data of these offices with the total system will be carried out at the
Regional offices.

Basically the package should provide for the following features though these may be
designed individually by way of separate packages for different purposes/places.

i. Mutual integration or Data synchronisation - Each transaction will be inputted
only once at the point of preparation of the voucher. All subsequent processes like
maintaining cash book, posting personal ledgers, preparing day book, posting in
general Ledger and subsidiary general Ledgers will be automated.
ii. Distinct package for each function, so that different branches can configure
software systems according to their specific needs.
iii. Data Integrity - It should be ensured that the accuracy of the data maintained is
beyond question.
iv. Access control - Only authorised persons will be allowed to access particular data
at each point. This process is automated through User IDs and Passwords.
v. Total security of data, and protection during transmission over the line. Scope for
unauthorised tampering of data or access to data while in transmission is to be
eliminated.
vi. It should be possible for each data entry to be identified in terms of the operator
who inputted the same and the supervisor, who checked and approved the same.
In particular it is very important in respect of debit or credit entries made to
customers' accounts.
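
Features iii, iv and vi can be enforced together at the point where a voucher is posted. The following is an added example, not code from any banking package: the user names, roles, account number and amounts are constructed, and the hash chain is one assumed way of making later alteration of an entry detectable.

```python
import hashlib
import json

# Constructed users and roles, for this example only.
ROLES = {
    "op_anita": {"operator"},
    "op_ravi": {"operator"},
    "sup_meera": {"supervisor"},
    "mgr_dev": {"operator", "supervisor"},
}
GENESIS = "0" * 64  # value chained in front of the first entry


class JournalError(Exception):
    """An entry breaks access control or the operator/supervisor rule."""


def entry_hash(prev_hash, body):
    # Canonical JSON so that the same entry always produces the same hash.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class VoucherJournal:
    def __init__(self):
        self.entries = []

    def post(self, operator, supervisor, account, side, amount_paise):
        # Feature iv: only authorised persons may input or approve.
        if "operator" not in ROLES.get(operator, set()):
            raise JournalError(f"{operator} may not input vouchers")
        if "supervisor" not in ROLES.get(supervisor, set()):
            raise JournalError(f"{supervisor} may not approve vouchers")
        # Feature vi: the checker must be a different person from the maker.
        if operator == supervisor:
            raise JournalError("operator and supervisor must be different people")
        if side not in ("debit", "credit") or amount_paise <= 0:
            raise JournalError("invalid voucher")
        body = {
            "seq": len(self.entries) + 1,
            "account": account,
            "side": side,
            "amount_paise": amount_paise,
            "operator": operator,      # who inputted the entry
            "supervisor": supervisor,  # who checked and approved it
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(body, hash=entry_hash(prev, body))
        self.entries.append(entry)
        return entry

    def first_bad_entry(self):
        """Feature iii: return the seq of the first altered entry, or None."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry_hash(prev, body) != entry["hash"]:
                return entry["seq"]
            prev = entry["hash"]
        return None


def demo():
    journal = VoucherJournal()
    journal.post("op_anita", "sup_meera", "SB-1001", "credit", 500000)
    journal.post("op_ravi", "sup_meera", "SB-1001", "debit", 120000)
    journal.post("op_anita", "mgr_dev", "SB-1001", "debit", 30000)
    before = journal.first_bad_entry()
    journal.entries[1]["amount_paise"] = 20000  # simulated later alteration
    return before, journal.first_bad_entry()


if __name__ == "__main__":
    print(demo())
```

The chain only proves alteration if the latest hash is also held somewhere the branch cannot rewrite, for example at the controlling office; a person who can rewrite the whole journal can recompute every hash.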

Another important consideration is ensuring a smooth transition from manual to
computerised process, to be carried out at several distributed centres handling &
involving huge data-flow and stored databases. The Indian example was to computerise
exhaustively at head office and administrative offices at the initial stage, and to start
computerisation of branches selectively on stand-alone machines, along with training the
operating staff properly. At the beginning it is customary to operate on parallel process
for a few weeks, when both manual and electronic systems will be maintained.

Organising Computerisation of Banking Operations - Preliminary Steps

Start with building an in-house infrastructure at the Corporate level of the Bank. Create a
department or Division for planning/executing computerisation of operations and allied
matters under charge of a qualified System Manager. Also create the training
infrastructure for training batches of staff in the use of computer applications. After
creating the infrastructure at the head office, the process should be repeated at the Zonal
Offices.

Bigger banks operating at all-India level have considered it prudent to start their R & D
Centre in addition to creating a training institution.

Start planning computerisation of key operations attended at head office and zonal
offices. Simultaneously arrange for membership of SWIFT and INFINET and extend the
facility to key branches in the first instance. Bring pay roll processing and inter-branch
reconciliation under computerisation, followed by consolidation of financial accounts on
the basis of weekly statements from the branches. Regional office/zonal office will
process the statements received from the branches under their jurisdiction and these
would be further consolidated at Head Office.

While entrusting the contracts to leading IT Firms, negotiate for joint ownership of IPR
for the products. This will enable the bank to get copies of the system analysis and
system design reports and also a copy of the source code. The bank will be in a position
for minor updation of the programs whenever needed, without reference to the IT
Company. The contract with the IT Company should include provision for getting a user
manual and also a maintenance manual, along with the other literature. All these
documents should be placed in fire-proof safes.

The next stage is to acquire the hardware needed. By the time the INFINET facility is
secured, link head office with Zonal offices/Regional offices and large/very large
branches. Computerisation of individual departments/divisions of Head office, Zonal and
regional offices can be taken up, along with introduction of stand alone machines for
computerisation of key operations at select branches that attract considerable daily turn-
over. At this stage the training infrastructure should be strengthened and further
decentralised.

Inter-connect key branches through bank's independent Network mutually and with
regional, Zonal and Head offices. Branch computerisation is key to the success of
electronic banking and it is to be planned meticulously. The following functions of the
branch need to be computerised in distinct packages, with mutual synchronisation.

Now you come to the important stage of full computerisation of the branches with
automated links with Head office. The bank by this time has gained good experience in
the working of the systems at Head office, Zonal office and Regional office. Steps to be
followed in this direction are discussed in the next page.

Designing a System of Computerisation for a Commercial Bank - Steps for
Implementation at Individual Bank Level

Branch Computerisation

We have seen the significant role played by Reserve Bank of India in ushering in the era of
technology upgradation of banking in India. But for the efficient computerised service to
reach the customer, the initiative rests with the individual banks. They have to
computerise the critical, but recurring functions of head office, zonal and other
administrative offices, effect connectivity of the branches mutually with head
office/administrative office, and finally computerise internal operations of the branches.
With this the task does not end, since customers have to be provided anytime and any place
banking service, as also 24 hours a day and seven days a week banking service.
ATMs have to be set up and credit card service introduced, along with provision of e-
banking or Internet-banking to the customers. How to plan and execute this momentous
task over a vast number of branches geographically spread, representing varying size and
type of functions? A broad outline of considerations that should weigh in designing such
a system is provided here.

The software for branch computerisation should provide for core modules representing
the common features of all branches with special add-ons for specific branches handling
additional/special functions. The module should provide both for operation on stand-
alone computers loading department-wise/function-wise packages and for integrated
functioning on the network system. It should be a multi user product enabling different
persons to operate the same package for a particular function, or each person to use
different packages. The basic core modules should cover the general ledger, transaction
processing, security access and authorisation, customer information, and customer
services covering each and every banking service provided to the customer (either credit
or deposit). Services provided at specific branches like foreign exchange transactions and
letters of credit can be optionally provided by way of add-ons. It should provide for
generation of MIS reports, and for capturing and retrieval of specimen signatures of
customers whenever needed for comparison.

1. Computerisation of In-house accounts: This should start with computerised
generation of vouchers from control records, followed by automation of other
processes, like cash book, transfer scroll, day book, General Ledger, subsidiary
General Ledger, sectional ledgers etc. The data input will be done only at the
stage of vouching. All other processes will be automated.
2. As it is, computerisation has not significantly come to the level of customer
service, but accuracy and speed in maintenance of basic records improves the
overall efficiency. However functional services have already been computerised
in these branches with stand alone P.Cs.
3. These services should now be upgraded to full computerisation setting up a single
connected network, which should also be connected with the controlling office
RO or ZO as the case may be. The program should include automatic generation of
MIS and control returns and such returns for each branch should be possible to be
generated directly at the controlling office. When this stage is completed we may
state that we have completed computerisation of back-office functions.

Introduction of Internet Banking

Internet banking is used in our country only by selected members of the educated
customers. This is because, despite India being one of the leading IT service providers in
the world, there is a huge digital divide in our country. Percentage of P.C. using
population is very small. Hence the branches where this facility should be introduced
should be carefully selected.

Next consideration that should weigh is the implementation of security protection.
Internet banking is prone to computer crimes and computer frauds, as discussed earlier in
the chapter on computer crimes. A foolproof security system should be provided that
protects the Bank from attempts of vile hackers on the one hand and also the secrecy of
customers' data.

There are two classes of customers that would avail e-banking service: individual
customers and corporate customers. In India a variety of Internet Banking services to both
types of customers are provided by Citibank, HSBC and ICICI Banks. The service brings
anytime anywhere banking to the doorsteps of the customers and against one-time initial
investment, recurring expenses would be minimal.

How Internet has Changed Banking and Financial Services to Organise,
Manage Their Employees and Structure Themselves to
Effectively Control their Activities - Part: 1

Banks and Financial Institutions are service-providing organisations. They serve a very
large number of clients spread all over the country. These institutions provide service
through a network of branches and cater to the needs of their customers in different areas
with personalised service. Traditionally they were all operating by manual processing
of data, applying "pen & ink" as tools and recording data in several ledgers, books and
registers. They were depending on newspaper and other media publicity for reaching their
customers whenever any important message on a mass coverage had to be conveyed.
Manual service was cumbersome, slow and tardy. Customers had to wait in queue before
the counters extending these services to secure their turn to be attended by the dealing
staff. They had to fill up multiple forms and other printed stationery needed by the
service provider and had to remain at the premises of these Institutions for a lengthy
duration to complete their transactions.

Similarly transactions between sister branches of the same institution and the data
transmission to the head office and other controlling offices, if any, were all done
conventionally through manual process. The system was slow and tardy. It was costly, as
the banks and other institutions had to engage a large array of clerical and supervisory
manpower to carry out and later to check and re-check the accuracy of manual tasks.
Despite these lengthy steps, errors in calculations and wrong data copied or incorporated
went undetected and posed a serious problem to reconcile the accounts at fixed intervals.
The developments in information technology, the advent of the personal computer and
networking technology in the Eighties brought about partial relief. Initially the job at each
seat was computerised by stand alone personal computers. This reduced errors in
calculations and other types of data. Customers were provided error free service and were
supplied printed account statements. The enormous expansion in banking and financial
institutions in the eighties could not have withstood operational breakdown but for this
timely innovation in the work system. Still extensive manpower employment could not
be dispensed with. Overcrowding in the counters of the banking and financial institutions
continued.

It is in this context during the last decade that Internet and the concept of e-commerce
entered the scenario of global banking and financial institutions. Simultaneously
sweeping structural and functional changes were overtaking the International banking and
financial market. These are described hereunder.

Growing deregulation in national financial markets and the revolution in
telecommunication and data processing technologies resulted in the better integration of
financial markets in all countries between the domestic financial system and the foreign
banking and non-banking institutions.

The conservative era prohibiting Banks from venturing into any field other than
traditional banking gave way to a liberalized thinking that banks should be
permitted to sell products hitherto barred to them like retail lending, loans against
property and selling products like insurance benefits, mutual funds etc. Thus came the
concept of Universal Banking.

There was consequently an explosion in the growth and turnover of transactions and
number of clientele for the banks, thanks also to growing international commerce and more
and more nations joining the club of developed and fast developing nations.

The catalytic agents that enabled all this metamorphosis in banking and financial
services were the advent of the fourth generation personal computers, development of
Internet and networking technology as also the advancement in telecommunication
facilities. Global players like Citibank and GE Capital are now able to reach vast number
of clientele spread geographically in different areas through limited branches they have
set up, by skillfully reaping the benefits in Internet banking and e-commerce. The bank
employee who earlier attended to simple clerical processing and was kept outside the realm of
business policy and business planning, now has turned out to be a knowledge worker, no
longer bored with monotonous repetitive figure-calculations and duplication of records.
Productivity of employees improved by leaps and bounds and along with that the
compensation package. What is the Internet and how has it facilitated all these changes?

Internet is a network of networks. It is not a single network, but a global interconnected
network of networks providing free exchange of information. It implies the most
pragmatic use of information technology as medium of universal communication. It has
brought unprecedented changes in society. Spanning the entire globe the Net has
redefined the methods of communication, work, study, education, interaction,
entertainment, health, trade and commerce. It provides interesting services like e-mail, e-
commerce, file retrieval and other Internet tools. The influence of Internet on every
aspect of our life is immense. It has revolutionised our perception and has made us all a
part of one single "global village". It has brought about the value of knowledge and
intellectual capital as prime assets of multinational corporate business houses in the new
Information Age.

The World Wide Web, which is a part of the Net, is a collection of web pages. It contains
information that can be a combination of text, pictures and hyperlinks. The increasing
popularity of the Net is on account of the World Wide Web. The web allows easy
navigational facility. Clicking on a link can lead us to our destination. Web pages contain
multimedia applications including sound files. Web pages allow user interaction, and
subsequent data processing after user intervention and inputting his command or request.
It processes such information/request and flashes back appropriate response to the user on
the screen.

The versatile facilities and opportunities provided by the Internet and World Wide Web
led to the development of electronic commerce. This became possible when the Internet
transformed from the original system of providing static web pages, into interactive two-
way medium thanks to advancement in software technology. Electronic Commerce is a
system, which includes transactions that center on buying and selling goods and services
to directly generate revenue. Electronic commerce builds on the advantages and
structures of traditional commerce by adding the flexibility offered by electronic
networks. E-commerce helps conduct of traditional commerce through new ways of
transferring and processing information, since it is information, which is the heart of
commercial activity.

E-banking and electronically providing financial services are branches of electronic
commerce. The primary problem faced by both service providers and seekers through the
electronic media at the earlier stages was to ensure security, integrity of the transmitted &
stored data, secrecy and to prevent unscrupulous hackers interfering and manipulating
transactions. They could intercept messages from the electronic media, and get access to
sensitive data like "passwords" and credit card numbers and thereafter cause extensive
hacking of the web-sites. Extensive cases of "computer-crimes" and "computer-frauds"
happened at the earlier stage.

But every necessity serves as the mother of new innovation and invention. The problem
was quickly tackled by software engineers developing new devices like Site Security
Firewalls, Filtering Routers, Secure Sockets Layer, 128-bit encryption environment,
VeriSign Digital Certification etc. A firewall is a dedicated system designed to provide a
layer of security between corporate systems and the public Internet. Incoming network
connections can be (selectively or totally) prohibited, making it possible for users to dial
out but impossible for others to dial in. A router can filter packets of information based on
predefined rules. Secure Sockets Layer or SSL protocol provides browsers and web-
servers with three important security services - encryption, certificates and message
integrity. Integrity is the mathematical way of checking whether the message received by the
browser or server has been tampered with. Encryption solves the risk of unauthorised
persons reading the user's data as it travels around the net. The encrypted data is
scrambled so that unauthorised persons do not understand it even if they access the data.
In electronic transactions the user can encrypt a digest with a private key to create a
digital signature. These innovations cleared the barriers for the fast development of all
facets of electronic commerce.
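
The message-integrity service described above can be seen in a small added example (not part of the original text, and not the SSL wire format): each record carries a keyed digest (HMAC) over a sequence number and the payload, so the receiver detects both an altered record and a replayed one. The key, the record layout and the sample messages are constructed for illustration, and the payload is left unencrypted to keep the integrity check in view.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # length of an HMAC-SHA256 tag
SEQ_LEN = 8    # sequence number sent as an unsigned 64-bit integer


class TamperedRecord(Exception):
    """The keyed digest does not match: the record was changed in transit."""


class ReplayedRecord(Exception):
    """The record is genuine but arrives out of sequence (replay or reorder)."""


class RecordSender:
    def __init__(self, key):
        self._key = key
        self._seq = 0

    def seal(self, payload):
        header = struct.pack(">Q", self._seq)
        tag = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        self._seq += 1
        return header + payload + tag


class RecordReceiver:
    def __init__(self, key):
        self._key = key
        self._expected = 0

    def unseal(self, record):
        if len(record) < SEQ_LEN + TAG_LEN:
            raise TamperedRecord("record too short")
        header = record[:SEQ_LEN]
        payload = record[SEQ_LEN:-TAG_LEN]
        tag = record[-TAG_LEN:]
        wanted = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        # Constant-time comparison, and done before any field is trusted.
        if not hmac.compare_digest(tag, wanted):
            raise TamperedRecord("digest mismatch")
        (seq,) = struct.unpack(">Q", header)
        if seq != self._expected:
            raise ReplayedRecord(f"got record {seq}, expected {self._expected}")
        self._expected += 1
        return payload


def outcome(receiver, record):
    try:
        receiver.unseal(record)
        return "ok"
    except TamperedRecord:
        return "altered"
    except ReplayedRecord:
        return "replayed"


def demo():
    key = b"constructed-demo-key-32-bytes!!!"   # shared by both ends
    sender, receiver = RecordSender(key), RecordReceiver(key)
    first = sender.seal(b"TRANSFER 5000 FROM A/C 1001 TO A/C 2002")
    second = sender.seal(b"BALANCE ENQUIRY A/C 1001")
    forged = bytearray(second)
    forged[SEQ_LEN] ^= 0x01                     # one bit changed in transit
    return [
        outcome(receiver, first),               # genuine record
        outcome(receiver, bytes(forged)),       # altered payload
        outcome(receiver, first),               # same transfer sent again
        outcome(receiver, second),              # genuine next record
    ]


if __name__ == "__main__":
    print(demo())
```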

Internet and World Wide Web came to be extensively used in banking transactions in a
number of ways. This has provided immense benefit to the customers and ensured total
accuracy of transactions. The concept of providing services to the customers for 24 hours
per day and 7 days per week (any time, any where banking) became possible, and further
without the customer visiting the bank, but remaining at his own place before his desk-
top. Development of specialised software suited for use by banks and financial
institutions became prized options and many new products came into usage. In particular
banks and financial institutions have benefited on three broad areas as under:-

• Hoisting their web site on the world wide web to publish their corporate image on
the global level and furnish detailed information about the products, services they
offer, as also the terms and conditions thereof. If today one wants to know about
some service offered by American Express or Citibank or Standard Chartered
Bank, he need not have to visit these institutions or seek information over the
phone, he can simply surf to their respective web pages on the Internet and in case
he desires to know some additional particulars over and above what has been
stated in the site, he can get the same through e-mail.
• Total elimination of manual processing of data in terms of internal routine like
inter-branch reconciliation, monthly salary processing, posting and finalisation of
financial accounts and annual statements consolidating the transactions distributed
at several centres etc. led to labour productivity by leaps and bounds. The tasks
earlier handled by 10000 workers can now be turned out by a mere 500 to a
maximum of 1000 workers. All that the human worker has to do is to input the
primary data from control records to generate vouchers. All subsequent processes
are automated.
• Selling products to individual customers (B2C commerce) by banks, insurance
companies, stockbrokers, mutual-funds etc.
• Selling products to Corporate Customers, which may be broadly characterised as
B2B Commerce.

The World Wide Web provided a most convenient means for universal communications.
Banks and Financial Institutions hoisted their web-sites on the web and are able to provide
information about their profile, about the key persons in the management, about their
products and services, and rules and terms of service etc. Through this means the
interaction with the clientele is total. No length of newspaper advertisements or other
media publicity can surpass this mode of information transmission, since the sites are
indexed through search directories and even a person who has no inkling about the
particular Bank or Institution will be made to visualise the data, when he searches on the
appropriate subject. Thus the web serves as a constant means to introduce the
organisation concerned throughout the entire globe.

A vast organisation employing thousands of persons and operating with a geographical
spread develops enormous internal routine and administrative systems and procedures. At
a single point much of this can be computerised, but the task of inter-linking data of
different geographical units is achieved by linking the network of different
branches/geographical units through an Intranet. An Intranet is a wide area network and
works on the same methodology as the Internet, but it is restricted to specific users or
Institutions and external access is not allowed. The head office or administrative offices
are thus linked with the systems of the branches through Intranet. In this process MIS
returns for any branch can be directly compiled at the administrative office or Head
office. This also solves the recurring problem of reconciliation of inter-branch accounts.

How Internet has Changed Banking and Financial Services to Organise,
Manage Their Employees and Structure Themselves to
Effectively Control their Activities - Part: 2

Here is a sample of a few types of services typically being advertised by leading banks on
their web-sites.

Corporate Internet Banking (CIB), facilitates banking from your desk. At the click of a
mouse you can access your accounts at our Bank and also keep track of your accounts at
our various branches.

Online Banking features and benefits?

• Account Information: Real time balance information and summary of day's transaction.
• Fund Transfers: Manage your Supply-Chain network effectively by using our online
fund transfer mechanism. You can effect fund transfer on a real time basis across the
bank locations.
• Request: Make a banking request online.
• Account Information: The complete database that the bank has about your company
is available to you at your terminal. It provides you:
o Current balance in your account on real-time basis
o Day's transactions in the account
o Details of cash credit limit, drawing power, amount utilised, etc.
• Downloading of account statements as an excel or text file. The statements can be
integrated with your ERP system for auto-reconciliation.
• Fund Transfers: Manage your Supply-Chain network effectively by using our online
fund transfer mechanism. You can effect fund transfer on a real time basis across the
bank locations. The product facilitates:
o One-to-one fund transfer between two linked accounts
o Bulk fund transfers: In bulk fund transfers, you upload a flat file containing
payment/collection information. Our systems take care of processing the entire
file and once the file is processed you can integrate the processed file to your
ERP for auto reconciliation.

The real life situation of user-wise limits and multilevel signatories can be mapped in the
net-based fund transfer module too. You can specify user-wise cap for funds transfer and
the number of approvals needed for each fund transfer. The fund transfer will not take
place unless the required number of signatories has approved it.
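
The user-wise caps and approval counts described above amount to a small authorisation rule set. The sketch below is an added example, not any bank's product code: the user names, caps and amount slabs are constructed, and three rules are assumptions made for the example (the number of approvals depends on an amount slab, the initiator cannot approve his own transfer, and a signatory cannot approve an amount above his own cap).

```python
from dataclasses import dataclass, field


class Rejected(Exception):
    """The request breaks the customer's signing mandate."""


@dataclass
class Transfer:
    initiator: str
    amount: int
    needed: int                       # approvals required before execution
    approvals: set = field(default_factory=set)
    status: str = "pending"


class TransferDesk:
    def __init__(self, caps, slabs):
        self.caps = dict(caps)        # user id -> largest amount he may handle
        self.slabs = sorted(slabs)    # (upper limit, approvals needed)

    def _check_user(self, user, amount):
        if user not in self.caps:
            raise Rejected(f"{user} is not a registered signatory")
        if amount > self.caps[user]:
            raise Rejected(f"{amount} is above the cap set for {user}")

    def approvals_needed(self, amount):
        for upper, count in self.slabs:
            if amount <= upper:
                return count
        raise Rejected("amount is above every approval slab")

    def initiate(self, user, amount):
        if amount <= 0:
            raise Rejected("amount must be positive")
        self._check_user(user, amount)
        return Transfer(user, amount, self.approvals_needed(amount))

    def approve(self, transfer, user):
        if transfer.status != "pending":
            raise Rejected("transfer is no longer pending")
        self._check_user(user, transfer.amount)
        if user == transfer.initiator:
            raise Rejected("the initiator cannot approve his own transfer")
        if user in transfer.approvals:
            raise Rejected(f"{user} has already approved")
        transfer.approvals.add(user)
        if len(transfer.approvals) >= transfer.needed:
            transfer.status = "executed"   # funds move only at this point
        return transfer.status


def attempt(desk, transfer, user):
    try:
        return desk.approve(transfer, user)
    except Rejected:
        return "rejected"


def demo():
    # Constructed mandate of one corporate customer.
    desk = TransferDesk(
        caps={"clerk": 50_000, "manager": 500_000,
              "director": 5_000_000, "cfo": 5_000_000},
        slabs=[(100_000, 1), (5_000_000, 2)],
    )
    transfer = desk.initiate("manager", 400_000)    # needs two approvals
    return [
        attempt(desk, transfer, "manager"),    # own transfer
        attempt(desk, transfer, "clerk"),      # amount above clerk's cap
        attempt(desk, transfer, "director"),   # first valid approval
        attempt(desk, transfer, "director"),   # same signatory again
        attempt(desk, transfer, "cfo"),        # second valid approval
    ]


if __name__ == "__main__":
    print(demo())
```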

With a Power of Attorney from your dealers, you can link the dealer's accounts to your
account in order to have an online fund transfer, saving you time and money involved
with cheque collection systems. Alternatively, the dealer can credit your account through
this channel. Similarly, you could also effect vendor and other payments online.

Customers can also submit the following requests online :

• Registration for account statements by email on a
daily/weekly/fortnightly/monthly basis
• Stop payment of cheque
• Cheque book replenishment
• Demand Draft/Pay-order
• Opening of fixed deposit account
• Opening of Letter of credit

How does Corporate Internet Banking work?

A registered user enters his Corporate Id, User Id and password for accessing the facility.
He can view all the accounts across all the Bank's locations online as well as effect fund
transfers on real time basis within the Bank network. The fund transfers are stored in his
database at the Bank and are available to him later to integrate with his MIS.

The Security Features Embedded in the Software

Through foolproof devices total security is ensured so that hacking is not possible at the
site. Precautions in terms of firewalls, data encryption, digital certification can be used so
that no malicious or unauthenticated person is able to access the customer's account.
Additional features such as digital signatures, etc. can also be set up. Other features
include a safe password that only the particular customer or the authorised persons in the
customer's organization will know, and even the Bank employees will not have access to
the customer's password. There will be no memory caches allowed on the navigator so
that after the customer logs out another person will not be able to access by pressing the
"Back" button on the navigator. Also there is a time out for the screens. If the screen is
not used for 5 minutes, it automatically logs the viewer out from the site.
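
The two session controls just described, no cached pages and a five-minute time-out, can be sketched as follows. This is an added example, not the software the text describes: the session store, the page function and the "/login" path are hypothetical, and the time-out is enforced on the server so that a stale page or token is of no use after log-out or expiry.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 5 * 60    # the five-minute screen time-out

# Sent with every account page so the browser is told not to keep a copy.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
    "Expires": "0",
}


class SessionStore:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}      # token -> [user, time of last use]

    def login(self, user):
        token = secrets.token_urlsafe(32)    # unguessable session token
        self._sessions[token] = [user, self._clock()]
        return token

    def logout(self, token):
        # The session is destroyed on the server, not merely hidden
        # on the customer's screen.
        self._sessions.pop(token, None)

    def user_for(self, token):
        """Return the user for a live session, or None if it has ended."""
        record = self._sessions.get(token)
        if record is None:
            return None
        user, last_used = record
        now = self._clock()
        if now - last_used >= IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]        # idle too long: log the viewer out
            return None
        record[1] = now                      # activity restarts the timer
        return user


def account_page(store, token):
    """Return (status, headers, body) for a request to an account screen."""
    user = store.user_for(token)
    headers = dict(NO_STORE_HEADERS)
    if user is None:
        headers["Location"] = "/login"       # hypothetical login path
        return 302, headers, ""
    return 200, headers, f"Account summary for {user}"


def demo():
    now = [0.0]                              # constructed clock for the example
    store = SessionStore(clock=lambda: now[0])
    token = store.login("corp-user-1")
    results = []
    for t in (120.0, 419.0, 719.0, 720.0):   # the gaps are 120, 299, 300, 1 s
        now[0] = t
        results.append(account_page(store, token)[0])
    other = store.login("corp-user-2")
    store.logout(other)
    results.append(account_page(store, other)[0])   # "Back" after log-out
    return results


if __name__ == "__main__":
    print(demo())
```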

Benefits that the Customer Gets

The company does not have to spend anything extra to avail such facilities. All it requires
is an Internet connectivity. The product enables the company to pro-actively manage its
cash flows, ease reconciliation efforts as all the MIS is available at the click of the mouse.

Can the Customer Integrate the System with his Own ERP?

The customer can download the account statements either as a text file or as an excel file.
The bank can help him in integrating the account statements and bulk payment files with
his ERP system. The Bank may charge a nominal fee depending upon the nature of work
involved.

Bill Payment through Electronic Banking

Internet has thus ushered the concept of any time and anywhere banking. To the
individual the onerous task of visiting several places to settle his service bills like
telephone, water, electricity etc. can be overcome through the electronic Bill Pay service
provided by the bank. He can pay his regular monthly bills (telephone, electricity, mobile
phone, insurance etc.) right from his desktop. No more missed deadlines, no more loss of
interest - He can schedule his bills in advance, and thus avoid missing the bill deadlines
as well as earn extra interest on his money.

The Electronic Shopping Mall

The customer can also make his shopping payment through the Bank's secure website, so
that he can shop online without any security worries, as the bank can provide online real
time shopping mall services through partner shopping sites.

Effecting Personal Investments through Electronic Banking?

The bank's website can also allow the customer to invest in shares, mutual funds and
other financial products.

Trading in shares
Cash Trading:
This is a delivery based trading system, which is generally done with the intention of
taking delivery of shares or monies.

Margin Trading:
Customer can also do an intra-settlement trading normally up to 4 times his available
funds, wherein he can take long buy/ short sell positions in stocks with the intention of
squaring off the position within the same settlement cycle.

Spot Trading:
When looking at an immediate liquidity option, 'Cash on Spot' may work the best for
him. On selling shares through "cash on spot", money is credited to his bank a/c the same
evening & not on the exchange payout date. This money can then be withdrawn from any
of the Bank's ATMs.

The customer can also trade directly at the recognised stock exchanges of the country
through his bank.

Investing in Mutual funds

Electronic banking also brings the customer the same convenience while investing in
Mutual funds - Hassle free and Paperless Investing. He can invest in mutual funds
without the hassles of filling application forms or any other paperwork. He needs to
provide no signatures or proof of identity for investing.

Once he places a request for investing in a particular fund, there are no manual processes
involved. His bank funds are automatically debited or credited while simultaneously
crediting or debiting his unit holdings.

TRADE IN DERIVATIVES

FUTURES:
Through electronic banking the customer can also trade in index and stock futures on the
approved stock exchange. In futures trading, he takes buy/sell positions in index or
stock(s) contracts having a longer contract period of up to 3 months.

OPTIONS:
An option is a contract, which gives the buyer the right to buy or sell shares at a specific
price, on or before a specific date. For this, the buyer has to pay to the seller some money,
which is called premium. There is no obligation on the buyer to complete the transaction
if the price is not favorable to him.

To take the buy/sell position on index/stock options, he has to place certain %-age of
order value as margin. With options trading, he can leverage on his trading limit by taking
buy/sell positions much more than what he could have taken in cash segment.

IPOs Online

The customer could also invest in Initial Public Offers (IPOs) online without going
through the hassles of filling any application form/paperwork. He can get in-depth analyses
of new IPO issues which are about to hit the market. IPO calendar, recent IPO listings,
prospectus/offer documents, and IPO analysis are a few of the features, which help a
customer to keep on top of the IPO markets.

There can be no end to the variety of services that can be provided through the electronic
channel by banks and financial institutions. Every Institution is trying constantly to
innovate and offer new products to woo the customer. The benefit to the customer on
account of the Internet is that he is able to see at one time the types of facilities being
provided by different Institutions and he is able to make the best choice suited for his
needs.

The benefit to the employee is equally amazing. From being earlier a dumb worker filling
up forms and copying from books, he is now a regular service provider and one who directly
cares for the customer. Earlier he was dealing with a particular process, but today he
handles customers' demands, which are functions for the bank/financial institution. In
turn the knowledge resources required of him have grown and he is able to secure the same
through better training and other organisational development programmes like organising
work groups and functional teams, where persons with different skills and qualifications
pool their knowledge and carry out high-tech services and operations.

Project on Internet Banking - Report of RBI Working Group


Formation of The Working Group & its Terms of Reference

With the popularity of PCs, easy access to Internet and World Wide Web (WWW),
Internet is increasingly used by banks as a channel for receiving instructions and
delivering their products and services to their customers. This form of banking is
generally referred to as Internet Banking, although the range of products and services
offered by different banks vary widely both in their content and sophistication.

Different Levels at Which Internet could be Used in Banking Services

Broadly, the levels of banking services offered through the Internet can be categorized
into three types:

i. The Basic Level Service is the banks’ websites which disseminate information on
different products and services offered to customers and members of public in
general. It may receive and reply to customers’ queries through e-mail.
ii. In the next level are Simple Transactional Websites which allow customers to
submit their instructions, applications for different services, queries on their
account balances, etc., but do not permit any fund-based transactions on their
accounts.
iii. The third level of Internet banking services are offered by Fully Transactional
Websites which allow the customers to operate on their accounts for transfer of
funds, payment of different bills, subscribing to other products of the bank and to
transact purchase and sale of securities, etc.

The above forms of Internet banking services are offered by traditional banks, as an
additional method of serving the customer or by new banks, who deliver banking services
primarily through Internet or other electronic delivery channels as the value added
services. Some of these banks are known as ‘virtual’ banks or ‘Internet-only’ banks and
may not have any physical presence in a country despite offering different banking
services.

From the perspective of banking products and services being offered through Internet,
Internet banking is nothing more than traditional banking services delivered through an
electronic communication backbone, viz, Internet. But, in the process it has thrown open
issues which have ramifications beyond what a new delivery channel would normally
envisage and, hence, has compelled regulators world over to take note of this emerging
channel. Some of the distinctive features of i-banking are:

• It removes the traditional geographical barriers as it could reach out to customers
of different countries / legal jurisdiction. This has raised the question of
jurisdiction of law / supervisory system to which such transactions should be
subjected,
• It has added a new dimension to different kinds of risks traditionally associated
with banking, heightening some of them and throwing new risk control
challenges,
• Security of banking transactions, validity of electronic contract, customers’
privacy, etc., which have all along been concerns of both bankers and supervisors
have assumed different dimensions given that Internet is a public domain, not
subject to control by any single authority or group of users,
• It poses a strategic risk of loss of business to those banks who do not respond in
time, to this new technology, being the efficient and cost effective delivery
mechanism of banking services,
• A new form of competition has emerged both from the existing players and new
players of the market who are not strictly banks.

The Regulatory and Supervisory concerns in i-banking arise mainly out of the distinctive
features outlined above. These concerns can be addressed under three broad
categories, viz.

i. Legal and regulatory issues,
ii. Security and technology issues and
iii. Supervisory and operational issues.

Legal issues cover those relating to the jurisdiction of law, validity of electronic contract
including the question of repudiation, gaps in the legal / regulatory environment for
electronic commerce. On the question of jurisdiction the issue is whether to apply the law
of the area where access to Internet has been made or where the transaction has finally
taken place. Allied to this is the question where the income has been generated and who
should tax such income. There are still no definite answers to these issues.

Security of i-banking transactions is one of the most important areas of concern to the
regulators. Security issues include questions of adopting internationally accepted
state-of-the-art minimum technology standards for access control, encryption / decryption
(minimum key length etc.), firewalls, verification of digital signature, Public Key
Infrastructure (PKI) etc. The regulator is equally concerned about the security policy for
the banking industry, security awareness and education.

The supervisory and operational issues include risk control measures, advance warning
system, Information technology audit and re-engineering of operational procedures. The
regulator would also be concerned with whether the nature of products and services
offered are within the regulatory framework and whether the transactions do not
camouflage money-laundering operations.

The world over, central bankers and regulators have been addressing themselves to meet
the new challenges thrown open by this form of banking. Several studies have pointed to
the fact that the cost of delivery of banking service through Internet is several times less
than the traditional delivery methods. This alone is enough reason for banks to flock to
Internet and to deliver more and more of their services through Internet and as soon as
possible. Not adopting this new technology in time has the risk of banks getting edged
out of competition. In such a scenario, the thrust of regulatory thinking has been to ensure
that while the banks remain efficient and cost effective, they must be aware of the risks
involved and have proper built-in safeguards, machinery and systems to manage the
emerging risks. It is not enough for banks to have systems in place, but the systems must
be constantly upgraded to changing and well-tested technologies, which is a much bigger
challenge. The other aspect is to provide a conducive regulatory environment for orderly
growth of such form of banking. Central Banks of many countries have put in place a broad
regulatory framework for i-banking.

In India too, i-banking has taken root. A number of banks have set up banking portals
allowing their customers to access facilities like obtaining information, querying on their
accounts, etc. Soon, a still higher level of online services will be made available. Other
banks will, sooner rather than later, take to Internet banking.

In the above background Reserve Bank of India constituted a Working Group to examine
different issues relating to i-banking and recommend technology, security, legal standards
and operational standards keeping in view the international best practices. The Group is
headed by the Chief General Manager–in–Charge of the Department of Information
Technology and comprised experts from the fields of banking regulation and supervision,
commercial banking, law and technology. The Bank also constituted an Operational
Group under its Executive Director comprising officers from different disciplines in the
bank, who would guide implementation of the recommendations.

The Working Group, as its terms of reference, was to examine different aspects of
Internet banking from regulatory and supervisory perspective and recommend
appropriate standards for adoption in India, particularly with reference to the following:

1. Risks to the organization and banking system, associated with Internet banking
and methods of adopting International best practices for managing such risks.
2. Identifying gaps in supervisory and legal framework with reference to the existing
banking and financial regulations, IT regulations, tax laws, depositor protection,
consumer protection, criminal laws, money laundering and other cross border
issues and suggesting improvements in them.
3. Identifying international best practices on operational and internal control issues,
and suggesting suitable ways for adopting the same in India.
4. Recommending minimum technology and security standards, in conformity with
international standards and addressing issues like system vulnerability, digital
signature, information system audit etc.
5. Clearing and settlement arrangement for electronic banking and electronic money
transfer; linkages between i-banking and e-commerce.
6. Any other matter, which the Working Group may think as of relevance to Internet
banking in India.

The first meeting of the Working Group was held on July 19, 2000. The Group held that
i-banking did not mean any basic change in the nature of banking and the associated risks
and returns. All the same, being a public domain and a highly cost effective delivery
channel, it does impact both the dimension and magnitude of traditional banking risks. In
fact, it adds new kinds of risk to banking. Some of the concerns of the Regulatory
Authority in i-banking relate to technology standards including the level of security and
uncertainties of legal jurisdiction etc. Its cost effective character provides opportunities
for efficient delivery of banking services and higher profitability and a threat to those
who fail to harness it.

The Group decided to focus on the above three major areas, where supervisory attention was
needed. Accordingly, three sub-groups were formed for looking into three specific areas:

i. technology and security aspects,
ii. legal aspects and
iii. regulatory and supervisory issues.

The Working Group had a number of deliberations. The views of the Group were
crystallized in its report, which covers the following by way of its contents:

i. The basic structure of Internet and its characteristics.
ii. International experience in i-banking, particularly with reference to USA, United
Kingdom and other Scandinavian countries, who are pioneers in this form of
banking.
iii. The Indian scenario with reference to i-banking.
iv. Different types of risks associated with banking in general and i-banking in
particular. Emphasis is given to normal risks associated with banking which get
accentuated when the services are delivered through Internet. Risks relating to
money laundering and other cross border transactions are discussed.
v. Technology and security standards are discussed with emphasis on policy issues
rather than on products and technical tools.
vi. The legal environment in which i-banking transactions are carried out is an
important regulatory concern. The group has identified gaps in the existing
framework and has suggested the changes required.
vii. Operational aspects like internal control, early detection system, IT audit,
technical manpower, etc. are also discussed, along with the impact of i-banking
on clearing and settlement arrangements.
viii. The specific recommendations of the group were given at the end of the report.

Internet Banking - a New Medium

Internet – its basic structure and topology

Internet is a vast network of individual computers and computer networks connected to
and communicating with each other using the same communication protocol – TCP/IP
(Transmission Control Protocol / Internet Protocol). When two or more computers are
connected a network is created; connecting two or more networks creates an ‘inter-network’
or Internet. The Internet, as commonly understood, is the largest example of such a
system. Internet is often and aptly described as ‘Information Superhighway’, a means to
reach innumerable potential destinations. The destination can be any one of the connected
networks and host computers.

Internet has evolved to its present state out of a US Department of Defence project
ARPANet (Advanced Research Project Administration Network), developed in the late
1960s and early 1970s as an experiment in wide area networking. A major perceived
advantage of ARPANet was that the network would continue to operate even if a segment
of it is lost or destroyed since its operation did not depend on operation of any single
computer. Though originally designed as a defence network, over the years it was used
predominantly in areas of scientific research and communication. By the 1980s, it moved
out of Pentagon’s control and more independent networks from US and outside got
connected to it. In 1986, the US National Science Foundation (NSF) established a
national network based on ARPA protocol using commercial telephone lines for
connectivity. The NSFNet was accessible by a much larger scientific community,
commercial networks and general users and the number of host computers grew rapidly.
Eventually, NSFNet became the framework of today’s Internet. ARPANet was officially
decommissioned in 1990.

It has become possible for innumerable computers operating on different platforms to
communicate with each other over Internet because they adopt the same communication
protocol, viz, TCP/IP. The latter, which stands for ‘Transmission Control Protocol /
Internet Protocol’, is a set of rules which define how computers communicate with each
other. In order to access Internet one must have an account in a host computer, set up by
any one of the ISPs (Internet Service Providers). The accounts can be SLIP (Serial Line
Internet Protocol) or PPP (Point to Point Protocol) account. These accounts allow
creating temporary TCP/IP sessions with the host, thereby allowing the computer to join
the Internet and directly establish communication with any other computer in the Internet.
Through this type of connection, the client computer does not merely act as a remote
terminal of the host, but can run whatever programs are available on the web. It can also
run several programs simultaneously, subject to limitations of speed and memory of the
client computer and modem. TCP/IP protocol uses a unique addressing scheme through
which each computer on the network is identified.

TCP/IP is insecure because data packets flowing through TCP/IP networks are
not normally encrypted. Thus, anyone who intercepts communication between two
machines will have a clear view of the data, passwords and the like. This has been
addressed through Secure Sockets Layer (SSL), a Transport Layer Security (TLS) system
which involves an encrypted session between the client browser and the web server.

FTP or File Transfer Protocol is a mechanism for transferring files between computers on
the Internet. It is possible to transfer a file to and from a computer (ftp site) without
having an account in that machine. Any organization intending to make available to
public its documents would normally set up a ftp site from which any one can access the
documents for download. Certain ftp sites are available to validated users with an account
ID and password.

e-mail: The most common and basic use of Internet is the exchange of e-mail (electronic
mail). It is an extremely powerful and revolutionary result of Internet, which has
facilitated almost instantaneous communication with people in any part of the globe.
With enhancements like attachment of documents, audio, video and voice mail, this
segment of Internet is fast expanding as the most used communication medium for the
whole world. Many websites offer e-mail as a free facility to individuals. Many
corporates have interfaced their private networks with Internet in order to make their e-
mail accessible from outside their corporate network.

World Wide Web (WWW)

Internet encompasses any electronic communication between computers using TCP/IP
protocol, such as e-mail, file transfers etc. WWW is a segment of Internet, which uses
Hyper Text Markup Language (HTML) to link together files containing text, rich text,
sound, graphics, video etc. and offers a very convenient means of navigating through the
net. It uses hypertext transfer protocol (HTTP) for communication between computers.
Web documents, which are referred to as pages, can contain links to other related
documents and so on, in a tree like structure. The person browsing one document can
access any other linked page. The web documents and the web browsers which are the
application programs to access them, are designed to be platform independent. Thus any
web document can be accessed irrespective of the platform of the computer accessing the
document and that of the host computer. The programming capabilities and platform
independence of Java and Java applets have further enriched the web. The ‘point and
click’ method of browsing is extremely simple for any lay user of the net. In fact, the
introduction of web since early 1990 has made Internet an extremely popular medium
and its use in business has been enhanced dramatically.

The next in the HTML genre is the Extensible Markup Language (XML), which allows
automated two-way information flow between data stores and browser screens. XML
documents provide both the raw content of data and the data structure and are projected by
their proponents as taking the web technology beyond the limits of HTML.

Wireless Application Protocol (WAP):

WAP is the latest industry standard which provides wireless access to Internet through
handheld devices like a cellular telephone. This is an open standard promoted by the WAP
Forum and has been adopted by all the world’s major handset manufacturers. WAP is
supplemented by Wireless Application Environment (WAE), which provides an industry-wide
standard for developing applications and services for wireless communication
networks. This is based on WWW technology and provides for applications for small
screens, with interactive capabilities and adequate security. Wireless Transaction Protocol
(WTP), which is the equivalent of TCP, sets the communication rules and Wireless
Transport Layer Security (WTLS) provides the required security by encrypting all the
session data. WAP is set to revolutionize the commercial use of the net.

Security

One of the biggest attractions of Internet as an electronic medium is its openness and
freedom. It is a public domain and there is no restriction on who can use it as long as one
adheres to its technical parameters. This has also given rise to concerns over the security
of data and information transfer and privacy. These concerns are common to any network
including closed user group networks. But over the Internet, the dimensions of risk are
larger while the control measures are relatively fewer. These issues are discussed in detail
in Chapter–5 and Chapter–6 of the report. It will be sufficient to say here that the key
components of such concern are, (i) authentication, viz., assurance of identity of the
person in a deal, (ii) authorization, viz., a party doing a transaction is authorized to do so,
(iii) the privacy or confidentiality of data, information relating to any deal, (iv) data
integrity, viz., assurance that the data has not been altered and (v) non repudiation, viz., a
party to the deal can not deny that it originated the communication or data.
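
Properties (iv) and (v) above are easy to conflate, so the following added example (not part of the report) contrasts them in Python: a shared-key HMAC detects alteration of a payment order but cannot give non-repudiation because the bank holds the same key, while a signature checked against a public key can. It assumes a Lamport one-time signature built from SHA-256 as a standard-library stand-in for the PKI signatures the report refers to; the payment order and account labels are constructed, and each Lamport key pair may sign one message only.

```python
import hashlib
import hmac
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(message: bytes):
    """Yield the 256 bits of SHA-256(message), most significant bit first."""
    for byte in sha256(message):
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


# --- Data integrity with a shared secret (customer and bank hold the same key) ---
def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, message), tag)


# --- Non-repudiation with a signature (only the customer holds the private key) ---
# Lamport one-time signature: an assumption made for this example so that it needs
# no third-party library. A key pair must never sign more than one message.
def lamport_keygen():
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(sha256(zero), sha256(one)) for zero, one in private]
    return private, public


def lamport_sign(private, message: bytes):
    # Reveal one secret per digest bit: the first of the pair for 0, the second for 1.
    return [private[i][bit] for i, bit in enumerate(digest_bits(message))]


def lamport_verify(public, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(message)):
        ok &= hmac.compare_digest(sha256(signature[i]), public[i][bit])
    return ok


def demo():
    # Constructed sample payment order; the account labels are placeholders.
    order = b"PAY INR 50000 FROM ACCT-SAMPLE-001 TO ACCT-SAMPLE-002"
    altered = order.replace(b"50000", b"90000")

    shared_key = secrets.token_bytes(32)          # known to customer AND bank
    tag = mac_tag(shared_key, order)
    bank_made_tag = mac_tag(shared_key, altered)  # the bank can compute this too

    private, public = lamport_keygen()            # private key stays with the customer
    signature = lamport_sign(private, order)

    return {
        # (iv) integrity: an altered order no longer matches the original tag
        "mac_detects_tampering": not mac_verify(shared_key, altered, tag),
        # no (v): any holder of the shared key can tag any order, so a valid tag
        # does not prove which party originated it
        "mac_forgeable_by_key_holder": mac_verify(shared_key, altered, bank_made_tag),
        # (v) non-repudiation: verification needs only the public key
        "signature_valid": lamport_verify(public, order, signature),
        "signature_detects_tampering": not lamport_verify(public, altered, signature),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
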

E-Commerce

Even though it started as a network primarily for use by researchers in the defence and
scientific community, with the introduction of WWW in the early 1990s, use of Internet for
commerce has grown tremendously. E-commerce involves individuals and business organizations
exchanging business information and instructions over electronic media using computers,
telephones and other telecommunication equipment. Such a form of doing business has
been in existence ever since the electronic mode of data / information exchange was
developed, but its scope was limited only as a medium of exchange of information
between entities with a pre-established contractual relationship. However, Internet has
changed the approach to e-commerce; it is no longer the same business with an additional
channel for information exchange, but one with new strategy and models.

A business model generally focuses on -

i. where the business operates, that is, the market, the competitors and the customers,
ii. what it sells, that is, its products and services,
iii. the channels of distribution, that is, the medium for sale and distribution of its
products and
iv. the sources of revenue and expenditure and how these are affected.

Internet has influenced all the four components of business model and thus has come to
influence the business strategy in a profound way. The size of the market has grown
enormously as technically, one can access the products and services from any part of the
world. So does the potential competition. The methods of reaching out to customers,
receiving the response and offering services have a new, simpler and efficient alternative,
now, that is, Internet. The cost of advertisement, offer and delivery of services through
Internet has reduced considerably, forcing most companies to rework their strategies to
remain in competition.

A research note by Paul Timmers of the European Commission had identified eleven business
models, which have been commercially implemented. These are e-shop, e-procurement,
e-auction, e-mall, Third-party market place, Virtual communities, Value chain service
providers, Value chain integrators, Collaboration platforms and Information brokers. He
classified business models along two dimensions, i.e, degree of innovation and extent of
integration of functions. The innovation ranged from the electronic version of a
traditional way of doing business (e-shop) to more innovative ways by offering functions
that did not exist before. The second dimension, i.e, extent of integration ranges from a
single function business model (like e-shop) to fully integrated functionality (value chain
integrator). In the top end of the graph are models, which cannot be implemented in a
traditional way and are critically dependent upon information technology and creating
value from information flow. Business models, in between these two limits are a
combination of both dimensions in different degrees and have some degree of analogy in
traditional firms.

There are two types of e-commerce ventures in operation: the old brick and mortar
companies, who have adopted electronic medium, particularly Internet, to enhance their
existing products and services, and / or to offer new products and services and the pure e-
ventures who have no visible physical presence. This difference has wider ramifications
than mere visibility when it comes to issues like customer’s trust, brand equity, ability to
service the customers, adopting new business culture and cost. These aspects of e-
commerce will be touched upon in the following discussions.

Another way of classifying the e-commerce is by the targeted counterpart of a business,
viz, whether the counterpart is a final consumer or another business in the distribution
chain. Accordingly, the two broad categories are: Business-to-Consumer (B2C) and
Business-to-Business (B2B).

Business-to-Consumers (B2C):

In the B2C category are included single e-shops, shopping malls, e-broking, e-auction, e-
banking, service providers like travel related services, financial services etc., education,
entertainment and any other form of business targeted at the final consumer. Some of the
features, opportunities and concerns common to this category of business irrespective of
the business segment, are the following.

Opportunities

Internet provides an ever-growing market both in terms of number of potential customers
and geographical reach. Technological development has made access to Internet both
cheaper and faster. More and more people across the globe are accessing the net either
through PCs or other devices. The purchasing power and need for quality service of this
segment of consumers are considerable. Anybody accessing Internet is a potential
customer irrespective of his or her location. Thus, any business targeting final consumers
cannot ignore the business potential of Internet.

Internet offers a unique opportunity to register business presence in a global market. Its
effectiveness in disseminating information about one’s business at a relatively cost
effective manner is tremendous. Time sensitive information can be updated faster than
any other media. A properly designed website can convey a more accurate and focussed
image of a product or service than any other media. Use of multimedia capabilities, i.e.,
sound, picture, movies etc., has made Internet an ideal medium for information
dissemination. However, help of other media is necessary to draw the potential customers
to the web site.

The quality of service is a key feature of any e-commerce venture. The ability to sell
one’s product at anytime and anywhere to the satisfaction of customers is essential for e-
business to succeed. Internet offers such opportunity, since the business presence is not
restricted by time zone and geographical limitations. Replying to customers’ queries
through e-mail, setting up FAQ (Frequently Asked Questions) pages for anticipated
queries, offering an interactive help line, accepting customers’ complaints online 24 hours a
day and attending to the same, etc. are some of the features of e-business which enhance
the quality of service to the customers. It is of crucial importance for an e-venture to
realize that just as it is easier to approach a customer through Internet, it is equally easy to
lose him. The customer has the same facility to move over to another site.

Cost is an important issue in an e-venture. It is generally accepted that the cost of
overhead, servicing and distribution, etc. through Internet is less compared to the
traditional way of doing business. Although the magnitude of difference varies depending
on the type of business and the estimates made, there is unanimity that Internet
provides a substantial cost advantage and this, in fact, is one of the major driving forces
for more traditional businesses adopting e-commerce and for pure e-commerce
firms to sprout.

Cost of communication through WWW is the least compared to any other medium. Many
a time one’s presence on the web may bring in international enquiries, which the business
might not have targeted. The business should have proper plans to address such
opportunities.

Concerns

There are a number of obstacles, which an e-commerce venture needs to overcome. Trust
of customers in a web venture is an important concern. Many customers hesitate to deal
with a web venture as they are not sure of the type of products and services they will
receive. This is particularly true in a B2C venture like e-shop, e-mall or e-auction site.
Traditional business with well established brands and goodwill and having a physical
presence face less resistance from customers in this regard than a pure e-venture.

Many B2C ventures have ultimately to deliver a product or service in physical form to
the customer for a deal contracted through Internet. This needs proper logistics, an
efficient distribution network, and control over quality of product or service delivered.
These issues are not technology related and any let-up in this area can drive the customer
away to the competitor or from e-commerce.

The privacy of information on the customer’s preferences, credit card and bank account
details etc. and customers’ faith in a system where such privacy is stated to be ensured are
important issues to be addressed. These are mainly technological issues, but human factor
is important both at the business and at the customers’ end and also in building the trust in
the system.

Security of a transaction, authenticity of a deal, identification of a customer etc. are
important technological and systems issues, which are major sources of concern to
e-commerce. Equally important are questions of repudiation of a deal, applicability of law,
jurisdiction of tax laws etc. These are important to all forms of e-commerce, whether
B2C or B2B and all segments of business, i.e, manufacturing, services and finance and
are addressed in different chapters of this report.

Accessibility to Internet by the consumers is an important issue in B2C domain. This is
particularly so in countries like India where penetration of PCs and other devices to
households for access to Internet is minimal. Also important are availability of bandwidth
and other infrastructure for faster and easier access. Considering that e-commerce aims at
global market, deficiencies of these kinds in the developing world are no longer concerns
confined to these areas, but are global e-commerce concerns.

Internet Banking - a New Medium Part: II

Business to Business (B2B)

As opposed to B2C e-commerce, in B2B domain, the parties to a deal are at different
points of the product supply chain. Typically, in a B2B type domain, a company, its
suppliers, dealers and bankers to all the parties are networked to finalize and settle all
aspects of a deal, online. Perhaps, only the goods in different stages of processing
physically move from the supplier to the dealer. This scenario can be extended to include
the shipper, providers of different ancillary services, IT service provider and the payment
system gateway, etc., depending on the degree of sophistication of the available systems.

Another important feature of a B2B domain, as distinct from B2C, is that business
information / data is integrated to the back office systems of parties to a deal and the state
of straight through processing (STP) or near STP is achieved. This is a very significant
aspect of B2B model of e-commerce, which results in improved profits through lowering
cost and reducing inventories.

For example, in a B2B environment, typically, the back office system of a company
controls inventory requirement with reference to the order book position updated
regularly on the basis of orders received from dealers through Internet. At the optimum
level of inventory it raises a purchase order with the supplier, whose system in turn,
processes the order and confirms supply. Buyer company’s system issues debit
instructions on its bank account for payment to the supplier. The buyer’s bank credits
seller’s bank with the cost of sale through a payment gateway or through RTGS system.
Similar series of transaction processes are also initiated between the company and its
dealers and their respective banks. Once e-commerce relationship is established between
the firms, the transactions of the type shown above can be processed with minimal human
intervention and on a 24 hours a day, 7 days a week basis.

New business models are emerging in B2B domain. There are portals which offer a
meeting ground to buyers and sellers of different products in supply chain, more like a
buyer-seller meet in international business. This has enabled relatively smaller companies
to enter the global market. Banks in the portal offer financial services for deals settled
through the portal.

Technology and networking are important constituents of a B2B type of business domain.
Earlier, only large firms could have access to such technology and they used private
networks with interface to each other for information flow and transaction processing. A
major concern used to be compatibility of EDI platforms across different B2B partners.
Internet with WWW and other standard technology have offered opportunity to relatively
smaller and medium sized firms to integrate their operations in B2B model and take
advantage of the benefits it offers. It has also led to standardization of software platforms.

Other new forms of business models in B2B domain are Application Service Providers
(ASP) and Service Integrators. ASPs offer application software online to e-commerce
companies who pay for the same according to the use without owning it. Often entire
back office processing is taken care of by ASPs and other service integrators. However,
the utility of such service providers will to a large extent depend on the business strategy
of the e-venture.

The concerns of B2B e-commerce are similar to those of B2C, discussed earlier. The
security issues are more pronounced because of high value transfers taking place through
the net. So also are the issues relating to privacy of information, law, tax, repudiation, etc.
The other issues of importance to a B2B firm are the choice of appropriate technology,
the issue of build or outsource, maintenance and training of personnel, etc., since they
involve large investments and are critical to success.

Several studies have attempted to assess the relative importance of B2B and B2C
business domains. There is wide difference in estimates of volume of business transacted
over Internet and its components under B2C and B2B. However, most studies agree that
volume of transactions in B2B domain far exceeds that in B2C. This is an expected result.
There is also a growing opinion that the future of e-business lies in B2B domain, as
compared to B2C. This has several reasons some of which are already discussed earlier,
like low penetration of PCs to households, low bandwidth availability etc., in a large part
of the world. The success of B2C ventures depends to a large extent on the shopping
habits of people in different parts of the world. A survey sponsored jointly by
Confederation of Indian Industries and Infrastructure Leasing and Financial Services on
e-commerce in India in 1999 made the following observations. 62% of PC owners and
75% of PC non-owners but who have access to Internet would not buy through the net, as
they were not sure of the product offered. The same study estimated the size of B2B
business in India by the year 2001 to be varying between Rs. 250 billion to Rs. 500
billion. In a recent study done by Arthur Andersen, it has been estimated that 84% of total
e-business revenue is generated from B2B segment and the growth prospects in this
segment are substantial. It has estimated the revenues to be anywhere between US $ 2.7
trillion to over US $ 7 trillion within the next three years (2003).

The Growth of Internet Banking and common products

Internet Banking is a product of e-commerce in the field of banking and financial
services. In what can be described as B2C domain for banking industry, Internet Banking
offers different online services like balance enquiry, requests for cheque books, recording
stop-payment instructions, balance transfer instructions, account opening and other forms
of traditional banking services. Mostly, these are traditional services offered through
Internet as a new delivery channel. Banks are also offering payment services on behalf of
their customers who shop in different e-shops, e-malls etc. Further, different banks have
different levels of such services offered, starting from level-1 where only information is
disseminated through Internet to level-3 where online transactions are put through. These
aspects have been dealt with in brief in the introductory chapter (title page) and again
detailed products and services are discussed in subsequent articles. Hence, in the
following paragraphs I-banking concerns in B2B domain are discussed.

Considering the volume of business e-commerce, particularly in B2B domain, has been
generating, it is natural that banking would position itself in an intermediary role in
settling the transactions and offering other trade related services. This is true both in
respect of B2C and B2B domains. Besides the traditional role of financial intermediary
and settlement agents, banks have also exploited new opportunities offered by Internet in
the fields of integrated service providers, payment gateway services, etc. However, the
process is still evolving and banks are repositioning themselves based on new emerging
e-commerce business models.

In B2B scenario, a new form of e-commerce market place is emerging where various
players in the production and distribution chain are positioning themselves and are
achieving a kind of integration in business information flow and processing (STP or near
STP) leading to efficiencies in the entire supply chain and across industries. Banks are
positioning themselves in such a market in order to be a part of the financial settlements
arising out of transactions of this market and providing wholesale financial services. This
needs integration of business information flow not only across the players in the supply
chain, but with the banks as well.

With the integration of business information flow and higher degree of transparency, the
banks and other financial services institutions have lost some of the information
advantage they used to enjoy and factor in to pricing of their products. However, such
institutions have the advantage of long standing relationships, goodwill and brand, which
are important sources of assurance in a virtual market. Banks are in fact, converting this
goodwill into a business component in e-commerce scenario in providing settlement and
other financial services. Some banks have also moved to providing digital certificates for
transactions through e-markets.

Banks’ strategies in B2B market are responses to different business models emerging in
e-commerce. A recent study by Arthur Andersen shows that banks and financial service
institutions generally adopt one of three business models to respond to e-business
challenges. In the first place, they treat it as an extension of existing business without any
significant changes other than procedural and what technology demands. The second
strategy takes the same approach as the first but introduces structural changes to the
underlying business. In the third approach banks launch e-business platform as a different
business from the existing core business and as a different brand of product. There is no
definite answer as to which approach is appropriate. Perhaps it depends on the type of
market the bank is operating, its existing competencies and the legal and regulatory
environment. It is, however, sure that e-banking is evolving beyond the traditional limits
of banking and many new products / services are likely to emerge as e-commerce matures.

Project on Internet Banking - Report of RBI Working Group


Internet Banking - International Experience

Global Experience - The Gist in a Nutshell

World over, electronic banking is making rapid strides due to evolving
communication technology. Penetration of Internet banking is increasing in
most countries. Wireless Application Protocol (WAP) is an emerging service
which banks worldwide are also offering. The stiff competition in this area
exposes banks to substantial risks. The need is being felt overseas that
transparency and disclosure requirements should be met by the e-banking
community. While existing regulations and legislations applicable to traditional
banking are being extended to banks’ Internet banking and electronic banking
services, it is recognized that Internet security, customer authentication and
other issues such as technology outsourcing pose unique risks. Central Banks
worldwide are addressing such issues with focused attention. Special
legislations and regulations are being framed by the regulators and supervisors
for proper management of the different types of risks posed by these services.
The reliance on outsourcing is an area where overseas regulators and
supervisors are focusing their attention, with banks having to regularly review
and test business continuity, recovery and incident response plans in order to
maintain their reputation of trust. Consumer protection and data privacy are
areas which assume great significance when banking transactions are carried
over a medium as insecure as the Internet. Many countries are looking at
special consumer protection/data privacy legislation for an e-commerce
environment. The presence of ‘virtual banks’ or ‘Internet only banks’ and the
licensing requirements required for such entities are also areas which are being
looked into by overseas authorities. There has also been co-operation among
the regulators and supervisors to meet the challenges of ‘virtual’ cross border e-
banking, particularly in the light of the possibility of increased money
laundering activities through the medium of Internet. Internet banking is
universally seen as a welcome development, and efforts are being made to put
in place systems to manage and control the risks involved without restricting
this service.

Internet banking has presented regulators and supervisors worldwide with new
challenges. The Internet, by its very nature, reaches across borders and is, for this reason,
engaging the attention of regulatory and supervisory authorities all over the world. The
experience of various countries, as far as Internet banking is concerned, is outlined in this
and the next articles.

USA

In the USA, the number of thrift institutions and commercial banks with transactional
web-sites is 1275 or 12% of all banks and thrifts. Approximately 78% of all commercial
banks with more than $5 billion in assets, 43% of banks with $500 million to $5 billion in
assets, and 10% of banks under $ 500 million in assets have transactional web-sites. Of
the 1275 thrifts/commercial banks offering transactional Internet banking, 7 could be
considered ‘virtual banks’. 10 traditional banks have established Internet branches or
divisions that operate under a unique brand name. Several new business processes and
technological advances such as Electronic Bill Presentment and Payment (EBPP),
handheld access devices such as Personal Digital Assistants (PDAs), Internet Telephone
and Wireless Communication channels and phones are emerging in the US market. A few
banks have become Internet Service Providers (ISPs), and banks may become Internet
portal sites and online service providers in the near future. Reliance on third party
vendors is a common feature of electronic banking ventures of all sizes and degrees of
sophistication in the US. Currently, payments made over the Internet are almost
exclusively conducted through existing payment instruments and networks. For retail e-
commerce in the US, most payments made over the Internet are currently completed with
credit cards and are cleared and settled through existing credit card clearing and
settlement systems. Efforts are under way to make it easier to use debit cards, cheques
and the Automated Clearing House (ACH) to make payments over the Internet. Versions
of e-money, smart cards, e-cheques and other innovations are being experimented with to
support retail payments over the Internet.

There is a matrix of legislation and regulations within the US that specifically codifies the
use of and rights associated with the Internet and e-commerce in general, and electronic
banking and Internet banking activities in particular. Federal and state laws, regulations,
and court decisions, and self-regulation among industry groups provide the legal and
operational framework for Internet commerce and banking in the USA. The international
model laws promulgated by the United Nations Commission on International Trade Law
(UNCITRAL) provide the guidance to the member nations on the necessity for revising
existing legal structures to accommodate electronic transactions. Some important laws of
general application to commercial activity over the Internet within the US are the
Uniform Commercial Code (UCC), the Uniform Electronic Transaction Act (UETA)
(which provides that electronic documents and contracts should not be disqualified as
legal documents particularly because of their electronic form), various state laws and
regulations on digital signatures and national encryption standards and export regulations.
Many states already have digital signature and other legislation to enable e-commerce.
State laws in this area differ but the trend is towards creating legislation, which is
technology neutral. The E-sign Act, a new US law that took effect on October 1, 2000,
validates contracts concluded by electronic signatures and equates them to those signed
with ink on paper. Under the Act, electronic signatures using touch-tones (on a
telephone), retinal scans and voice recognition are also acceptable ways of entering into
agreements. The E-sign Act takes a technology-neutral approach and does not favor the
use of any particular technology to validate an electronic document. The Act however
does not address issues relating to which US state’s laws would govern an online
transaction and which state’s code would have jurisdiction over a dispute.

The Gramm-Leach-Bliley (GLB) Act has substantially eased restrictions on the ability
of banks to provide other financial services. It has established new rules for the protection
of consumer financial information. The Inter-agency Statement on Electronic Financial
Services and Consumer Compliance (July 1998) addresses consumer protection laws and
describes how they can be met in the context of electronic delivery. In addition, the
Federal Reserve Board has issued a request for comment on revised proposals that would
permit electronic delivery of federally mandated disclosures under the five consumer
protection regulations of the FRB (Regulations B, DD, E, M & Z).

The Interpretive Ruling of the Office of the Comptroller of Currency (OCC) authorizes a
national bank to ‘perform, provide or deliver through electronic means and facilities any
activity, functions, product or service that it is otherwise authorized to perform, provide
or deliver’. The concerns of the Federal Reserve are limited to ensuring that Internet
banking and other electronic banking services are implemented with proper attention to
security, the safety and soundness of the bank, and the protection of the banks’ customers.
Currently, all banks, whether they are ‘Internet only’ or traditional banks must apply for a
charter according to existing guidelines. The five federal agencies - Federal Deposit
Insurance Corporation (FDIC), Federal Reserve System (FRS), Office of the Comptroller
of Currency (OCC), Office of Thrift Supervision (OTS) and the National Credit Union
Association (NCUA) supervise more than 20,000 institutions. In addition, each state has
a supervisory agency for the banks that it charters. Most financial institutions in the US
face no prerequisite conditions or notification requirements for an existing banking
institution to begin electronic banking activities. For these banks, supervisors gather
information on electronic banking during routine annual examination. Newly chartered
Internet banks are subject to the standard chartering procedures. For thrift institutions,
however, OTS has instituted a 30-day advance notification requirement for thrift
institutions that plan to establish a transactional web site. A few State banking
departments have instituted a similar notification requirement for transactional Internet
banking web sites.

Supervisory policy, licensing, legal requirements and consumer protection are generally
similar for electronic banking and traditional banking activities. Internet banks are also
subject to the same rules, regulations and policy statement as traditional banks. However,
in response to the risks posed by electronic banking, federal banking agencies have begun
to issue supervisory guidelines and examination procedures for examiners who review
and inspect electronic banking applications. Although specialized banking procedures are
used in some areas of Internet banking activities, the existing information technology
examination framework that addresses access controls, information security, business
recovery and other risk areas generally continues to be applicable. To assist supervisors in
monitoring the expansion of Internet banking, state chartered and national banks have
been required since June 1999 to report their websites’ ‘Uniform Resource Locators’
(URL) in the Quarterly Reports of Financial Condition that are submitted to supervisors.
In addition, examiners review the potential for reputational risk associated with web-site
information or activities, the potential impact of various Internet strategies on an
institution’s financial condition, and the need to monitor and manage outsourcing
relationships. To address these risks, the OCC is developing specific guidance for
establishing ‘Internet only’ banks within the US. The Banking Industry Technology
Secretariat recently announced the formation of a security lab to test and validate the
security of software and hardware used by banking organizations. If a bank is relying on
a third party provider, it is accepted that it should be able to understand the provided
information security programme to effectively evaluate the security system’s ability to
protect bank and customer data. Examination of service providers’ operations, where
necessary, is conducted by one or more Federal banking agencies pursuant to the Bank
Services Company Act, solely to support supervision of banking organizations.

The Federal Financial Institutions Examination Council (FFIEC) introduced the
Information Systems (IS) rating system to be used by federal and state regulators to
assess uniformly financial and service provider risks introduced by information
technology and to identify those institutions and service providers requiring special
supervisory attention. The FFIEC has recently renamed the system as Uniform Rating
System for IT (URSIT), which has enhanced the audit function. The importance of risk
management procedure has been reinforced under the revised system.

Some characteristics of e-money products such as their relative lack of physical bulk,
their potential anonymity and the possibility of effecting fast and remote transfers make
them more susceptible than traditional systems to money laundering activities. The OCC
guidelines lay down an effective ‘know your customer’ policy. Federal financial
institutions, regulators, Society for Worldwide Interbank Financial Telecommunications
(SWIFT) and Clearing House Interbank Payment System (CHIPS) have issued statements
encouraging participants to include information on originators and beneficiaries.

UK

Most banks in U.K. are offering transactional services through a wider range of channels
including Wireless Application Protocol (WAP), mobile phone and T.V. A number of non-
banks have approached the Financial Services Authority (FSA) about charters for virtual
banks or ‘clicks and mortar’ operations. There is a move towards banks establishing
portals.

The Financial Services Authority (FSA) is neutral on regulations of electronic banks. The
current legislation, viz. the Banking Act 1987 and the Building Societies Act, provides it
with the necessary powers and the current range of supervisory tools. A new legislation,
the Financial Services and Markets Bill, offers a significant addition in the form of an
objective requiring the FSA to promote public understanding of the financial system.
There is, therefore, no special regime for electronic banks. A draft Electronic Banking
Guidance for supervisors has, however, been developed. A guide to Bank Policy has also
been published by the FSA which is technology neutral, but specifically covers
outsourcing and fraud. The FSA also maintains bilateral discussions with other national
supervisors and monitors developments in the European Union (EU) including
discussions by the Banking Advisory Committee and Groupe de Contact. New legislation
on money laundering has been proposed and both the British Bankers Association and the
FSA have issued guidance papers in this regard.

The FSA is actively involved in the Basle Committee e-banking group which has
identified authorization, prudential standards, transparency, privacy, money laundering
and cross border provision as issues where there is need for further work. The FSA has
also been supporting the efforts of the G7 Financial Stability Forum, which is exploring
common standards for financial markets, which is particularly relevant to the Internet,
which reaches across all borders.

The Financial Services and Markets Bill will replace current powers under the 1987
Banking Act giving the FSA statutory authority for consumer protection and promotion of
consumer awareness. Consumer compliance is required to be ensured via desk based and
on site supervision. The FSA has an Authorization and Enforcement Division, which sees
if web sites referred to them are in violation of U.K. laws.

The FSA has issued guidelines on advertising in U.K. by banks for deposits, investments
and other securities, which apply to Internet banking also. The guidelines include an
Appendix on Internet banking. The FSA’s supervisory policy and powers in relation to
breaches in the advertising code (viz. invitation by any authorized person to take a
deposit within U.K., fraudulent inducements to make a deposit, illegal use of banking
names and descriptions, etc.) are the same for Internet banking as they are for
conventional banking. The FSA does not regard a bank authorized overseas, which is
targeting potential depositors in its home market or in third countries as falling within
U.K. regulatory requirements solely by reason of its web site being accessible to Internet
users within the U.K., as the advertisements are not aimed at potential U.K. depositors.

Scandinavia

Swedish and Finnish markets lead the world in terms of Internet penetration and the
range and quality of their online services. Merita Nordbanken (MNB) (now Nordic Bank
Holding, a merger between Finland’s Merita and Nordbanken of Sweden) leads in "log-ins
per month" with 1.2 million Internet customers, and its penetration rate in Finland
(around 45%) is among the highest in the world for a bank of ‘brick and mortar’ origin.
Skandinaviska Enskilda Banken (SEB) was Sweden’s first Internet bank, having gone
on-line in December 1996. It has 1,000 corporate clients for its Trading Station – an Internet
based trading mechanism for forex dealing, stock-index futures and Swedish treasury
bills and government bonds. Swedbank is another large-sized Internet bank. Almost all
of the approximately 150 banks operating in Norway had established "net banks". In
Denmark, the Internet banking service of Den Danske offers funds transfers, bill
payments, etc.

The basic on-line activity is paying bills. Swedbank was the first bank in the world to
introduce Electronic Bill Presentment and Payment (EBPP) and now handles 2 million
bill payments a month. E-shopping is another major Internet banking service. MNB has an
on-line "mall" of more than 900 shops, which accept its "Solo" payment system.
Swedbank has a similar system called "Direct". Besides using advanced encryption
technology, the Scandinavian banks have adopted a basic but effective system known as
"challenge response logic", which involves a list of code numbers sent to every online
client and used in sequence, in combination with their password or PIN. This gives each
transaction a unique code, and has so far proved safe. Some banks use even more
sophisticated versions of the same technique. It is not a common practice to use third
party vendors for services.
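
The code-list scheme described above, sketched from the server's side as an added example (not code from the report or from any bank): each code is accepted only at its position in the sequence and only together with the PIN, so a captured code cannot be replayed. The class and function names, the PBKDF2 storage and the three-failure lockout are assumptions made for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def _kdf(secret: str, salt: bytes) -> bytes:
    # Slow salted hash, so a stolen server record does not reveal PINs or codes.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def issue_code_list(n: int = 5, digits: int = 6) -> list[str]:
    """Generate the list of numeric codes that is sent to the client out of band."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(n)]


class CodeListAccount:
    """Server-side record for one client: a PIN plus a sequential one-time code list."""

    MAX_FAILURES = 3  # assumed lockout threshold, not taken from the report

    def __init__(self, pin: str, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = _kdf(pin, self.salt)
        # Bind each code to its position, so code k is valid only as the k-th use.
        self.code_hashes = [_kdf(f"{i}:{c}", self.salt) for i, c in enumerate(codes)]
        self.next_index = 0
        self.failures = 0

    def authorize(self, pin: str, code: str) -> bool:
        """Approve one transaction if the PIN and the next unused code both match."""
        if self.failures >= self.MAX_FAILURES:
            return False  # locked out: needs manual reset by the bank
        if self.next_index >= len(self.code_hashes):
            return False  # list exhausted: a new list must be issued
        # Evaluate both checks before deciding, using constant-time comparison.
        pin_ok = hmac.compare_digest(_kdf(pin, self.salt), self.pin_hash)
        code_ok = hmac.compare_digest(
            _kdf(f"{self.next_index}:{code}", self.salt),
            self.code_hashes[self.next_index],
        )
        if pin_ok and code_ok:
            self.next_index += 1  # consume the code: it is never accepted again
            self.failures = 0
            return True
        self.failures += 1
        return False


def demo() -> list[bool]:
    codes = ["481516", "234200", "108342"]  # constructed sample code list
    acct = CodeListAccount("2468", codes)   # constructed sample PIN
    return [
        acct.authorize("2468", codes[0]),  # first code, correct PIN: accepted
        acct.authorize("2468", codes[0]),  # same code replayed: rejected
        acct.authorize("2468", codes[2]),  # code used out of sequence: rejected
        acct.authorize("2468", codes[1]),  # next code in sequence: accepted
        acct.authorize("0000", codes[2]),  # right code, wrong PIN: rejected
    ]


if __name__ == "__main__":
    print(demo())
```

Storing only position-bound hashes means the server never needs the plaintext list after it has been sent to the client.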

In Sweden, no formal guidance has been given to examiners by the Sverigesbank on
e-banking. General guidelines apply equally to Internet banking activities. Contractual
regularization between customers and the bank is a concern for regulators and is being
looked into by the authorities.

The role of the Bank of Finland (Suomen Pankki) has been, as part of general oversight of
financial markets in Finland, mainly to monitor the ongoing development of Internet
banking without active participation. Numerous issues concerning Internet banking have,
however, been examined by the Bank of Finland.

All Internet banks operating from a Norwegian platform are subject to all regular
banking regulations, just as any other bank. As part of the standard regulation, there is
also a specific regulation on the banks’ use of IT. This regulation dates from 1992 when
Internet banking was not the main issue, but it covers all IT systems, including Internet
banking. The regulation ensures that banks’ purchase, development, use and phase out of
IT systems is conducted in a safe and controlled manner. An Act relating to Payment
systems defines payment systems as those which are based on standardized terms for
transfer of funds from or between customer accounts in banks/financial undertakings
when the transfer is based on use of payment cards, numeric codes or any other form of
independent user identification. Internet banking is covered by this regulation. The
Banking, Insurance and Securities Commission may order for implementation of
measures to remedy the situation if there is a violation of provisions.

In addition to their national laws, countries in Europe are also expected to implement
European Union (EU) directives. In 1995, the EU passed a Europe-wide Data Protection
Directive aimed at granting individuals greater protection from abuses of their personal
information. It also passed the Telecommunications Directive that prescribes special
protection in relation to telephones, digital TVs, mobile communications, etc. Every EU
country is to have a privacy commissioner to enforce the regulations as they apply within
the EU. The EU directive on electronic signature is also required to be implemented in
national laws.

Project on Internet Banking - Report of RBI Working Group


Internet Banking - International Experience - Other Countries

Australia

Internet Banking in Australia is offered in two forms: web-based and through the
provision of proprietary software. Initial web-based products have focused on personal
banking whereas the provision of proprietary software has been targeted at the
business/corporate sector. Most Australian-owned banks and some foreign subsidiaries of
banks have transactional or interactive web-sites. Online banking services range from
FIs’ websites providing information on financial products to enabling account
management and financial transactions. Customer services offered online include account
monitoring (electronic statements, real-time account balances), account management (bill
payments, funds transfers, applying for products on-line) and financial transactions
(securities trading, foreign currency transactions). Electronic Bill Presentment and
Payment (EBPP) is at an early stage. Features offered in proprietary software products
(enabling business and corporate customers to connect to the financial institutions via
dial-up/leased line/extranet) include account reporting, improved reconciliation, direct
payments, payroll functionality and funds transfer between accounts held at their own or
other banks. Apart from closed payment systems (involving a single payment-provider),
Internet banking and e-commerce transactions in Australia are conducted using
long-standing payment instruments and are cleared and settled through existing clearing and
settlement systems. Banks rely on third party vendors or are involved with outside
providers for a range of products and services including e-banking. Generally, there are
no ‘virtual’ banks licensed to operate in Australia.

The Electronic Transactions Act, 1999 provides certainty about the legal status of
electronic transactions and allows for Australians to use the Internet to provide
Commonwealth Departments and agencies with documents which have the same legal
status as traditional paperwork. The Australian Securities and Investments Commission
(ASIC) is the Australian regulator with responsibility for consumer aspects of banking,
insurance and superannuation and as such, it is responsible for developing policy on
consumer protection issues relating to the Internet and e-commerce. ASIC currently has a
draft proposal to expand the existing Electronic Funds Transfer Code of Conduct (a
voluntary code that deals with transactions initiated using a card and a PIN) to cover all
forms of consumer technologies, including stored value cards and other new electronic
payment products. Australia’s anti-money laundering regulator is the Australian
Transaction Reports and Analysis Centre (AUSTRAC).

Responsibility for prudential supervisory matters lies with the Australian Prudential
Regulation Authority (APRA). APRA does not have any Internet specific legislation,
regulations or policy, and banks are expected to comply with the established legislation
and prudential standards. APRA’s approach to the supervision of e-commerce activities,
like the products and services themselves, is at an early stage and is still evolving.
APRA’s approach is to visit institutions to discuss their Internet banking initiatives.
However, APRA is undertaking a survey of e-commerce activities of all regulated
financial institutions. The growing reliance on third party or outside providers of e-
banking is an area on which APRA is increasingly focusing.

New Zealand

Major banks offer Internet banking services to customers; these operate as a division of the bank
rather than as a separate legal entity.

Reserve Bank of New Zealand applies the same approach to the regulation of both
Internet banking activities and traditional banking activities. There are, however, banking
supervision regulations that apply only to Internet banking. Supervision is based on
public disclosure of information rather than application of detailed prudential rules. These
disclosure rules apply to Internet banking activity also.

Singapore

The Monetary Authority of Singapore (MAS) has reviewed its current framework for
licensing, and for prudential regulation and supervision of banks, to ensure its relevance
in the light of developments in Internet banking, either as an additional channel or in the
form of a specialized division, or as stand-alone entities (Internet Only Banks), owned
either by existing banks or by new players entering the banking industry. The existing
policy of MAS already allows all banks licensed in Singapore to use the Internet to
provide banking services. MAS is subjecting Internet banking, including IOBs, to the
same prudential standards as traditional banking. It will be granting new licences to
banking groups incorporated in Singapore to set up bank subsidiaries if they wish to
pursue new business models and give them flexibility to decide whether to engage in
Internet banking through a subsidiary or within the bank (where no additional licence is
required). MAS also will be admitting branches of foreign incorporated IOBs within the
existing framework of admission of foreign banks.

As certain types of risk are accentuated in Internet banking, a risk-based supervisory
approach, tailored to individual banks’ circumstances and strategies, is considered more
appropriate by MAS than "one-size-fits-all" regulation. MAS requires public disclosures
of such undertakings, as part of its requirement for all banks and enhance disclosure of
their risk management systems. It is issuing a consultative document on Internet banking
security and technology risk management. In their risk management initiatives for
Internet banking relating to security and technology related risks, banks should (a)
implement appropriate workflow, authenticated process and control procedures
surrounding physical and system access (b) develop, test, implement and maintain
disaster recovery and business contingency plans (c) appoint an independent third party
specialist to assess its security and operations (d) clearly communicate to customers their
policies with reference to rights and responsibilities of the bank and customer,
particularly issues arising from errors in security systems and related procedures. For
liquidity risk, banks, especially IOBs, should establish robust liquidity contingency plans
and appropriate Asset-Liability Management systems. As regards operational risk, banks
should carefully manage outsourcing of operations, and maintain comprehensive audit
trails of all such operations. As far as business risk is concerned, IOBs should maintain
and continually update a detailed system of performance measurement.

MAS encourages financial institutions and industry associations such as the Associations
of Banks in Singapore (ABS) to play a proactive role in educating consumers on benefits
and risks on new financial products and services offered by banks, including Internet
banking services.

Hong Kong

There has been a spate of activity in Internet banking in Hong Kong. Two virtual banks
are being planned. It is estimated that almost 15% of transactions are processed on the
Internet. During the first quarter of 2000, seven banks have begun Internet services.
Banks are participating in strategic alliances for e-commerce ventures and are forming
alliances for Internet banking services delivered through Jetco (a bank consortium
operating an ATM network in Hong Kong). A few banks have launched transactional
mobile phone banking earlier for retail customers.

The Hong Kong Monetary Authority (HKMA) requires that banks must discuss their
business plans and risk management measures before launching a transactional website.
HKMA has the right to carry out inspections of security controls and obtain reports from
the home supervisor, external auditors or experts commissioned to produce reports.
HKMA is developing specific guidance on information security with the guiding
principle that security should be "fit for purpose". HKMA requires that risks in Internet
banking system should be properly controlled. The onus of maintaining adequate systems
of control including those in respect of Internet banking ultimately lies with the
institution itself. Under the Seventh Schedule to the Banking Ordinance, one of the
authorization criteria is the requirement to maintain adequate accounting system and
adequate systems control. Banks should continue to acquire state-of-the-art technologies
and to keep pace with developments in security measures. The HKMA’s supervisory
approach is to hold discussions with individual institutions who wish to embark on
Internet banking to allow them to demonstrate how they have properly addressed the
security systems before starting to provide such services, particularly in respect of the
following – (i) encryption by industry proven techniques of data accessible by outsiders,
(ii) preventive measures for unauthorized access to the bank’s internal computer systems,
(iii) set of comprehensive security policies and procedures, (iv) reporting to HKMA all
security incidents and adequacy of security measures on a timely basis. At present, it has
not been considered necessary to codify security objectives and requirements into a
guideline. The general security objectives for institutions intending to offer Internet
banking services should have been considered and addressed by such institutions.

HKMA has issued guidelines on ‘Authorization of Virtual Banks’ under Section 16(10) of
the Banking Ordinance under which-

i. the HKMA will not object to the establishment of virtual banks in Hong Kong
provided they can satisfy the same prudential criteria that apply to conventional
banks,
ii. a virtual bank which wishes to carry on banking business in Hong Kong must
maintain a physical presence in Hong Kong;
iii. a virtual bank must maintain a level of security which is appropriate to the type of
business which it intends to carry out. A copy of report on security of computer
hardware, systems, procedures, controls etc. from a qualified independent expert
should be provided to the HKMA at the time of application,
iv. a virtual bank must put in place appropriate policies, procedures and controls to
meet the risks involved in the business;
v. the virtual bank must set out clearly in the terms and conditions for its service
what are the rights and obligations of its customers;
vi. Outsourcing by virtual banks to a third party service provider is allowed, provided
HKMA’s guidelines on outsourcing are complied with. There are principles
applicable to locally incorporated virtual banks and those applicable to overseas-
incorporated virtual banks.

Consumer protection laws in Hong Kong do not apply specifically to e-banking but banks
are expected to ensure that their e-services comply with the relevant laws. The Code of
Banking Practice is being reviewed to incorporate safeguards for customers of e-banking.

Advertising for taking deposits to a location outside Hong Kong is a violation unless
disclosure requirements are met. Consideration is being given as to whether this is not too
onerous in the context of the global nature of the Internet.

Recognising the relevance of Public Key Infrastructure (PKI) in Hong Kong to the
development of Internet banking and other forms of e-commerce, the government of
Hong Kong has invited the Hong Kong Postal Authority to serve as public Certificate
Authority (CA) and to establish the necessary PKI infrastructure. There is no bar,
however, on the private sector setting up CAs to serve the specific needs of individual
networks. There should be cross-references and mutual recognition of digital signatures
among CAs. The Government is also considering whether and, if so, how the legal
framework should be strengthened to provide firm legal basis for electronic transactions
(particularly for digital signatures to ensure non-repudiation of electronic messages and
transactions).

Japan

Banks in Japan are increasingly focusing on e-banking transactions with customers.
Internet banking is an important part of their strategy. While some banks provide services
such as inquiry, settlement, purchase of financial products and loan application, others are
looking at setting up finance portals with non-finance business corporations. Most banks
use outside vendors in addition to in-house services.

The current regulations of the Bank of Japan on physical presence of bank branches are
undergoing modifications to take care of licensing of banks and their branches with no
physical presence. The Report of the Electronic Financial Services Study Group (EFSSG)
has made recommendations regarding the supervision and regulation of electronic
financial services. Financial institutions are required to take sufficient measures for risk
management of service providers and the authorities are required to verify that such
measures have been taken. Providing information about non-financial businesses on a
bank web site is not a violation as long as it does not constitute a business itself.

With respect to consumer protection it is felt that guidance and not regulations should
encourage voluntary efforts of individual institutions in this area. Protection of private
information, however, is becoming a burning issue in Japan both within and outside the
field of e-banking. Japanese banks are currently requested to place disclosure
publications in their offices (branches) by the law. However, ‘Internet Only banks’ are
finding it difficult to satisfy this requirement. The Report of the EFSSG recommends that
financial service providers that operate transactional website should practice online
disclosure through electronic means at the same timing and of equivalent contents as
paper based disclosure. They should also explain the risks and give customers a fair
chance to ask queries. The Government of Japan intends to introduce comprehensive
Data Protection Legislation in the near future.

There are no restrictions or requirements on the use of cryptography. The Ministry of
International Trade and Industry (MITI)’s approval is required to report encryption
technolog

Project on Internet Banking - Report of RBI Working Group


Internet Banking - The Indian Scenario

The entry of Indian banks into Net Banking

Internet banking, both as a medium of delivery of banking services and as a strategic tool
for business development, has gained wide acceptance internationally and is fast catching
up in India with more and more banks entering the fray. India can be said to be on the
threshold of a major banking revolution with net banking having already been unveiled. A
recent questionnaire to which 46 banks responded, has revealed that at present, 11 banks
in India are providing Internet banking services at different levels, 22 banks propose to
offer Internet banking in near future while the remaining 13 banks have no immediate
plans to offer such facility.

At present, the total Internet users in the country are estimated at 9 lakh. However, this is
expected to grow exponentially to 90 lakh by 2003. Only about 1% of Internet users did
banking online in 1998. This increased to 16.7% in March 2000.* The growth potential is,
therefore, immense. Further incentives provided by banks would dissuade customers
from visiting physical branches, and thus get them ‘hooked’ on the convenience of arm-chair
banking. The facility of accessing their accounts from anywhere in the world by using a
home computer with Internet connection, is particularly fascinating to Non-Resident
Indians and High Networth Individuals having multiple bank accounts.

Costs of banking service through the Internet form a fraction of costs through
conventional methods. Rough estimates assume teller cost at Re.1 per transaction, ATM
transaction cost at 45 paise, phone banking at 35 paise, debit cards at 20 paise and
Internet banking at 10 paise per transaction. The cost-conscious banks in the country have
therefore actively considered use of the Internet as a channel for providing services. Fully
computerized banks, with better management of their customer base are in a stronger
position to cross-sell their products through this channel.
* Source: India Research, May 29, 2000, Kotak Securities.

Products and Services Offered

Banks in India are at different stages of the web-enabled banking cycle. Initially, a bank,
which is not having a web site, allows its customer to communicate with it through an e-
mail address; communication is limited to a small number of branches and offices which
have access to this e-mail account. As yet, many scheduled commercial banks in India are
still in the first stage of Internet banking operations.

With gradual adoption of Information Technology, the bank puts up a web-site that
provides general information on the banks, its location, services available e.g. loan and
deposits products, application forms for downloading and e-mail option for enquiries and
feedback. It is largely a marketing or advertising tool. For example, Vijaya Bank provides
information on its web-site about its NRI and other services. Customers are required to
fill in applications on the Net and can later receive loans or other products requested for
at their local branch. A few banks allow the customer to enquire into his demat account
(securities/shares) holding details, transaction details and status of instructions given by
him. These web sites still do not allow online transactions for their customers.

Some of the banks permit customers to interact with them and transact electronically with
them. Such services include request for opening of accounts, requisition for cheque
books, stop payment of cheques, viewing and printing statements of accounts, movement
of funds between accounts within the same bank, querying on status of requests,
instructions for opening of Letters of Credit and Bank Guarantees etc. These services are
being initiated by banks like ICICI Bank Ltd., HDFC Bank Ltd., Citibank, Global Trust
Bank Ltd., UTI Bank Ltd., Bank of Madura Ltd., Federal Bank Ltd. etc. Recent entrants
in Internet banking are Allahabad Bank (for its corporate customers through its ‘Allnet’
service) and Bank of Punjab Ltd. State Bank of India has announced that it will be
providing such services soon. Certain banks like ICICI Bank Ltd., have gone a step
further within the transactional stage of Internet banking by allowing transfer of funds by
an account holder to any other account holder of the bank.

Some of the more aggressive players in this area such as ICICI Bank Ltd., HDFC Bank
Ltd., UTI Bank Ltd., Citibank, Global Trust Bank Ltd. and Bank of Punjab Ltd. offer the
facility of receipt, review and payment of bills on-line. These banks have tied up with a
number of utility companies. The ‘Infinity’ service of ICICI Bank Ltd. also allows online
real time shopping mall payments to be made by customers. HDFC Bank Ltd. has made
e-shopping online and real time with the launch of its payment gateway. It has tied up
with a number of portals to offer business-to-consumer (B2C) e-commerce transactions.
The first online real time e-commerce credit card transaction in the country was carried
out on the Easy3shoppe.com shopping mall, enabled by HDFC Bank Ltd. on a VISA
card.

Banks like ICICI Bank Ltd., HDFC Bank Ltd. etc. are thus looking to position
themselves as one stop financial shops. These banks have tied up with computer training
companies, computer manufacturers, Internet Services Providers and portals for
expanding their Net banking services, and widening their customer base. ICICI Bank Ltd.
has set up a web based joint venture for on-line distribution of its retail banking products
and services on the Internet, in collaboration with Satyam Infoway, a private ISP through
a portal named as icicisify.com. The customer base of www.satyamonline.com portal is
also available to the bank. Setting up of Internet kiosks and permeation through the cable
television route to widen customer base are other priority areas in the agendas of the
more aggressive players. Centurion Bank Ltd. has taken up equity stake in the
teauction.com portal, which aims to bring together buyers, sellers, registered brokers,
suppliers and associations in the tea market and substitute their physical presence at the
auctions announced.

Banks providing Internet banking services have been entering into agreements with their
customers setting out the terms and conditions of the services. The terms and conditions
include information on the access through user-id and secret password, minimum balance
and charges, authority to the bank for carrying out transactions performed through the
service, liability of the user and the bank, disclosure of personal information for statistical
analysis and credit scoring also, non-transferability of the facility, notices and
termination, etc.

The race for market supremacy is compelling banks in India to adopt the latest
technology on the Internet in a bid to capture new markets and customers. HDFC Bank
Ltd. with its ‘Freedom- the e-Age Saving Account’ Service, Citibank with ‘Suvidha’ and
ICICI Bank Ltd. with its ‘Mobile Commerce’ service have tied up with cellphone
operators to offer Mobile Banking to their customers. Global Trust Bank Ltd. has also
announced that it has tied up with cellular operators to launch mobile banking services.
Under Mobile Banking services, customers can scan their accounts to seek balance and
payments status or instruct banks to issue cheques, pay bills or deliver statements of
accounts. It is estimated that by 2003, cellular phones will have become the premier
Internet access device, outselling personal computers. Mobile banking will further
minimise the need to visit a bank branch.

The Future Scenario

Compared to banks abroad, Indian banks offering online services still have a long way to
go. For online banking to reach a critical mass, there has to be a sufficient number of users
and sufficient infrastructure in place. The ‘Infinity’ product of ICICI Bank Ltd. gets
only about 30,000 hits per month, with around 3,000 transactions taking place on the Net
per month through this service. Though various security options like line encryption,
branch connection encryption, firewalls, digital certificates, automatic sign-offs, random
pop-ups and disaster recovery sites are in place or are being looked at, there is as yet no
Certification Authority in India offering Public Key Infrastructure which is absolutely
necessary for online banking. The customer can only be assured of a secured conduit for
its online activities if an authority certifying digital signatures is in place. The
communication bandwidth available today in India is also not enough to meet the needs
of high priority services like online banking and trading. Banks offering online facilities
need to have an effective disaster recovery plan along with comprehensive risk
management measures. Banks offering online facilities also need to calculate their
downtime losses, because even a few minutes of downtime in a week could mean
substantial losses. Some banks even today do not have uninterrupted power supply unit or
systems to take care of prolonged power breakdown. Proper encryption of data and
effective use of passwords are also matters that leave a lot to be desired. Systems and
processes have to be put in place to ensure that errors do not take place.
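
The point made above, and in the Hong Kong passage on PKI, is that a signature only assures the bank and the customer of anything if a trusted authority has certified whose key produced it. The sketch below is an added illustration and not part of the RBI report: the customer IDs, the instruction text and all function names are hypothetical, and textbook RSA over fixed Mersenne primes stands in for a real certified signature scheme so that it runs with the Python standard library alone.

```python
"""Toy PKI walk-through (constructed example, not production cryptography).

A certification authority (CA) signs the binding between a customer ID and a
public key; the bank accepts a signed instruction only if that binding checks
out. Real systems use a vetted library, padded signatures and X.509.
"""
import hashlib

E = 65537  # public exponent used by every constructed key below


def make_key(p, q):
    """Return (public, private) RSA keys built from the primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def digest(message, n):
    """SHA-256 of the message as an integer reduced modulo n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    n, d = private
    return pow(digest(message, n), d, n)


def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == digest(message, n)


def cert_body(subject, public):
    """Bytes that get signed in a certificate: the owner and the key."""
    return f"{subject}|{public[0]}|{public[1]}".encode()


def issue_certificate(signer_private, subject, public):
    """Bind subject to public key under the signer's private key."""
    return {"subject": subject, "public": public,
            "ca_sig": sign(signer_private, cert_body(subject, public))}


def bank_accepts(ca_public, cert, customer_id, instruction, signature):
    """Bank-side check: right customer, CA-certified key, valid signature."""
    if cert["subject"] != customer_id:
        return False
    body = cert_body(cert["subject"], cert["public"])
    if not verify(ca_public, body, cert["ca_sig"]):
        return False  # key was never certified by the trusted CA
    return verify(cert["public"], instruction, signature)


def demo():
    """Run the constructed scenario and return each check's outcome."""
    ca_pub, ca_priv = make_key(2**127 - 1, 2**107 - 1)
    cust_pub, cust_priv = make_key(2**89 - 1, 2**61 - 1)
    other_pub, other_priv = make_key(2**31 - 1, 2**19 - 1)  # not the customer

    cert = issue_certificate(ca_priv, "CUST-0001", cust_pub)
    instruction = b"PAY 5000 INR FROM CUST-0001 TO ACCT-7788"  # constructed
    sig = sign(cust_priv, instruction)

    # A certificate for CUST-0001 that was not issued by the CA.
    uncertified = issue_certificate(other_priv, "CUST-0001", other_pub)
    other_sig = sign(other_priv, instruction)
    altered = instruction.replace(b"5000", b"9000")

    return {
        "genuine": bank_accepts(ca_pub, cert, "CUST-0001", instruction, sig),
        "altered_amount": bank_accepts(ca_pub, cert, "CUST-0001", altered, sig),
        "uncertified_key": bank_accepts(ca_pub, uncertified, "CUST-0001",
                                        instruction, other_sig),
        # Without the CA step, a signature under any key "verifies".
        "key_only_check": verify(other_pub, instruction, other_sig),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

The last entry is the reason the certification step matters: a signature checked only against whatever key accompanies it proves nothing about who sent the instruction.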

Users of Internet Banking Services are required to fill up the application forms online and
send a copy of the same by mail or fax to the bank. A contractual agreement is entered
into by the customer with the bank for using the Internet banking services. In this way,
personal data in the applications forms is being held by the bank providing the service.
The contract details are often one-sided, with the bank having the absolute discretion to
amend or supplement any of the terms at any time. For these reasons domestic customers
for whom other access points such as ATMs, telebanking, personal contact, etc. are
available, are often hesitant to use the Internet banking services offered by Indian banks.
Internet Banking, as an additional delivery channel, may, therefore, be attractive /
appealing as a value added service to domestic customers. Non-resident Indians for
whom it is expensive and time consuming to access their bank accounts maintained in
India find net banking very convenient and useful.

The Internet is in the public domain whereby geographical boundaries are eliminated.
Cyber crimes are therefore difficult to identify and control. In order to promote
Internet banking services, it is necessary that the proper legal infrastructure is in place.
Government has introduced the Information Technology Bill, which has already been
notified in October 2000. Section 72 of the Information Technology Act, 2000 casts an
obligation of confidentiality against disclosure of any electronic record, register,
correspondence and information, except for certain purposes and violation of this
provision is a criminal offence. Notification for appointment of Authorities to certify
digital signatures, ensuring confidentiality of data, is likely to be issued in the coming
months. Comprehensive enactments like the Electronic Funds Transfer Act in U.K. and
data protection rules and regulations in the developed countries are in place abroad to
prevent unauthorized access to data, malafide or otherwise, and to protect the individual’s
rights of privacy. The legal issues are, however, being debated in our country and it is
expected that some headway will be made in this respect in the near future.

Notwithstanding the above drawbacks, certain developments taking place at present, and
expected to take place in the near future, would create a conducive environment for
online banking to flourish. For example, Internet usage is expected to grow with cheaper
bandwidth cost. The Department of Telecommunications (DoT) is moving fast to make
available additional bandwidth, with the result that Internet access will become much
faster in the future. This is expected to give a fillip to Internet banking in India.

The proposed setting up of a Credit Information Bureau for collecting and sharing credit
information on borrowers of lending institutions online would give a fillip to electronic
banking. The deadline set by the Chief Vigilance Commissioner for computerisation of
not less than 70 percent of the bank's business by end of January 2001 has also given a
greater thrust to development of banking technology. The recommendations of the
Vasudevan Committee on Technological Upgradation of Banks in India have also been
circulated to banks for implementation. In this background, banks are moving in for
technological upgradation on a large scale. Internet banking is expected to get a boost
from such developments.

Reserve Bank of India has taken the initiative for facilitating real time funds transfer
through the Real Time Gross Settlement (RTGS) System. Under the RTGS system,
transmission, processing and settlements of the instructions will be done on a continuous
basis. Gross settlement in a real time mode eliminates credit and liquidity risks. Any
member of the system will be able to access it through only one specified gateway in
order to ensure rigorous access control measures at the user level. The system will have
various levels of security, viz., Access security, 128 bit cryptography, firewall,
certification etc. Further, Generic Architecture (see fig. 2), both domestic and cross
border, aimed at providing inter-connectivity across banks has been accepted for
implementation by RBI. Following a reference made this year, in the Monetary and
Credit Policy statement of the Governor, banks have been advised to develop domestic
generic model in their computerization plans to ensure seamless integration. The
abovementioned efforts would enable online banking to become more secure and
efficient.

With the process of dematerialisation of shares having gained considerable ground in
recent years, banks have assumed the role of depository participants. In addition to
customers’ deposit accounts, they also maintain demat accounts of their clients. Online
trading in equities is being allowed by SEBI. This is another area which banks are keen to
get into. HDFC Bank Ltd., has tied up with about 25 equity brokerages for enabling third
party transfer of funds and securities through its business-to-business (B2B) portal, ‘e-
Net’. Demat account holders with the bank can receive securities directly from the
brokers’ accounts. The bank has extended its web interface to the software vendors of
National Stock Exchange through a tie-up with NSE.IT – the infotech arm of the
exchange. The bank functions as the payment bank for enabling funds transfer from its
customers’ account to brokers’ accounts. The bank is also setting up a net broking arm,
HDFC Securities, for enabling trading in stocks through the web. The focus on capital
market operations through the web is based on the bank’s strategy on tapping customers
interested in trading in equities through the Internet. Internet banking thus promises to
become a popular delivery channel not only for retail banking products but also for online
securities trading.

An upcoming payment gateway is being developed by ICICI and Global Tele System,
which will enable customers to transfer funds to banks which are part of the project.
Transfer of funds can be made through credit/debit/ smart cards and cheques, with the
central payment switch enabling the transactions. Banks are showing interest in this new
concept, which will facilitate inter-bank funds transfers and other e-commerce
transactions, thus highlighting the role of banks in e-commerce as intermediaries between
buyers and sellers in the whole payment process.

WAP (Wireless Application Protocol) telephony is the merger of mobile telephony with
the Internet. It offers two-way connectivity, unlike Mobile Banking where the customer
communicates to a mailbox answering machine. Users may surf their accounts, download
items and transact a wider range of options through the cellphone screen. WAP may
provide the infrastructure for P2P (person to person) or P2M (person to merchant)
payments. It would be ideal for transactions that do not need any cash backup, such as
online investments. Use of this cutting edge technology could well determine which bank
obtains the largest market share in electronic banking. IDBI Bank Ltd. has recently
launched its WAP-based mobile phone banking services (offering facilities such as
banking enquiry, cheque book request, statements request, details of the bank’s products
etc).

At present, there are only 2.6 phone connections per 100 Indians, against the world
average of 15 connections per 100. The bandwidth capacity available in the country is
only 3.2 gigabits per second, which is around 60% of current demand. Demand for
bandwidth is growing by 350% a year in India. With the help of the latest technology,
Indian networks will be able to handle 40 gigabits of Net traffic per second (as compared
to 10 gigabits per second in Malaysia). Companies like Reliance, Bharti Telecom and the
Tata Group are investing billions of rupees to build fibre optic lines and telecom
infrastructure for data, voice and Internet telephony. The online population has increased
from just 500,000 in 1998 to 5 million in 2000. By 2015, the online population is
expected to reach 70 million. IT services is a $1.5 billion industry in India growing at a
rate of 55% per annum. Keeping in view all the above developments, Internet banking is
likely to grow at a rapid pace and most banks will enter into this area soon. Rapid strides
are already being made in banking technology in India and Internet banking is a
manifestation of this. Every day sees new tie-ups, innovations and strategies being
announced by banks. State Bank of India has recently announced its intention to form an
IT subsidiary. A sea change in banking services is on the cards. It would, however, be
essential to have in place a proper regulatory, supervisory and legal framework,
particularly as regards security of transactions over the Net, for regulators and customers
alike to be comfortable with this form of banking.


Internet Banking - Technology

Contents Description in a Nutshell


The Internet has provided a new and inexpensive channel for banks to reach
out to their customers. It allows customers to access banks’ facilities round the
clock and 7 days a week. It also allows customers to access these facilities from
remote sites/home etc. However, all these capabilities come with a price. The
highly unregulated Internet provides a less than secure environment for the
banks to interface. The diversity in computer, communication and software
technologies used by the banks vastly increases the challenges facing the online
bankers. In this chapter, an effort has been made to give an overview of the
technologies commonly used in Internet banking.

Computer networking & Internet

The purpose of computer networking is sharing of computing resources and data across
the whole organization and the outside world. Computer Networks can be primarily
divided into two categories based on speed of data transfers and geographical reach. A
Local area network (LAN) connects many servers and workstations within a small
geographical area, such as a floor or a building. Some of the common LAN technologies
are 10 MB Ethernet, 100 MB Ethernet, 1GB Ethernet, Fiber Distributed Data Interface
(FDDI) and Asynchronous Transfer Mode (ATM). The data transfer rates here are very
high. They commonly use broadcast mode of data transfer. The Wide Area Network
(WAN), on the other hand, is designed to carry data over great distances and is generally
point-to-point. Connectivity in WAN set-up is provided by using dial-up modems on the
Public Switched Telephone Network (PSTN) or leased lines, VSAT networks, an
Integrated Services Digital Network (ISDN) or T1 lines, Frame Relay/X.25 (Permanent
Virtual Circuits), Synchronous Optical Network (SONET), or by using Virtual Private
Networks (VPN) which are software-defined dedicated and customized services used to
carry traffic over the Internet. The different topologies, technologies and data
communication protocols have different implications on safety and security of services.

To standardize on communications between systems, the International Organization for
Standardization developed the OSI model (the Open System Interconnection Reference Model)
in 1977. The OSI breaks up the communication process into 7 layers and describes the
functions and interfaces of each layer. The important services provided by some of the
layers are mentioned below. It is necessary to have a good understanding of these layers
for developing applications and for deploying firewalls (described later).

1. Application Layer: Network Management, File Transfer Protocol, Information
validation, Application-level access security checking.
2. Session Layer: establishing, managing and terminating connections (sessions)
between applications
3. Transport Layer: Reliable transparent transfer of data between end points, end to
end recovery & flow control.
4. Network Layer: Routing, switching, traffic monitoring and congestion control,
control of network connections, logical channels and data flow.
5. Data Link Layer: Reliable transfer of data across physical link and control of flow
of data from one machine to another.

Protocol: The data transmission protocol suite used for the Internet is known as the
Transmission Control Protocol/Internet Protocol (TCP/IP). The Internet is primarily a
network of networks. The networks in a particular geographical area are connected into a
large regional network. The regional networks are connected via a high speed "backbone".
The data sent from one region to another is first transmitted to a Network Access
Point (NAP) and is then routed over the backbone. Each computer connected to the
Internet is given a unique IP address (such as 142.16.111.84) and a hierarchical domain
name (such as cse.iitb.ernet.in). The Internet can be accessed using various
application-level protocols such as FTP (File Transfer Protocol), Telnet (Remote Terminal
Control Protocol), Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP).
These protocols run on top of TCP/IP. The most innovative part of the Internet is the
World Wide Web (WWW). The web uses hyperlinks, which allow users to move from
any place on the web to any other place. The web consists of web pages, which are
multimedia pages composed of text, graphics, sound and video. The web pages are made
using Hypertext Markup Language (HTML). The web works on a client-server model in
which the client software, known as the browser, runs on the local machine and the server
software, called the web server, runs on a possibly remote machine. Some of the popular
browsers are Microsoft Internet Explorer and Netscape Navigator.

With the popularity of web, organizations find it beneficial to provide access to their
services through the Internet to their employees and the public. In a typical situation, a
component of the application runs (as an ‘applet’) within the browser on user’s
workstation. The applet connects to the application (directly using TCP/IP or through
web server using HTTP protocols) on the organization’s application and database servers.
These servers may be on different computer systems. The web-based applications provide
flexible access from anywhere using the familiar browsers that support graphics and
multimedia. The solutions are also scalable and easy to extend.

Banking Products: Internet Banking applications run on diverse platforms and operating
systems and use different architectures. The product may support centralized (bank-wide)
operations or branch level automation. It may have a distributed, client server or three tier
architecture based on a file system or a DBMS package. Moreover, the product may run
on computer systems of various types ranging from PCs, open (Unix based) systems, to
proprietary mainframes. These products allow different levels of access to the customers
and different range of facilities. The products accessible through Internet can be classified
into three types based on the levels of access granted:

Information only systems: General-purpose information like interest rates, branch
locations, product features, FAQs, loan and deposit calculators are provided on the bank’s
web (WWW) site. The sites also allow downloading of application forms. Interactivity is
limited to a simple form of ‘e-mail’. No identification or authentication of customers is
done and there is no interaction between the bank’s production system (where current
data of accounts are kept and transactions are processed) and the customer.

Electronic Information Transfer System: These systems provide customer-specific
information in the form of account balances, transaction details, statement of account etc.
The information is still largely ‘read only’. Identification and authentication of customer
takes place using relatively simple techniques (like passwords). Information is fetched
from the Bank’s production system in either the batch mode or offline. Thus, the bank’s
main application system is not directly accessed.

Fully Transactional System: These systems provide bi-directional transaction capabilities.
The bank allows customers to submit transactions on its systems and these directly
update customer accounts. Therefore, security and control systems need to be strongest here.

Application Architecture

A computer-based application may be built as monolithic software, or may be
structured to run in a client–server environment, or even have a three- or multi-tiered
architecture. A computer application typically separates its 3 main tasks: interactions with
the user, processing of transactions as per the business rules, and the storage of business
data. The three tasks can be viewed as three layers, which may run on the same system
(possibly a large, proprietary computer system), or may be separated on to multiple
computers (across the Internet), leading to three-tier or multi-tier architecture.

These layers can be briefly described as follows:

Presentation Layer: This layer is responsible for managing the front-end devices, which
include browsers on personal computers, Personal Digital Assistants (PDAs), mobile
phones, Internet kiosks, Web TV etc. The presentation layer takes care of user interface
related issues like display details, colour, layout, image etc. It also has important
responsibilities in user authentication and session management activity.

Application layer: It contains the business logic (for processing of data and transactions)
and necessary interfaces to the data layer. It processes requests from the presentation
layer, connects to the data layer, receives and processes the information and passes results
back to the presentation layer. It is responsible for ensuring that all the business rules are
incorporated in the software. The issues of scalability, reliability and performance of the
services to a great extent depend upon the application layer architecture.

Data Layer: The data layer uses a database package to store, retrieve and update
application data. The database may be maintained on one or multiple servers. A database
package also supports back-up and recovery of data, as well as logging of all transactions.

Issues in administration of systems and applications: The role of the network and the
database administrator is pivotal in securing the information systems of any organization.
The role extends across various job functions and any laxity in any of the functions
leaves the system open for malicious purposes. A few important functions of the
administrator and how they relate to or impinge on system security are discussed below:

Installation of software: Software (whether system or application) needs to be carefully
installed as per the developer’s instructions. The software system may contain bugs and
security holes, which over a period are fixed through appropriate patches. It is necessary
to know the latest and correct configuration of all software packages. Hackers and
intruders are often aware of these bugs and may exploit known weaknesses in the
software; hence, care should be taken to install only the latest versions of software with
the latest patches. Further, improper installation may lead to degradation of services.
Pirated software is not only illegal and unethical to install, but may also contain
trojans and viruses, which may compromise system security. In the case of installation of
outsourced software, care should be taken to compare the source code and the executable
code using appropriate tools, as unscrupulous developers may leave backdoor traps in the
software for illegal access and update to the data. In addition, while installing
software care should be taken that only necessary services are enabled on a need-to-use
basis.

Access controls and user maintenance: An administrator has to create user accounts on
different computer systems, and give various access permissions to the users. Setting
access controls to files, objects and devices reduces intentional and unintentional security
breaches. A bank’s system policy should specify access privileges and controls for the
information stored on the computers. The administrators create needed user groups and
assign users to the appropriate groups. The execution privilege of most system–related
utilities should be limited to system administrators so that users may be prevented from
making system level changes. The write / modify access permissions for all executables
and binary files should be disabled. If possible, all log files should be made "append
only". All sensitive data should be made more secure by using encryption. The system
and database administrators are also responsible for the maintenance of users and the
deletion of inactive users. Proper logs should be maintained of dates of user creation and
validity period of users. There should be a frequent review to identify unnecessary users
and privileges, especially of temporary users such as system maintenance personnel and
system auditors.

Backup, recovery & business continuity: Back-up of data, documentation and software is
an important function of the administrators. Both data and software should be backed up
periodically. The frequency of back up should depend on the recovery needs of the
application. Online / real time systems require frequent backups within a day. The back-
up may be incremental or complete. Automating the back up procedures is preferred to
obviate operator errors and missed back-ups. Recovery and business continuity measures,
based on criticality of the systems, should be in place and a documented plan with the
organization and assignment of responsibilities of the key decision making personnel
should exist. An off-site back up is necessary for recovery from major failures / disasters
to ensure business continuity. Depending on criticality, different technologies based on
back up, hot sites, warm sites or cold sites should be available for business continuity.
The business continuity plan should be frequently tested.

System & network logging: Operating systems, database packages and even business
applications produce a ‘log’ of various tasks performed by them. Most operating systems
keep a log of all user actions. Log files are the primary record of suspicious behavior. Log
files alert the administrator to carry out further investigation in case of suspicious activity
and help in determining the extent of intrusion. Log files can also provide evidence in
case of legal proceedings. The administrator has to select types of information to be
logged, the mechanisms for logging, locations for logging, and locations where the log
files are stored. The information required to be logged should include Login/Logout
information, location and time of failed attempts, changes in status, status of any
resource, changes in system status such as shutdowns, initializations and restart; file
accesses, change to file access control lists, mail logs, modem logs, network access logs,
web server logs, etc. The log files must be protected and archived regularly and securely.
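
The review of failed login attempts described above, as an added example that is not part of the report: a sliding-window check that flags repeated failures and a success that follows them. The log format, field names, threshold and window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp, event, user=, src=).
SAMPLE_LOG = """\
2001-11-15T09:00:01 LOGIN_OK user=teller01 src=10.0.0.5
2001-11-15T09:02:10 LOGIN_FAIL user=cust4411 src=192.0.2.15
2001-11-15T09:02:14 LOGIN_FAIL user=cust4411 src=192.0.2.15
2001-11-15T09:02:19 LOGIN_FAIL user=cust4411 src=192.0.2.15
2001-11-15T09:02:25 LOGIN_FAIL user=cust4411 src=192.0.2.15
2001-11-15T09:02:31 LOGIN_OK user=cust4411 src=192.0.2.15
2001-11-15T09:10:00 LOGIN_FAIL user=cust7002 src=198.51.100.7
2001-11-15T11:45:00 LOGIN_FAIL user=cust7002 src=198.51.100.7
2001-11-15T11:45:30 LOGIN_OK user=cust7002 src=198.51.100.7
garbled line without fields
"""

EVENTS = ("LOGIN_OK", "LOGIN_FAIL")


def parse_line(line):
    """Return (time, event, user, source) or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    stamp, event, user_field, src_field = parts
    if event not in EVENTS:
        return None
    if not user_field.startswith("user=") or not src_field.startswith("src="):
        return None
    try:
        when = datetime.fromisoformat(stamp)
    except ValueError:
        return None
    return when, event, user_field[5:], src_field[4:]


def review(log_text, threshold=3, window=timedelta(minutes=5)):
    """Flag bursts of failed logins and a successful login that follows a burst.

    Returns (alerts, skipped): alerts is a list of tuples, skipped counts the
    non-empty lines that could not be parsed (these deserve a look as well).
    """
    recent_failures = defaultdict(deque)  # (user, source) -> failure times in window
    alerts = []
    skipped = 0
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            if line.strip():
                skipped += 1
            continue
        when, event, user, src = record
        failures = recent_failures[(user, src)]
        # Forget failures that fell out of the time window.
        while failures and when - failures[0] > window:
            failures.popleft()
        if event == "LOGIN_FAIL":
            failures.append(when)
            if len(failures) == threshold:  # alert once per burst
                alerts.append(("REPEATED_FAILURES", user, src, when.isoformat()))
        else:
            if len(failures) >= threshold:
                alerts.append(("SUCCESS_AFTER_FAILURES", user, src, when.isoformat()))
            failures.clear()
    return alerts, skipped


if __name__ == "__main__":
    found, unparsed = review(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("unparsed lines:", unparsed)
```

The two isolated failures for cust7002 are more than two hours apart and raise no alert, while the burst for cust4411 raises both.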

Project on Internet Banking - Report of RBI Working Group


Internet Banking - Security and Privacy Issues

Contents Description in a Nutshell

The Internet has provided a new and inexpensive channel for banks to reach
out to their customers. It allows customers to access banks’ facilities round the
clock and 7 days a week. It also allows customers to access these facilities from
remote sites/home etc. However, all these capabilities come with a price. The
highly unregulated Internet provides a less than secure environment for the
banks to interface. The diversity in computer, communication and software
technologies used by the banks vastly increases the challenges facing the online
bankers. In this and the next two articles an attempt has been made to describe
concepts, techniques and technologies related to privacy and security including
the physical security. The banks planning to offer Internet banking should have
explicit policies on security. An outline for a possible framework for security
policy and planning has also been given. Finally, recommendations have been
made for ensuring security in Internet banking.

Security and Privacy Issues


Common Terminology Used & their Definition

Security: Security in Internet banking comprises both computer and communication
security. The aim of computer security is to preserve computing resources against abuse
and unauthorized use, and to protect data from accidental and deliberate damage,
disclosure and modification. Communication security aims to protect data during
transmission in computer networks and distributed systems.

Authentication: It is a process of verifying claimed identity of an individual user,
machine, software component or any other entity. For example, an IP Address identifies a
computer system on the Internet, much like a phone number identifies a telephone. It may
be to ensure that unauthorized users do not enter, or for verifying the sources from where
the data are received. It is important because it ensures authorization and accountability.
Authorization means control over the activity of user, whereas accountability allows us to
trace uniquely the action to a specific user. Authentication can be based on password or
network address or on cryptographic technique.

Access Control: It is a mechanism to control the access to the system and its facilities by
a given user up to the extent necessary to perform his job function. It provides for the
protection of the system resources against unauthorized access. An access control
mechanism uses the authenticated identities of principals and the information about these
principals to determine and enforce access rights. It goes hand in hand with
authentication. In establishing a link between a bank’s internal network and the Internet,
we may create a number of additional access points into the internal operational system.
In this situation, unauthorized access attempts might be initiated from anywhere.
Unauthorized access causes destruction, alterations, theft of data or funds, compromising
data confidentiality, denial of service etc. Access control may be of discretionary and
mandatory types.

Data Confidentiality: The concept of providing for protection of data from unauthorized
disclosure is called data confidentiality. Due to the open nature of Internet, unless
otherwise protected, all data transfer can be monitored or read by others. Although it is
difficult to monitor a transmission at random, because of numerous paths available,
special programs such as "Sniffers", set up at an opportune location like a Web server, can
collect vital information. This may include credit card numbers, deposits, loans or
passwords etc. Confidentiality extends beyond data transfer and includes any connected
data storage system including network storage systems. Password and other access
control methods help in ensuring data confidentiality.

Data Integrity: It ensures that information cannot be modified in an unexpected way. Loss of
data integrity could result from human error, intentional tampering, or even catastrophic
events. Failure to protect the correctness of data may render data useless, or worse,
dangerous. Efforts must be made to ensure the accuracy and soundness of data at all
times. Access control, encryption and digital signatures are the methods to ensure data
integrity.

Non-Repudiation: Non-Repudiation involves creating proof of the origin or delivery of
data to protect the sender against false denial by the recipient that data has been received
or to protect the recipient against false denial by the sender that the data has been sent. To
ensure that a transaction is enforceable, steps must be taken to prohibit parties from
disputing the validity of, or refusing to acknowledge, legitimate communication or
transaction.

Security Audit Trail: A security audit refers to an independent review and examination of
system's records and activities, in order to test for adequacy of system controls. It ensures
compliance with established policy and operational procedures, to detect breaches in
security, and to recommend any indicated changes in the control, policy and procedures.
Audit Trail refers to data generated by the system, which facilitates a security audit at a
future date.

Internet Banking - Technology

Security and Privacy Issues - Attacks and Compromises

When a bank’s system is connected to the Internet, an attack could originate at any time
from anywhere. Some acceptable level of security must be established before business on
the Internet can be reliably conducted. An attack could take any form, such as:

• The intruder may gain unauthorized access and nothing more.
• The intruder gains access and destroys, corrupts or otherwise alters data.
• The intruder gains access and seizes control partly or wholly, perhaps denying
access to privileged users.
• The intruder does not gain access, but instead forges messages from your system.
• The intruder does not gain access, but instead implements malicious procedures
that cause the network to fail, reboot, or hang.

Modern security techniques have made cracking very difficult but not impossible.
Furthermore, if the system is not configured properly or the updated patches are not
installed, hackers may crack the system using a security hole. A wide range of information
regarding security holes and their fixes is freely available on the Internet. System
administrators should keep themselves updated with this information.

Common cracking attacks include:

• E-mail bomb and List linking
• Denial-of-Service
• Sniffer attack
• Utilizing security hole in the system software

E-mail Bomb: This is a harassment tool. A traditional e-mail bomb is simply a series of
messages (perhaps thousands) sent to your mailbox. The attacker’s object is to fill the
mailbox with junk.

Denial-of-Service (DoS) attacks: DoS attacks can temporarily incapacitate the entire
network (or at least those hosts that rely on TCP/IP). DoS attacks strike at the heart of IP
implementations. Hence they can crop up on any platform; a single DoS attack may well
work on several target operating systems. Many DoS attacks are well known and well
documented. Available fixes must be applied.

Sniffer Attack: Sniffers are devices that capture network packets. They are a combination
of hardware and software. Sniffers work by placing the network interface into
promiscuous mode. Under normal circumstances, all machines on the network can "hear"
the traffic passing through, but will only respond to data addressed specifically to them.
Nevertheless, if the machine is in promiscuous mode then it can capture all packets and
frames on the network. Sniffers can capture passwords and other confidential
information. Sniffers are extremely difficult to detect because they are passive programs.
An encrypted session provides a good solution for this. If an attacker sniffs encrypted data, it
will be useless to him. However, not all applications have integrated encryption support.

Holes: A hole is any defect in hardware, software or policy that allows attackers to gain
unauthorized access to your system. The network tools that can have holes are Routers,
Client and Server software, Operating Systems and Firewalls.

Internet Banking - Security (Contd)

Authentication Techniques

As mentioned earlier, authentication is a process to verify the claimed identity. There are
various techniques available for authentication. Password is the most extensively used
method. Most of the financial institutions use passwords along with PIN (Personal
Identification Number) for authentication. Technologies such as tokens, smart cards and
biometrics can be used to strengthen the security structure by requiring the user to
possess something physical.

Token technology relies on a separate physical device, which is retained by an individual,
to verify the user’s identity. The token resembles a small hand-held card or calculator and
is used to generate passwords. The device is usually synchronized with security software
in the host computer such as an internal clock or an identical time based mathematical
algorithm. Tokens are well suited for one-time password generation and access control. A
separate PIN is typically required to activate the token.
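
The time-synchronized token described above, as an added example that is not part of the report: token and host derive the same one-time password from a shared secret and the current time. It assumes the HMAC-based construction standardized as TOTP (RFC 6238), a 30-second time step and 6 digits, none of which the report specifies; `HostVerifier` is an illustrative name.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed time step; token and host must agree on it
DIGITS = 6         # assumed length of the displayed password


def one_time_password(secret: bytes, unix_time: int) -> str:
    """Password the token displays for the time step that contains unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as defined in RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class HostVerifier:
    """Host side: same secret, own clock, limited drift tolerance, no reuse."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps   # accepted clock skew, in time steps
        self.last_used_counter = -1      # highest time step already consumed

    def verify(self, submitted: str, host_time: int) -> bool:
        current = host_time // STEP_SECONDS
        first = current - self.drift_steps
        last = current + self.drift_steps
        for counter in range(first, last + 1):
            if counter <= self.last_used_counter:
                continue  # a password that was already accepted cannot be replayed
            expected = one_time_password(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    shared_secret = b"12345678901234567890"  # test secret from RFC 6238, not a real key
    host = HostVerifier(shared_secret)
    shown_on_token = one_time_password(shared_secret, 1111111109)
    print("token shows:", shown_on_token)
    print("accepted 2 s later:", host.verify(shown_on_token, 1111111111))
    print("replay accepted:", host.verify(shown_on_token, 1111111111))
```

A password captured by a sniffer is useless once it has been accepted or its time step has passed, which is why the report calls tokens well suited to one-time password generation.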

Smart cards resemble credit cards or other traditional magnetic stripe cards, but contain
an embedded computer chip. The chip includes a processor, operating system, and both
Read Only Memory (ROM) and Random Access Memory (RAM). They can be used to
generate one-time passwords when prompted by a host computer, or to carry
cryptographic keys. A smart card reader is required for their use.

Biometrics involves identification and verification of an individual based on some
physical characteristic, such as fingerprint analysis, hand geometry, or retina scanning.
This technology is advancing rapidly, and offers an alternative means to authenticate a
user.

Firewalls

The connection between internal networks and the outside world must be watched and
monitored carefully by a gatekeeper of sorts. Firewalls do this job. Otherwise, there is a
risk of exposing the internal network and systems, often leaving them vulnerable and
compromising the integrity and privacy of data. Firewalls are a component or set of
components that restrict access between a protected network and the outside world (i.e.,
the Internet). They control traffic between outside and inside a network, providing a
single entry point where access control and auditing can be imposed. All firewalls
examine the pieces or packets of data flowing into and out of a network and determine
whether a particular person should be given access inside the network. As a result,
unauthorized computers outside the firewall are prevented from directly accessing the
computers inside the internal network. Broadly, there are three types of firewalls, i.e.
packet filtering firewalls, proxy servers and stateful inspection firewalls.

Packet Filtering Routers

Packet filtering routers are the simplest form of firewalls. They are connected between
the host computer of an internal network and the Internet gateway as shown in Fig. 6.2.
The bastion host directs messages accepted by the router to the appropriate application
servers in the protected network. Their function is to route data of a network and to allow
only certain types of data into the network by checking the type of data and its source and
destination address. If the router determines that the data is sourced from an Internet
address which is not on its acceptable or trusted sources list, the connection would be
simply refused. The advantage of this type of firewall is that it is simple and cheaper to
implement and also fast and transparent to the users. The disadvantage is that if the
security of the router were compromised, computers on the internal network would be
open to external network for attacks. Also, the filtering rules can be difficult to configure,
and a poorly configured firewall could result in security loopholes by unintentionally
allowing access to an internal network.
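
How a packet filter reaches its decision, and how rule order alone can open the kind of loophole mentioned above, as an added example that is not part of the report. It assumes first-match evaluation with a default of deny; the rule set is constructed and uses documentation address ranges, and `conflicting_shadows` is an illustrative audit helper.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network, CIDR notation
    dst: str              # destination network, CIDR notation
    port: Optional[int]   # destination port, None means any port


def decide(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; a packet that matches no rule is denied."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and (rule.port is None or rule.port == port)):
            return rule.action
    return "deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by inner is also matched by outer."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and (outer.port is None or outer.port == inner.port))


def conflicting_shadows(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Audit: (later, earlier) index pairs where the later rule can never take
    effect because an earlier rule with the opposite action covers it."""
    findings = []
    for later_index, later in enumerate(rules):
        for earlier_index in range(later_index):
            earlier = rules[earlier_index]
            if earlier.action != later.action and covers(earlier, later):
                findings.append((later_index, earlier_index))
                break
    return findings


# Constructed policy: the branch network 198.51.100.0/24 is a trusted source,
# except its kiosk subnet 198.51.100.128/25, which must not reach the database
# server 10.0.0.20 on port 1521. Anyone may reach the web server on port 443.
MISORDERED = [
    Rule("allow", "198.51.100.0/24", "10.0.0.0/24", None),
    Rule("deny", "198.51.100.128/25", "10.0.0.20/32", 1521),
    Rule("allow", "0.0.0.0/0", "10.0.0.10/32", 443),
]
# Same three rules with the specific deny placed before the broad allow.
CORRECTED = [MISORDERED[1], MISORDERED[0], MISORDERED[2]]

if __name__ == "__main__":
    kiosk_to_db = ("198.51.100.200", "10.0.0.20", 1521)
    print("misordered:", decide(MISORDERED, *kiosk_to_db), conflicting_shadows(MISORDERED))
    print("corrected: ", decide(CORRECTED, *kiosk_to_db), conflicting_shadows(CORRECTED))
```

Running the audit over a rule set before it is loaded catches a deny rule that an earlier, broader allow has made ineffective.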

Proxy servers

Proxy servers control incoming and outgoing traffic for a network by executing specific
proxy program for each requested connection. If any computer outside the internal
network wants to access some application running on a computer inside the internal
network, then it would actually communicate with the proxy server, and proxy server in
turn will pass the request to the internal computer and get the response which will be
given to the recipient (outside user). That is, there is no direct connection between the
internal network and Internet. This approach allows a high level of control and in-depth
monitoring using logging and auditing tools. However, since it doubles the amount of
processing, this approach may lead to some degradation in performance. Fig. 3 shows a
typical firewall organization consisting of ‘militarized zone’ that separates the protected
network from the Internet.

Stateful Inspection firewall

This type of firewall thoroughly inspects all packets of information at the network level
as in the case of proxy servers. Specifications of each packet of data, such as the user and
the transportation method, the application used are all queried and verified in the
inspection process. The information collected is maintained so that all future
transmissions are inspected and compared to past transmission. If both the "state" of the
transmission and the "context" in which it is used deviate from normal patterns, the
connection would be refused. Firewalls of this type are very powerful, but performance
would also decline due to the intensive inspection and verification performed.

Cryptography

The process of disguising a message in such a way as to hide its substance is called
encryption. An encrypted message is called cipher text. The process of turning a cipher
text back into plain text is called decryption. Cryptography is the art and science of
keeping messages secure. It uses a ‘key’ for encrypting or decrypting a message. Both the
method of encryption and the size of key are important to ensure confidentiality of a
message. There are two types of encryption: Symmetric key and Asymmetric key
encryption. In the symmetric key cryptography scheme, the same key is used to encrypt
and decrypt the message. Common symmetric algorithms include One-time pad
encryption, Data Encryption Standard (DES), Triple DES, LOKI, Twofish, Blowfish,
International Data Encryption Algorithm (IDEA). DES and Triple DES are the commonly
used techniques. Asymmetric key cryptography scheme is also known as Public key
crypto-system. Here two keys are used. One key is kept secret and therefore it is referred
as "private key". The other key is made widely available to anyone who wants it, and is
referred as "Public key". The Public key and Private key are mathematically related so
that information encrypted using the public key can only be decrypted by the
corresponding private key and vice-versa. Importantly, it is nearly impossible to find out
the private key from the public key. Common and more popular public key cryptosystem
algorithms are Diffie-Hellman, RSA, Elliptic Curve etc. In all these, the confidentiality is
directly related to the key size. The larger the key size, the longer it takes to break the
encrypted message.

Diffie-Hellman: This is the first public key algorithm invented. It gets its security from the
difficulty of calculating discrete logarithms in a finite field. Diffie-Hellman method can
be used for distribution of keys to be used for symmetric encryption.

RSA: Named after its three inventors, Ron Rivest, Adi Shamir and Leonard Adleman, who
first introduced the algorithm in 1978, RSA gets its security from the difficulty of
factoring large numbers. The public and private keys are functions of a pair of large (100
or 200 digits or even larger) prime numbers. The pair is used for asymmetric encryption.

Internet Banking - Security (Contd)

Authentication Techniques (Contd) - Digital Signature and Certification


Digital signatures authenticate the identity of a sender, through the private, cryptographic
key. In addition, every digital signature is different because it is derived from the content
of the message itself. The combination of identity authentication and singularly unique
signatures results in a transmission that cannot be repudiated.

A digital signature can be applied to any data transmission, including e-mail. To generate
a digital signature, the original, unencrypted message is processed through mathematical
algorithms that generate a ‘message digest’ (a unique character representation of data).
This process is known as "hashing". The message digest is then encrypted with the
private key and sent along with the message (could be encrypted also). The recipient
receives both the message and encrypted message digest. The recipient decrypts the
message digest using the sender’s public key, and then runs the message through the hash
function again. If the resulting message digest matches the one sent with the message, the
message has not been altered and data integrity is verified. Because the message digest
was encrypted using the private key, the sender can be identified and bound to the
specific message.
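
The hash-then-sign flow described above, as an added example that is not part of the report: the sender transforms the message digest with the private key, and the recipient recovers it with the public key and compares it with a fresh hash. It uses unpadded RSA over SHA-256 with keys built from fixed, publicly known primes, purely to show the flow; the key values, names and sample message are constructed, and a production system would use a vetted library with a padded signature scheme.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent, held only by the signer


def demo_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Build a demonstration key from two fixed primes (constructed values, not secret)."""
    return KeyPair(n=p * q, e=e, d=pow(e, -1, (p - 1) * (q - 1)))


def message_digest(message: bytes) -> int:
    """The 'message digest' step: SHA-256 of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, key: KeyPair) -> int:
    """Sender: hash the message, then transform the digest with the private key."""
    return pow(message_digest(message), key.d, key.n)


def verify(message: bytes, signature: int, n: int, e: int) -> bool:
    """Recipient: recover the digest with the sender's public key (n, e) and
    compare it with a digest computed over the message as received."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == message_digest(message)


# Demonstration keys from well-known Mersenne primes; these give no security.
CUSTOMER = demo_keypair(2**521 - 1, 2**607 - 1)
OTHER_PARTY = demo_keypair(2**607 - 1, 2**1279 - 1)


def demo() -> dict:
    order = b"Transfer Rs. 5000 from A/c 1001 to A/c 2002"  # constructed message
    signature = sign(order, CUSTOMER)
    public = (CUSTOMER.n, CUSTOMER.e)
    return {
        # Unaltered message and genuine signature: integrity and origin confirmed.
        "genuine": verify(order, signature, *public),
        # Message changed in transit: the digests no longer match.
        "altered_amount": verify(order.replace(b"5000", b"50000"), signature, *public),
        # Signed with a different private key: not bound to the customer.
        "signed_by_other_key": verify(order, sign(order, OTHER_PARTY), *public),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```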

Certification Authorities and Digital Certificate

Certificate Authorities and Digital Certificates are emerging to further address the issues
of authentication, non-repudiation, data privacy and cryptographic key management. A
Certificate Authority (CA) is a trusted third party that verifies the identity of a party to a
transaction. To do this, the CA vouches for the identity of a party by attaching the CA’s
digital signature to any messages, public keys, etc., which are transmitted. The CA must
be trusted by the parties involved, and identities must have been proven to the CA
beforehand. Digital certificates are messages that are signed with the CA’s private key.
They identify the CA, the represented party, and even include the represented party’s
public key.

Secure Socket Layer (SSL)

SSL is designed to make use of TCP to provide a reliable end-to-end secure service. The
SSL servers have digital certificates issued by Certifying Authorities so that the clients
can authenticate the service provider (a bank in our case). The servers use a password
/PIN/digital certificate to authenticate clients. Once the clients and server have
authenticated each other, they establish a session key for encryption of messages. The
diagram above shows flow of messages in SSL.

Public Key Infrastructure (PKI)

Public key cryptography can play an important role in providing needed security services
including confidentiality, authentication, digital signatures and integrity. Public key
cryptography uses two electronic keys: a public key and a private key. The public key can
be known by anyone while the private key is kept secret by its owner. As long as there is
strong binding between the owner and the owner’s public key, the identity of the
originator of a message can be traced to the owner of the private key. A Public Key
Infrastructure (PKI) provides the means to bind public keys to their owners and helps in
the distribution of reliable public keys in large heterogeneous networks. Public keys are
bound to their owners by public key certificates. These certificates contain information
such as the owner’s name and the associated public key and are issued by a reliable
Certification Authority (CA).

PKI consists of the following components

• Key Certificate - An electronic record that binds a public key to the identity of the
owner of a public-private key pair and is signed by a trusted entity
• Certification Authority (CA) - A trusted entity that issues and revokes public key
certificates
• Registration Authority (RA) - An entity that is trusted by the CA to register or
vouch for the identity of users to the CA.
• Certificate Repository - An electronic site that holds certificates and CRLs. CAs
post certificates and CRLs to repositories
• Certificate Revocation List (CRL) - A list of certificates that have been revoked.
The list is usually signed by the same entity that issued the certificates.
Certificates can be revoked for several reasons. For example, a certificate can be
revoked if the owner’s private key has been lost or if the owner’s name changes.
• Certificate User - An entity that uses certificates to know, with certainty, the
public key of another entity.

The widespread use of PKI technology to support digital signatures can help increase
confidence of electronic transactions. For example, the use of a digital signature allows a
seller to prove that goods or services were requested by a buyer and therefore demand
payment. The use of a PKI allows parties without prior knowledge of each other to
engage in verifiable transactions.

Certificate: Although there have been several proposed formats for public key
certificates, most certificates available today are based on an international standard (ITU-
T X.509 version 3). This standard defines a certificate structure that includes several
optional extensions. The use of X.509v3 certificates is important because it provides
interoperability between PKI components. Also, the standard’s defined extensions offer
flexibility to support specific business needs.

PKI Architecture

A PKI is often composed of many CAs linked by trust paths. The CAs may be linked in
several ways. They may be arranged hierarchically under a "root CA" that issues
certificates to subordinate CAs. The CAs can also be arranged independently in a
network. Recipients of a signed message with no relationship with the CA that issued the
certificate for the sender of the message can still validate the sender’s certificate by
finding a path between their CA and the one that issued the sender’s certificate. The
National Institute of Standards and Technology (NIST) has developed a hybrid
architecture specification based on both a hierarchical and a network architecture model
in the document, Public Key Infrastructure (PKI) Technical Specifications (Version 2.3):
Part C - Concept of Operations.

Tools

Tools are extremely useful in monitoring and controlling networks, systems and users.
Some of the system administration and network management tools are Scanners, Sniffers,
Logging and Audit tools.

Scanners: Scanners query the TCP/IP port and record the target’s response, and can reveal
information such as the services that are currently running, the users owning those services,
whether anonymous logins are supported, and whether certain network services require
authentication. Scanners are important because they reveal weaknesses in the network.
There are many security vulnerabilities on any given platform. Scanners can do an
excellent security audit and then the system can be suitably upgraded. Scanners are programs
that automatically detect security weaknesses in remote or local hosts. System
administrators may use them to find out weaknesses in their system and take preventive
measures. Scanners can be used to gather preliminary data for an audit. Scanners offer a
quick overview of TCP/IP security.

Sniffer: Sniffers are devices that capture network packets. They analyze network traffic
and identify potential areas of concern. For example, suppose one segment of the network
is performing poorly. Packet delivery seems incredibly slow or machines inexplicably
lock up on a network boot. Sniffers can determine the precise cause. Sniffers are always a
combination of hardware and software components. Proprietary sniffers are generally
expensive (vendors often package them on special computers that are "optimized" for
sniffing).

Intrusion Detection Tools: An intrusion attempt or a threat is defined to be the potential
possibility of a deliberate unauthorized attempt to access or manipulate information or
render a system unreliable or unusable. Different approaches are used to detect these
intrusion attempts. Some Intrusion Detection Systems (IDS) are based on audit logs
provided by the operating system, i.e. they detect attacks by watching for suspicious
patterns of activity on a single computer system. This type of IDS, called host-based IDS,
is good at discerning attacks that are initiated by local users and involve misuse of the
capabilities of one system. A host-based IDS can interpret only high-level logging
information and cannot detect low-level network events such as Denial of Service
attacks. The network-based approach can be effectively used to detect these low-level
Denial of Service attacks. Distributed intrusion detection systems (DIDS) take data from
various hosts, network components and network monitors and try to detect intrusions
from the collected data.

Network-based Intrusion Detection Systems (NIDS) are based on interpretation of raw
network traffic. They attempt to detect attacks by watching for patterns of suspicious
activity in this traffic. NIDS are good at discerning attacks that involve low-level
manipulation of the network, and can easily correlate attacks against multiple machines
on a network. An Intrusion Detection System detects attacks in real time and informs the
system administrator so that appropriate action can be taken. As a result, exposure to the
intrusion and the possible damage caused to the data or systems can be countered.
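The host-based approach described above, watching operating system audit logs for suspicious patterns, can be illustrated with a small detector. This is an added example, not part of the original text; it assumes OpenSSH password-authentication messages in the system auth log, and the log lines, host name, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH password-authentication messages as written to the system auth log.
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def detect(lines, threshold=3, window=timedelta(minutes=5), year=2025):
    """Return alerts as (rule, user, source, ISO timestamp) tuples.

    repeated_failures      : `threshold` failed logins for one account from
                             one source inside `window`
    success_after_failures : a successful login that follows such a burst
    Syslog timestamps carry no year, so the caller supplies one.
    """
    failures = defaultdict(deque)      # (user, src) -> recent failure times
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                   # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["user"], m["src"])
        recent = failures[key]
        while recent and ts - recent[0] > window:
            recent.popleft()           # forget failures outside the window
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) == threshold:        # alert once per burst
                alerts.append(("repeated_failures", *key, ts.isoformat()))
        else:
            if len(recent) >= threshold:
                alerts.append(("success_after_failures", *key, ts.isoformat()))
            recent.clear()             # a good login resets the counter
    return alerts


# Constructed sample log, not taken from a real system.
SAMPLE_LOG = [
    "Mar 04 09:00:01 core1 sshd[1201]: Failed password for alice from 203.0.113.7 port 40001 ssh2",
    "Mar 04 09:00:09 core1 sshd[1201]: Failed password for alice from 203.0.113.7 port 40001 ssh2",
    "Mar 04 09:00:15 core1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 04 09:00:21 core1 sshd[1201]: Failed password for alice from 203.0.113.7 port 40001 ssh2",
    "Mar 04 09:01:02 core1 sshd[1207]: Accepted password for alice from 203.0.113.7 port 40022 ssh2",
    "Mar 04 09:05:40 core1 sshd[1250]: Failed password for bob from 198.51.100.20 port 51000 ssh2",
    "Mar 04 09:05:52 core1 sshd[1251]: Accepted password for bob from 198.51.100.20 port 51002 ssh2",
    "Mar 04 10:00:00 core1 sshd[1400]: Failed password for invalid user carol from 192.0.2.44 port 60000 ssh2",
    "Mar 04 10:10:00 core1 sshd[1401]: Failed password for invalid user carol from 192.0.2.44 port 60001 ssh2",
    "Mar 04 10:20:00 core1 sshd[1402]: Failed password for invalid user carol from 192.0.2.44 port 60002 ssh2",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only the burst against one account followed by a successful login is reported; the single mistyped password and the failures spread over twenty minutes stay below the threshold.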

Physical Security

Physical security is a vital part of any security plan and is fundamental to all security
efforts--without it, information security, software security, user access security, and
network security are considerably more difficult, if not impossible, to initiate. Physical
security is achieved predominantly by controlled and restricted physical access to the
systems resources. Access control broadly provides the ability to grant selective access to
certain people at certain times and deny access to all others at all times. Physical security
involves the protection of building sites and equipment (and all information and software
contained therein) from theft, vandalism, natural disaster, manmade catastrophes and
accidental damage (e.g., from electrical surges, extreme temperatures and spilled coffee).
It requires solid building construction, suitable emergency preparedness, reliable power
supplies, adequate climate control, and appropriate protection from intruders. Thus, in
broad terms, the focus is on restricting access to the computer area, controlling access to
all vulnerable and sensitive areas of the department, and monitoring of all staff and
visitors.

Physical Access can be secured through the following means: Bolting Door locks and
Combination Locks, Electronic Door Locks, Biometric Door Locks, Manual Logging,
Electronic Logging, Photo Identification Badges, Video Cameras stationed at strategic
points, Controlled Visitor Access. A bank should also have in place environmental
controls to manage exposures from fire, natural disasters, power failure, air-conditioning
failure, water damage, bomb threat / attack etc. A few means of obtaining control over
environmental exposure are:

The server room and any other unattended equipment room should have a water detector.
Fire extinguishers should be placed at all strategic points, supplementing fire suppression
systems with smoke detectors, use of fire resistant materials in office materials including
furniture, redundant power supply from two substations, electrical wiring placed in fire
resistant panels and conduits and documented and tested evacuation plans.

It is important to educate all ‘stake-holders’ (users, employees, etc) about the importance
of physical security. This education should be carried out as part of ‘social engineering’.

Security Policy

The information security policy is the systemization of approaches and policies related to
the formulation of information security measures to be employed within the organization
to assure security of information and information systems owned by it. The security
policy should address the following items:
i. Basic approach to information security measures.
ii. The information and information systems that must be protected, and the reasons
for such protection
iii. Priorities of information and information systems that must be protected.
iv. Involvement and responsibility of management and establishment of an
information security coordination division.
v. Checks by legal department and compliance with laws / regulations
vi. The use of outside consultants.
vii. Identification of information security risks and their management.
viii. Impact of security policies on quality of service to the customers (for example,
disabling an account after three unsuccessful logins may result in denial of service
when it is done by somebody else mischievously or when restoration takes unduly
long time).
ix. Decision making process of carrying out information security measures.
x. Procedures for revising information security measures.
xi. Responsibilities of each officer and employee and the rules (disciplinary action
etc) to be applied in each case.
xii. Auditing of the compliance to the security policy.
xiii. User awareness and training regarding information security
xiv. Business continuity Plans
xv. Procedures for periodic review of the policy and security measures

The top management of the bank must express a commitment to security by manifestly
approving and supporting formal security awareness and training. This may require
special management level training. Security awareness will teach people not to disclose
sensitive information such as password file names. Security guidelines, policies and
procedures affect the entire organization and as such, should have the support and
suggestions of end users, executive management, security administration, IS personnel
and legal counsel.

Project on Internet Banking - Report of RBI Working Group


Internet Banking - Recommendations of the Working Group

1. Security Organization: Organizations should make an explicit security plan and
document it. There should be a separate Security Officer / Group dealing
exclusively with information systems security. The Information Technology
Division will actually implement the computer systems while the Computer
Security Officer will deal with its security. The Information Systems Auditor will
audit the information systems.
2. Access Control: Logical access controls should be implemented on data, systems,
application software, utilities, telecommunication lines, libraries, system software,
etc. Logical access control techniques may include user-ids, passwords, smart
cards or other biometric technologies.
3. Firewalls: At the minimum, banks should use the proxy server type of firewall so
that there is no direct connection between the Internet and the bank’s system. It
facilitates a high level of control and in-depth monitoring using logging and
auditing tools. For sensitive systems, a stateful inspection firewall is
recommended which thoroughly inspects all packets of information, and past and
present transactions are compared. These generally include a real-time security
alert.
4. Isolation of Dial Up Services: All the systems supporting dial up services through
modem on the same LAN as the application server should be isolated to prevent
intrusions into the network as this may bypass the proxy server.
5. Security Infrastructure: At present, PKI is the most favored technology for secure
Internet banking services. However, it is not yet commonly available. While PKI
infrastructure is strongly recommended, during the transition period, until IDRBT
or Government puts in the PKI infrastructure, the following options are
recommended.
o Usage of SSL, which ensures server authentication and the use of client
side certificates issued by the banks themselves using a Certificate Server.
o The use of at least 128-bit SSL for securing browser to web server
communications and, in addition, encryption of sensitive data like
passwords in transit within the enterprise itself.
6. Isolation of Application Servers: It is also recommended that all unnecessary
services on the application server such as ftp, telnet should be disabled. The
application server should be isolated from the e-mail server.
7. Security Log (Audit Trail): All computer accesses, including messages received,
should be logged. All computer access and security violations (suspected or
attempted) should be reported and follow-up action taken as per the organization’s
escalation policy.
8. Penetration Testing: The information security officer and the information system
auditor should undertake periodic penetration tests of the system, which should
include:
o Attempting to guess passwords using password-cracking tools
o Search for back door traps in the program
o Attempt to overload the system using DDoS (Distributed Denial of
Service) & DoS (Denial of Service) attacks.
o Check if commonly known holes in the software, especially the browser
and the e-mail software exist.
o The penetration testing may also be carried out by engaging outside
experts (often called ‘Ethical Hackers’).
9. Physical Access Control: Though generally overlooked, physical access controls
should be strictly enforced. The physical security should cover all the information
systems and sites where they are housed both against internal and external threats.
10. Back up & Recovery: The bank should have a proper infrastructure and schedules
for backing up data. The backed-up data should be periodically tested to ensure
recovery without loss of transactions in a time frame as given out in the bank’s
security policy. Business continuity should be ensured by having disaster recovery
sites where backed-up data is stored. These facilities should also be tested
periodically.
11. Monitoring against threats: The banks should acquire tools for monitoring
systems and the networks against intrusions and attacks. These tools should be
used regularly to avoid security breaches.
12. Education & Review: The banks should review their security infrastructure and
security policies regularly and optimize them in the light of their own experiences
and changing technologies. They should educate on a continuous basis their
security personnel and also the end-users.
13. Log of Messages: The banking applications run by the bank should have proper
record keeping facilities for legal purposes. It may be necessary to keep all
received and sent messages both in encrypted and decrypted form. (When stored
in encrypted form, it should be possible to decrypt the information for legal
purpose by obtaining keys with owners’ consent.)
14. The banks should use only those security solutions/products which are properly
certified for security and for record keeping by independent agencies (such as
IDRBT).
15. Maintenance of Infrastructure: Security infrastructure should be properly tested
before using the systems and applications for normal operations. The bank should
upgrade the systems by installing patches released by developers to remove bugs
and loopholes, and upgrade to newer versions which give better security and
control.
16. All banks having operations in India and intending to offer Internet banking
services to public must obtain an approval for the same from RBI. The application
for approval should clearly cover the systems and products that the bank plans to
use as well as the security plans and infrastructure. RBI may call for various
documents pertaining to security, reliability, availability, auditability,
recoverability, and other important aspects of the services. RBI may provide
model documents for Security Policy, Security Architecture, and Operations
Manual.
17. Standing Committee: RBI may set up a standing Committee to monitor security
policy issues and technologies, to review prescribed standards, and to make fresh
recommendations on a regular basis.



Legal Issues involved in Internet Banking

The legal framework for banking in India is provided by a set of enactments, viz., the
Banking Regulation Act, 1949, the Reserve Bank of India Act, 1934, and the Foreign
Exchange Management Act, 1999. Broadly, no entity can function as a bank in India
without obtaining a license from Reserve Bank of India under the Banking Regulation Act,
1949. Different types of activities which a bank may undertake and other prudential
requirements are provided under this Act. Accepting of deposit from public by a non-
bank attracts regulatory provisions under Reserve Bank of India Act 1934. Under the
Foreign Exchange Management Act 1999, no Indian resident can lend, open a foreign
currency account or borrow from a non resident, including non-resident banks, except
under certain circumstances provided in law. Besides these, banking activity is also
influenced by various enactments governing trade and commerce, such as, Indian
Contract Act, 1872, the Negotiable Instruments Act, 1881, Indian Evidence Act, 1872,
etc.

As discussed earlier, Internet banking is an extension of the traditional banking, which
uses Internet both as a medium for receiving instructions from the customers and also
delivering banking services. Hence, conceptually, various provisions of law, which are
applicable to traditional banking activities, are also applicable to Internet banking.
However, use of electronic medium in general and Internet in particular in banking
transactions, has put to question the legality of certain types of transactions in the context
of existing statute. The validity of an electronic message / document, authentication,
validity of contract entered into electronically, non-repudiation etc. are important legal
questions having a bearing on electronic commerce and Internet banking. It has also
raised the issue of ability of banks to comply with legal requirements / practices like
secrecy of customers account, privacy, consumer protection etc. given the vulnerability of
data / information passing through Internet. There is also the question of adequacy of law
to deal with situations which are technology driven like denial of service / data corruption
because of technological failure, infrastructure failure, hacking, etc. Cross border
transactions carried through Internet pose the issue of jurisdiction and conflict of laws of
different nations.

This dichotomy between integration of trade and finance over the globe through e-
commerce and divergence of national laws is perceived as a major obstacle for e-
commerce / i-banking and has set in motion the process of harmonization and
standardization of laws relating to money, banking and financial services. A major
initiative in this direction is the United Nations Commission on International Trade Law
(UNCITRAL)’s Model law, which was adopted by the General Assembly of United
Nations and has been recommended to the member nations for consideration while
revising / adopting their laws of electronic trade.

Government of India has enacted The Information Technology Act, 2000, in order to
provide legal recognition for transactions carried out by means of electronic data
interchange and other means of electronic communication, commonly referred to as
‘electronic commerce’… The Act, which has also drawn upon the Model Law, came into
force with effect from October 17, 2000. The Act has also amended certain provisions of
the Indian Penal Code, the Indian Evidence Act, 1872, The Bankers Book of Evidence
Act, 1891 and Reserve Bank of India Act 1934 in order to facilitate e-commerce in India.
However, this Act will not apply to:-

• A negotiable instrument as defined in section 13 of the Negotiable Instruments
Act, 1881;
• A power-of-attorney as defined in section 1A of the Power-of-Attorney Act, 1882;
• A trust as defined in section 3 of the Indian Trusts Act, 1882;
• A will as defined in clause (h) of section 2 of the Indian Succession Act, 192
• Any contract for the sale or conveyance of immovable property or any interest in
such property;
• Any such class of documents or transactions as may be notified by the Central
Government in the official Gazette.

In the course of providing Internet banking services the banks in India are facing new
challenges relating to online opening of accounts, authentication, secrecy of customers
accounts, non-repudiation, liability standards and consumer protection, etc., each of
which has been examined in the context of existing legal framework.

Online opening of account: The banks providing Internet banking service, at present are
only willing to accept the request for opening of accounts. The accounts are opened only
after proper physical introduction and verification. This is primarily for the purpose of
proper identification of the customer and also to avoid benami accounts as also money
laundering activities that might be undertaken by the customer. Supervisors world over,
expect the Internet banks also to follow the practice of ‘know your customer’.

As per Section 131 of the Negotiable Instruments Act, 1881 (the Act) a banker who has in
good faith and without negligence received payment for a customer of a cheque crossed
generally or specially to himself shall not, in case the title to the cheque proves defective,
incur any liability to the true owner of the cheque by reason only of having received such
payment. The banker’s action in good faith and without negligence has been discussed
in various case laws and one of the relevant passages from the judgment of Justice
Chagla in the case of Bapulal Premchand Vs Nath Bank Ltd. (AIR 1946 Bom.482) is as
follows:

"Primarily, inquiry as to negligence must be directed in order to find out whether there is
negligence in collecting the cheque and not in opening the account, but if there is any
antecedent or present circumstance which aroused the suspicion of the banker then it
would be his duty before he collects the cheque to make the necessary enquiry and
undoubtedly one of the antecedent circumstances would be the opening of the account. In
certain cases failure to make enquiries as to the integrity of the proposed customer would
constitute negligence".

Further the Supreme Court of India in Indian Overseas Bank Ltd. Vs. Industrial Chain
Concern [JT1989(4)SC 334] has stated that as a general rule, before accepting a
customer, the bank must take reasonable care to satisfy himself that the person in
question is in good reputation and if he fails to do so, he will run the risk of forfeiting the
protection given by Section 131 of Negotiable Instruments Act, 1881 but reasonable care
depends upon the facts and circumstances of the case. Similarly, the Delhi High Court
was also of the view that the modern banking practice requires that a constituent should
either be known to the bank or should be properly introduced. The underlying object of
the bank insisting on producing reliable references is only to find out if possible whether
the new constituent is a genuine party or an imposter or a fraudulent rogue [Union of
India Vs National Overseas Grindlays Bank Ltd. (1978) 48 Com.Cases 277 (Del)].

Thus, the introduction of a new customer by a third party reference is a well-recognized
practice followed by the banks before opening new accounts in order to prove the
reasonable care and absence of any negligence in permitting the new customer to open
the account. Further, in order to establish the reasonable care the banks have to make
enquiries about the integrity/reputation of the prospective customer. It is not a mere
enquiry about the identity of the person. The Group, therefore, endorses the practice
presently followed by the banks in seeking proper introduction before allowing the
operations of the customers’ accounts. In the context of Internet banking and after the
coming into force of the Information Technology Act, 2000, it may be possible for the
banks to rely on the electronic signatures of the introducer. But this may have to wait until
the certification machinery as specified in the Information Technology Act, 2000 comes
into operation.

Authentication: One of the major challenges faced by banks involved in Internet banking
is the issue relating to authentication and the concerns arising in solving problems unique
to electronic authentication such as issues of data integrity, non-repudiation, evidentiary
standards, privacy, confidentiality issues and the consumer protection. The present legal
regime does not set out the parameters as to the extent to which a person can be bound in
respect of an electronic instruction purported to have been issued by him. Generally,
authentication is achieved by what is known as security procedure. Methods and devices
like the personal identification numbers (PIN), code numbers, telephone-PIN numbers,
relationship numbers, passwords, account numbers and encryption are evolved to
establish authenticity of an instruction. From a legal perspective, the security procedure
requires to be recognized by law as a substitute for signature. Different countries have
addressed these issues through specific laws dealing with digital signatures. In India, the
Information Technology Act, 2000 (the "Act") in Section 3 (2) provides that any
subscriber may authenticate an electronic record by affixing his digital signature.
However the Act only recognizes one particular technology as a means of authenticating
the electronic records (viz, the asymmetric crypto system and hash function which
envelop and transform the initial electronic record into another electronic record). This
might lead to the doubt of whether the law would recognize the existing methods used by
the banks as a valid method of authenticating the transactions. In this regard as noted in
paragraph [3.2.2] of Chapter [3] of this Report, the approach in the other countries has
been to keep the legislation technology neutral. The Group is of the view that the law
should be technology neutral so that it can keep pace with the technological
developments without requiring frequent amendments to the law as there exists a lot of
uncertainty about future technological and market developments in Internet banking. This
however would not imply that the security risks associated with Internet banking should
go unregulated.

Hence, Section 3 (2) of the Information Technology Act 2000 may need to be amended to
provide that the authentication of an electronic record may be effected either by the use of
the asymmetric crypto system and hash function, or a system as may be mutually
determined by the parties or by such other system as may be prescribed or approved by
the Central Government. If the agreed procedure is followed by the parties concerned it
should be deemed as being an authenticated transaction. A clarification to this effect by
way of an amendment of the aforesaid Act will facilitate the Internet banking transactions.
Further, the banks may be allowed to apply for a license to issue digital signature
certificate under Section 21 of the Information Technology Act, 2000 and become a
certifying authority for facilitating Internet banking. The certifying authority acts like a
trusted notary for authenticating the person, transaction and information transmitted
electronically. Using a digital certificate from trusted certificate authority like a bank
shall provide a level of comfort to the parties of an Internet banking transaction. Hence, it
is recommended by the Committee that the Reserve Bank of India may recommend to the
Central Government to notify the business of the certifying authority under Clause (o) of
Section 6(1) of the Banking Regulation Act, 1949, to permit the banks to act as such
trusted third parties in e-commerce transactions.

Mode of Payment under the Income Tax Act, 1961: Section 40A(3) of the Income tax
Act, 1961, dealing with deductible expenses, provides that in cases where the amount
exceeds Rs. 20,000/-, the benefit of the said section will be available only if the payment
is made by a crossed cheque or a crossed bank draft. One of the services provided by the
banks offering Internet banking service is the online transfer of funds between accounts
where cheques are not used, in which the above benefit will not be available to the
customers.

The primary intention behind the enactment of Section 40 A of the Income tax Act, 1961
is to check tax evasion by requiring payment to designated accounts. In the case of a
funds transfer, the transfer of funds takes place only between identified accounts, which
serves the same purpose as a crossed cheque or a crossed bank draft. Hence, the
Committee recommends that Section 40A of the Income Tax Act, 1961, may be amended
to recognise even electronic funds transfer.



Legal Issues involved in Internet Banking (Contd)

Secrecy of Customer's Account: The existing regime imposes a legal obligation on the
bankers to maintain secrecy and confidentiality about the customer’s account. The law at
present requires the banker to take scrupulous care not to disclose the state of his
customer's account except on reasonable and proper occasions.

While availing the Internet banking services the customers are allotted proper User ID,
passwords and/or personal identification numbers and/or the other agreed authentication
procedure to access the Internet banking service and only users with such access
methodology and in accordance with the agreed procedure are authorized to access the
Internet banking services. In other words a third party would not be able to withdraw
money from an account or access the account of the customer unless the customer had
divulged his/her password in the first place.

However, if the password or the identification number is misplaced or lost or gets into the
hands of the wrong person and such person procures details about the customer's account
then the banker may be faced with legal proceedings on the grounds of violation of the
obligation to maintain secrecy of the customer's accounts. This concern of the bankers is
very high especially in the case of joint accounts where both the parties share one
personal identification number or relationship number and operate the account jointly.
Further, by the very nature of Internet the account of a customer availing Internet banking
services would be exposed to the risk of being accessed by hackers and inadvertent
finders.

The Internet banking services at present are being provided by most of the banks by
systems which are only accessible through "secure zones" or SSL (Secure Sockets Layer)
to secure and authenticate the user through a secure browser. Most of the banks have
adopted 128-bit strong encryption which is widely accepted worldwide as a standard for
securing financial transactions. To reduce the risk of the customers’ account information
being accessed by third parties, it is very important that the banks continue to be obliged
to protect the customer account. However, it is equally important to note that the banks
may still be exposed to the risk of liability to customers and hence they should adopt all
reasonable safety controls and detection measures like establishment of firewalls, net
security devices, etc. Further, banks should put in place adequate risk control measures in
order to minimize possible risk arising out of breach of secrecy due to loss/
misplacement/ theft of customers’ ID/PIN, etc.
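The Working Group's recommendation of at least 128-bit encryption together with client-side certificates can be checked against a server's configuration. The sketch below is an added example, not code from the report or from any bank; it uses Python's standard `ssl` module, assumes TLS 1.2 as the minimum protocol version (TLS being the successor to the SSL versions the report refers to), and the cipher entries passed to `weak_ciphers` in a test would be constructed.

```python
import ssl

MIN_BITS = 128   # the report's floor for browser-to-server encryption


def weak_ciphers(cipher_list, min_bits=MIN_BITS):
    """Names of suites below `min_bits` or without server authentication.

    `cipher_list` has the shape returned by SSLContext.get_ciphers();
    OpenSSL labels anonymous (unauthenticated) suites "auth-null".
    """
    return [c["name"] for c in cipher_list
            if c["strength_bits"] < min_bits or c.get("auth") == "auth-null"]


def audit_context(ctx):
    """Return a list of findings for a server-side SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 allowed")
    for name in weak_ciphers(ctx.get_ciphers()):
        findings.append(f"weak cipher suite enabled: {name}")
    return findings


def hardened_server_context():
    """Server context that demands a client certificate and strong suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # assumption, see lead-in
    ctx.verify_mode = ssl.CERT_REQUIRED            # client-side certificates
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20") # 128-bit or stronger AEAD
    # A deployment would also call ctx.load_cert_chain() with the server's
    # certificate and ctx.load_verify_locations() with the CA certificate
    # used to issue client certificates; both are omitted here because the
    # example carries no key material.
    return ctx


if __name__ == "__main__":
    default_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("default :", audit_context(default_ctx))
    print("hardened:", audit_context(hardened_server_context()))
```

A server context left at its defaults does not ask for a client certificate, so the audit reports it; the hardened context passes all three checks.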

Revocation and Amendment of Instructions: The general revocation and amendment
instructions to the banks are intended to correct errors, including the sending of an
instruction more than once. Occasionally, a revocation or amendment may be intended to
stop a fraud. Under the existing law, banks are responsible for making and stopping
payment in good faith and without negligence. In an Internet banking scenario there is
very limited or no stop-payment privileges since it becomes impossible for the banks to
stop payment in spite of receipt of a stop payment instruction as the transactions are
completed instantaneously and are incapable of being reversed. Hence the banks offering
Internet banking services may clearly notify the customers the time frame and the
circumstances in which any stop payment instructions could be accepted.

Rights and Liabilities of the Parties: Typically, the banker-customer relationship is
embodied in a contract entered into by them. The banks providing the Internet banking
services currently enter into agreements with their customers stipulating their respective
rights and responsibilities including the disclosure requirements in the case of Internet
banking transactions, contractually. A Standard format/minimum consent requirement to
be adopted by the banks offering Internet banking facility, could be designed by the
Indian Banks’ Association capturing, inter alia, access requirements, duties and
responsibilities of the banks as well as customers and any limitations on the liabilities of
the banks in case of negligence and non-adherence to the terms of agreement by
customers.

Internet Banking and Money Laundering

One of the major concerns associated with Internet Banking has been that the Internet
banking transactions may become untraceable and are incredibly mobile and may easily
be anonymous and may not leave a traditional audit trail by allowing instantaneous
transfer of funds. It is pertinent to note that money-laundering transactions are cash
transactions leaving no paper trail. Such an apprehension will be more in the case of use
of electronic money or e-cash. In the case of Internet Banking the transactions are
initiated and concluded between designated accounts. Further Section 11 of the proposed
Prevention of Money Laundering Bill, 1999 imposes an obligation on every Banking
Company, Financial Institution and intermediary to maintain a record of all the
transactions or series of transactions taking place within a month, the nature and value of
which may be prescribed by the Central Government. These records are to be maintained
for a period of five years from the date of cessation of the transaction between the client
and the banking company or the financial institution or the intermediary. This would
apply to banks offering physical or Internet banking services. This will adequately guard
against any misuse of the Internet banking services for the purpose of money laundering.
Further the requirement of the banking companies to preserve specified ledgers, registers
and other records for a period of 5 to 8 years, as per the Banking Companies (Period of
Preservation of Records) Rules, 1985 promulgated by the Central Government also
adequately takes care of this concern.

Maintenance of Records: Section 4 of the Bankers’ Books Evidence Act, 1891, provides
that a certified copy of any entry in a banker’s book shall in all legal proceedings be
received as a prima facie evidence of the existence of such an entry. The Banking
Companies (Period of Preservation of Records) Rules, 1985 promulgated by the Central
Government requires banking companies to maintain ledgers, records, books and other
documents for a period of 5 to 8 years. A fear has been expressed as to whether the above
details of the transactions if maintained in an electronic form will also serve the above
purpose. The Group is of the considered opinion that this has been adequately taken
care of by Section 7 and Third Schedule of the Information Technology Act, 2000.

Inter-Bank Electronic Funds Transfer: The Electronic Funds Transfer via the Internet, in
its present form is provided only between accounts with the same bank. The transaction is
effected by the originator who gives the electronic payment order to one branch of a bank
offering the Internet banking facility ("the Sending Branch"). The electronic instruction is
processed by the backend software of the branch to confirm the account number and the
person’s identification and instruction is issued by the Sending Branch to the branch
having the account of the beneficiary ("Beneficiary Branch") to credit the account of the
beneficiary. The Sending Branch debits the account of the originator at its end. At present
there is no clearing mechanism in place for settlement of inter-bank electronic funds
transfer. The entire gamut of electronic funds transfer and the legal issues and risks
involved in the same are currently being examined by a committee set up by the Reserve
Bank of India. The 4th Schedule to the Information Technology Act, 2000 has amended
the Reserve Bank of India Act, 1934 empowering the Reserve Bank of India to regulate
electronic funds transfer between banks and banks and other financial institutions.

Miscellaneous: During the course of deliberations, the Group discussed certain issues
where the legal position is not clear but have a bearing on Internet banking. Certain issues
have also not been addressed by the Information Technology Act, 2000. Such issues are
briefly discussed below. The Consumer Protection Act 1986 defines the rights of
consumers in India and is applicable to banking services as well. The issues of privacy,
secrecy of consumers’ accounts and the rights and liabilities of customers and banks, etc.
in the context of Internet banking have been discussed in earlier paragraphs. In cases
where bilateral agreements defining customers’ rights and liabilities are more adverse to
consumers than what they enjoy in the traditional banking scenario, it is
debatable whether such agreements are legally tenable. For example, it is debatable
whether a bank can claim immunity if money is transferred unauthorizedly by a hacker
from a customer’s account, on the pretext that it had taken all reasonable and agreed
network security measures. In a traditional banking scenario, a bank normally has no
protection against payment of a forged cheque. If the same logic is extended, the bank
providing I-banking may not absolve itself from liability to the customers on account of
unauthorized transfer through hacking. A similar position may obtain in case of denial of
service. Even though the Information Technology Act, 2000 has provided for penalty for
denial of access to a computer system (Section 43) and hacking (Section 66), the liability
of banks in such situations is not clear. The Group was of the view that the banks
providing Internet banking may assess the risk and insure themselves against such risks.

There was no specific enactment in India which protects privacy of customers. Bankers’
secrecy obligation mostly followed from different case laws. In UK, the Data Protection
Act 1984 specifically prohibits personal data from being disclosed for purposes other
than for which the data is held. This prohibits use of customer data relating to their
spending habits, preferences etc., for any commercial purpose. The Office of the
Comptroller of Currency has also issued directions to US banks enforcing customers’
privacy. The Information Technology Act, 2000, in Section 72 has provided for penalty
for breach of privacy and confidentiality. Further, Section 79 of the Act has also provided
for exclusion of liability of a network service provider for data travelling through their
network subject to certain conditions. Thus, the liability of banks for breach of privacy
when data is travelling through network is not clear. This aspect needs detailed legal
examination. The issue of ownership of transactional data stored in banks’ computer
systems also needs further examination.

The applicability of various existing laws and banking practices to e-banking is not tested
and is still in the process of evolving, both in India and abroad. With rapid changes in
technology and innovation in the field of e-banking, there is a need for constant review of
different laws relating to banking and commerce. The Group, therefore, recommends that
the Reserve Bank of India may constitute a multi-disciplinary high level standing
committee to review the legal and technological requirements of e-banking on a continual
basis and recommend appropriate measures as and when necessary.

Project on Internet Banking - Report of RBI Working Group


Regulatory and Supervisory Concerns

Banking on the Internet provides benefits to the consumer in terms of
convenience, and to the provider in terms of cost reduction and greater reach.
The Internet itself however is not a secure medium, and thus poses a number of
risks of concern to regulators and supervisors of banks and financial
institutions. World over, regulators and supervisors are still evolving their
approach towards the regulation and supervision of Internet banking.
Regulations and guidelines issued by some countries include the following.

• Requirement to notify about web site content;
• Prior authorization based on risk assessment made by external auditors;
• Off-site policing the perimeters to look for infringement;
• Prohibition on hyper links to non bank business sites;
• Specification of the architecture.

In some countries supervisors have followed a ‘hands-off’ approach to
regulation of such activities, while others have adopted a wait and watch
attitude. This chapter suggests approaches to supervision of Internet banking
activities, drawing upon the best international practices in this area as relevant
to the Indian context.

In this and the next article the Working Group discusses this issue.

Major supervisory concerns

These concerns can be clubbed into the following:

• Operational risk issues
• Cross border issues
• Customer protection and confidentiality issues
• Competitiveness and profitability issues

Operational Risk Issues

The open architecture of the Internet exposes the banks’ systems to decide access through
the easy availability of technology. The dependence of banks on third party providers
places knowledge of banks’ systems in a public domain and leaves the banks dependent
upon relatively small firms which have high turnover of personnel. Further, there is
absence of conventional audit trails as also relative anonymity of transactions due to
remote access. It is imperative that security and integrity of the transactions are protected
so that the potentiality for loss arising out of criminal activities, such as fraud, money
laundering, tax evasion etc. and a disruption in delivery systems either by accident or by
design, are mitigated. The supervisory responses to manage operational risk matters
include issue of appropriate guidance on the risk (including outsourcing risk) control and
record maintenance, issue of minimum standards of technology and security appropriate
to the conduct of transactional business, extension of ‘know your customer’ rules for
transactions on the Internet, and insistence on appropriate and visible disclosure to inform
customers of the risks that they face on doing business on the Internet.

Cross Border Issues

The Internet knows no frontiers, and banks can source deposits from jurisdictions where
they are not licensed or supervised or have access to payment systems. Customers can
potentially park their funds in jurisdictions where their national authorities have no
access to records. The issues of jurisdiction, territoriality and recourse become even more
blurred in the case of virtual banks. Cross border issues would also come into play where
banks choose to locate their processing centres, records or back up centres in different
jurisdictions. While country-specific approaches are being adopted at the national level,
the ‘Group on e-banking’ set up by the Basle Committee on Banking Supervision
(BCBS) is engaged in bringing about harmonization in approaches at an international
level.

Customer Protection and Confidentiality Issues

The loss of customer confidentiality may pose a reputation risk to banks and the banking
system as a whole. Transacting business on the Internet exposes data being sent across
the Internet to interception by unauthorized agents, who may then use the data without
the approval of the customers. There have also been incidents where glitches have
developed in web sites permitting customers to access each other’s accounts. To address
these risks, customers need to be educated through adequate disclosures of such risks.

Competitiveness and Profitability Issues

While Internet banking is expected to substantially reduce the cost of doing transactions
in the long run, the limited business being done on the Internet has yet to pay for the
infrastructure in which banks have invested. This includes the tie up with technology
companies in setting up payment gateways, portals and Internet solutions and the alliance
with other businesses for cross-selling products. The coming years may however see a
scenario where the margins of conventional banks come under pressure because of
competition from Internet banking, including virtual banks, which need no infrastructure
expenses. These issues have to be kept in mind by supervisors while deciding their
approach to e-banking.

Broad Regulatory Frameworks

It would be necessary to extend the existing regulatory framework over banks to Internet
banking also. Such an approach would need to take into account the provisions of both
the Banking Regulation Act 1949 and the Foreign Exchange Management Act, 1999.

Only such banks which are licensed and supervised in India and have a physical presence
here should be permitted to offer Internet banking products to residents of India.
These products should be restricted to account holders only and should not be offered in
other jurisdictions.

The services should only offer local currency products and that too by entities who are
part of the local currency payment systems.

The ‘in-out’ scenario where customers in cross border jurisdictions are offered banking
services by Indian banks (or branches of foreign banks in India) and the ‘out-in’ scenario
where Indian residents are offered banking services by banks operating in cross-border
jurisdictions are generally not permitted and this approach should be carried over to
Internet banking also.

The existing exceptions for limited purposes under FEMA i.e. where resident Indians
have been permitted to continue to maintain their accounts with overseas banks etc.,
would however be permitted transactions.

Overseas branches of Indian banks would be permitted to offer Internet banking services
to their overseas customers subject to their satisfying, in addition to the host supervisor,
the home supervisor in keeping with the supervisory approach outlined in the next
section.

This extension of approach would apply to virtual banks as well. Thus, both banks and
virtual banks incorporated outside the country and having no physical presence here
would not, for the present, be permitted to offer Internet services to Indian depositors.

Recommendations

With the above approach in mind, the Group recommends that the regulatory and
supervisory concerns relating to Internet banking can be met in the manner outlined in the
following paragraphs.

1. All banks which propose to offer transactional services on the Internet should
obtain an in-principle approval from RBI prior to commencing these services. The
application should be accompanied by a note put up to the Board of the bank
along with Board resolution passed. The Board note should cover the reasons for
the bank choosing to enter into such business, the potential penetration it seeks to
achieve, a cost-benefit analysis, a listing of products it seeks to offer, the
technology and business partners for the products, and all third party support
services and service providers with their track record and agreements with them,
and the systems and the skills and capabilities it has in this regard and most
materially the systems, controls and procedures it has put or intends to put in
place to identify and manage the risks arising out of the proposed ventures. The
bank should also enclose a security policy framed in this regard which should
cover all the recommendations made in the earlier articles covering Technology and
Security Standards for Internet Banking and produce a certification from a
reputed external auditor who is CISA or otherwise appropriately qualified that the
security measures taken by the bank are adequate and meet the requirements and
that risk management systems are in place to identify and mitigate the risks
arising out of the entire gamut of Internet banking operations.
2. The RBI could require the bank together with the auditor to hold discussions with
the RBI in this regard before granting such approval. After this initial approval is
given, the bank would be obliged to inform the RBI of any material changes in
web-site content and launch of new products.
3. The assurance about security controls and procedures, which is sought from the
specialist external auditors, should be periodically obtained, with the periodicity
depending on the risk assessment of the supervisor. Further, banks would also be
required to report every breach or failure of the security systems and procedures
to RBI, who may decide to subject the failure to an on-site examination or even
commission an auditor to do so.
4. The RBI as supervisor would cover the entire risks associated with electronic
banking as part of its annual inspections. For this purpose, a checklist could be
developed along the lines of those covering general computerized banking
featured in the manual developed for inspection of computerized branches. Till
such time as the RBI builds up sufficient capability to do this in-house, it is
recommended that this function be outsourced to qualified EDP auditors.
5. The focus of the supervisory approach would mainly be the transactional Internet
banking services offered by existing banks as an alternative channel. To some
extent the concerns in this regard are the same as those arising out of electronic
banking in general. The RBI has issued guidelines in the recent past on the "Risks
and Controls in Computers and Telecommunications" which would be applicable
equally to Internet banking. Another supervisory focus would be on Record
Maintenance and their availability for inspection and audit. Again, RBI has issued
guidelines for these "Preservation and Record Maintenance" which need to be
updated to include the risks heightened by banking on the net. Broadly, the record
preservation and maintenance policy must encompass record keeping, record
retention, record media and record location. The key features of this enhancement
would be as follows:
o The cornerstone of this policy should be security. Access to all bank-
related electronic data should be restricted to authorized individuals.
o All transactional, financial and managerial data pertaining to the previous
financial year must be archived before 1 July of the subsequent financial
year.
o A senior officer / executive of the Bank possessing appropriate
qualifications, education and/or background should be designated in-
charge of the archived data. A possible designation could be Archived
Data Security Officer.
o All access to archived data should be with the authentic (written or by e-
mail) approval of this Archived Data Security Officer (ADSO).
o The role and responsibilities of the ADSO should be clearly delineated and
well publicized within the bank.
o Data so archived should be on such a platform and using such a
technology that future alteration / modification / deletion of the data is not
possible, once the data is archived.
o If the technology and/or platform used for data storage involves
compression and/or dis-aggregation of data, banks should have in place
adequate software/hardware which will ensure easy restoration of the data
as and when required by the bank’s own departments and also by RBI as
well as other statutory authorities.
o All transactional, financial and managerial data should be available on-
line. If, for reasons of paucity of on-line storage, such data (of the current
financial year) has been backed-up and removed from on-line storage, it
must be available in a format and at a location which ensures that the data
can be restored on-line within a maximum of 24 hours from the date and
time at which the demand for such data is made by users from within the
bank or from RBI or other statutory authorities.
o Similarly, transactional, financial and managerial data of the previous
financial year should be made available within a maximum of 48 hours of
the date and time at which such request is made by the bank’s own users
or by the RBI and other statutory authorities.
6. A vulnerability which is accentuated in Internet banking is the reliance upon third
party providers and support services and this requires banks to effectively manage
the risks of all outsourced activities. In turn the supervisors should have the ability
to assess the risks arising out of such liaisons. Direct supervision of the third party
by the supervisor is not envisaged. Accordingly, as part of the Internet policy,
banks should develop outsourcing guidelines, which mitigate the risks of
disruption and defective service. Alternatively, the IBA (Indian Banks’
Association) or IDRBT (Institute for Development and Research in Banking
Technology) could be asked to develop broad guidelines for the use of the
banking community.
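
The record-preservation features listed under recommendation 5 above (access to archived data only on ADSO approval, no alteration once archived, restoration within 24 or 48 hours) can be exercised in code. The sketch below is an added example, not part of the Working Group report; the class and function names are hypothetical, and the hash chain it uses is a detection control that makes alteration or truncation evident, which is this example's stand-in for the unalterable storage platform the report asks for.

```python
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64


class Archive:
    """Append-only store; each entry's digest covers the entry before it."""

    def __init__(self, adso):
        self.adso = adso            # the designated Archived Data Security Officer
        self._entries = []          # dicts with keys: body, prev, digest
        self._approved = set()      # (requester, entry index) pairs cleared by the ADSO
        self.access_log = []        # who read what, kept for inspection and audit

    @staticmethod
    def _digest(prev, body):
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        body = json.dumps(record, sort_keys=True)
        prev = self._entries[-1]["digest"] if self._entries else GENESIS
        self._entries.append(
            {"body": body, "prev": prev, "digest": self._digest(prev, body)}
        )
        return len(self._entries) - 1

    def head(self):
        """Digest of the newest entry; lodge it outside the archive to detect truncation."""
        return self._entries[-1]["digest"] if self._entries else GENESIS

    def first_broken(self, expected_head=None):
        """Index of the first entry that fails verification, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            if entry["prev"] != prev or entry["digest"] != self._digest(prev, entry["body"]):
                return i
            prev = entry["digest"]
        if expected_head is not None and prev != expected_head:
            return len(self._entries)   # entries were removed from, or added to, the end
        return None

    def approve(self, approver, requester, index):
        if approver != self.adso:
            raise PermissionError("only the ADSO may approve access to archived data")
        self._approved.add((requester, index))

    def read(self, requester, index):
        if (requester, index) not in self._approved:
            raise PermissionError("no ADSO approval on file for this request")
        if self.first_broken() is not None:
            raise ValueError("archive failed integrity verification")
        self.access_log.append((requester, index))
        return json.loads(self._entries[index]["body"])


def restore_deadline(requested_at, previous_financial_year):
    """Latest time by which backed-up data must be on-line again: 24 hours for the
    current financial year's data, 48 hours for the previous financial year's."""
    return requested_at + timedelta(hours=48 if previous_financial_year else 24)
```

Keeping the value returned by `head()` with a party outside the archive (the auditor, for instance) is what lets `first_broken` notice entries removed from the end.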


Regulatory and Supervisory Concerns - Payment Gateway:

An externally shared service which will develop as the pivot of Internet banking
would be the payment gateway. With the increasing popularity of "e-Commerce", i.e.,
buying and selling over the Internet, electronic payment and settlement for such
purchases is a natural and expected requirement. Banks, which are a vital segment of
the payment system in the country, will therefore be required to equip themselves to meet
this emerging challenge. In its basic form, the ‘Inter-Bank Payment Gateway’ for
payments and settlements of e-Commerce transactions is not very different from the
traditional cheque clearing system, which is perhaps the most widely prevalent form of
Inter-Bank settlement of funds, or the net settlement system of the international card
agencies like Visa, MasterCard and American Express, for credit card payments.

With the emergence of the Internet and the ability to buy and sell over the Internet, it has
become imperative to deploy a similar Inter-Bank Payment Gateway to facilitate
authorization for payments and settlement between participating institutions for
commercial transactions carried out over the Internet. No one particular model for setting
up an Inter-Bank Payment Gateway for such payments has been established as yet and we
are, therefore, in a situation where the regulatory and supervisory framework itself needs
to be evolved.

Given the above considerations, the following framework for setting up Inter-Bank
Payment Gateways for Internet payments in India is suggested:

• Only institutions that are members of the cheque clearing system in the country
may be permitted to participate in the Inter-Bank Payment Gateway initiatives for
Internet payments.
• Both ‘net-settlement’ and ‘gross-settlement’ capabilities might be necessary, net
settlement being the settlement mode for transactions below a certain pre-specified
threshold value and gross settlement for transactions higher than the pre-specified
value.
• The Inter-Bank Payment Gateway should have one nominated bank as the
clearing bank to settle all transactions.
• The approval for setting up the Inter-Bank Payment Gateway should be granted
only by the Reserve Bank of India, in their capacity as the Regulator of banks and
Payment Systems in the country. The norms to become eligible to set up the Inter-
Bank Payment Gateway should be specified by the Reserve Bank of India, on the
basis of which institutions may seek formal approval to set up the Inter-Bank
Payment Gateway.
• It is expected that there will not be more than two or three Inter Bank Payment
Gateways in the Country and all banks who wish to participate in the payment and
settlement for e-Commerce transactions originated over the Internet could become
a member of one or more of these Inter-Bank Payment Gateways.
• All payments routed through the Inter-Bank Gateways should only cover direct
debits and direct credits to the accounts maintained with the participating Banks
by the parties involved in the e-Commerce transaction. Payments effected using
credit cards should not be routed through the Inter-Bank Payment Gateway. These
should be authorized by the payer bank (i.e., acquiring bank) directly through its
credit card authorization capability.
• It should be obligatory on the part of the Inter-Bank Payments Gateway to
establish, at any time, the complete trace of any payment transactions routed
through it. The trace should cover date and time stamp when the transaction was
originated and authorized, the payee details (account number and name of the
payee bank), the payer’s details (account number and name of the payer bank), as
well as a unique Transactional Reference Number (TRN) provided by both the
Payee Bank and Payer Bank for each transaction.
• Connectivity between the Inter-Bank Payment Gateway and the computer system
of the member Banks should be achieved using a leased line network (not over the
Internet), with appropriate data encryption standards.
• All settlements over the Inter-Bank Payment Gateway should be intra-day, as far
as possible in real time.
• Until the exchange control aspects with regard to cross-border issues of e-
Commerce transactions are fully discussed and documented, payment and
settlement of such transactions should not be permitted over the Inter-Bank
Payment Gateway.
• Only Inter Bank Payments and Settlements (i.e. transactions involving more than
one Bank) should be routed through the Inter-Bank Payment Gateway. Intra-bank
payments (i.e., transactions involving only one Bank) should be handled by the
bank’s own internal system.
• The responsibility for the credit risk associated with every payment transaction
routed over the Inter Bank Payment Gateway will rest with the appropriate Payee
Bank.
• The mandate and the related documentation (that would form the basis for
effecting payments for transactions carried out over the Internet) should be
bilateral in nature i.e., (a) between the Payee and the Payee’s bank (b) the Payer
and Payer’s bank, (c) between the participating banks and the service provider
who is responsible for the operations of the Inter Bank Payment Gateway, and (d)
between the banks themselves who are participating in the Inter Bank Payment
Gateway Initiative. The rights and obligations of each party should be clearly
stated in the mandate and should be valid in a court of law.
• All transactions must be authenticated using a user ID and password. SSL/128 bit
encryption must be used as the minimum level of security. As and when the
regulatory framework is in place, all such transactions should be digitally certified
by one of the licensed Certification Authorities.
• The Service Provider who is responsible for the operations of the Inter-Bank
Payment Gateway must ensure adequate firewalls and related security measures to
ensure privacy to the participating institution, i.e., every institution can access
data pertaining to only itself and its customer transactions.
• Internationally accepted standards such as ISO8583 must be used for transmitting
payment and settlement messages over the Network.
• It may also be appropriate to have a panel of approved Auditors who will be
required to certify the security of the entire infrastructure both at the Inter-Bank
Payment Gateway as well as the participating institution’s end prior to making the
facility available for customer use. A process of perpetual audit must also be
instituted.
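
Several items of the framework above are checkable rules: the complete trace with a TRN from each bank, net or gross settlement by threshold, inter-bank payments only, and each institution seeing only its own transactions. The following is an added example, not part of the Working Group report; the class names, bank identifiers and the threshold value are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal
from typing import Optional

# Constructed value: the report leaves the net/gross threshold to be pre-specified.
THRESHOLD = Decimal("100000")


@dataclass(frozen=True)
class Trace:
    originated_at: Optional[datetime]
    authorized_at: Optional[datetime]
    payee_bank: str
    payee_account: str
    payee_trn: str      # reference number issued by the Payee Bank
    payer_bank: str
    payer_account: str
    payer_trn: str      # reference number issued by the Payer Bank
    amount: Decimal


REQUIRED = ("originated_at", "authorized_at", "payee_bank", "payee_account",
            "payee_trn", "payer_bank", "payer_account", "payer_trn")


def trace_gaps(t):
    """Names of the fields that stop this record from being a complete trace."""
    gaps = [name for name in REQUIRED if not getattr(t, name)]
    if t.originated_at and t.authorized_at and t.authorized_at < t.originated_at:
        gaps.append("authorized_at precedes originated_at")
    return gaps


def settlement_mode(amount):
    # Below the threshold settles net. An amount exactly at the threshold is
    # treated as gross here; that boundary is this example's choice.
    return "net" if amount < THRESHOLD else "gross"


class Gateway:
    def __init__(self, members):
        self.members = set(members)
        self._traces = []
        self._seen_trns = set()     # (issuing bank, TRN) pairs already used

    def route(self, t):
        """Accept a payment only if it can be traced in full; return its settlement mode."""
        gaps = trace_gaps(t)
        if gaps:
            raise ValueError("incomplete trace: " + ", ".join(gaps))
        if t.payer_bank == t.payee_bank:
            raise ValueError("intra-bank payment: handle on the bank's own system")
        if not {t.payer_bank, t.payee_bank} <= self.members:
            raise ValueError("both banks must be gateway members")
        if t.amount <= 0:
            raise ValueError("amount must be positive")
        keys = {(t.payer_bank, t.payer_trn), (t.payee_bank, t.payee_trn)}
        if keys & self._seen_trns:
            raise ValueError("TRN already used by the issuing bank")
        self._seen_trns |= keys
        self._traces.append(t)
        return settlement_mode(t.amount)

    def traces_for(self, institution):
        """An institution sees only the transactions it is a party to."""
        if institution not in self.members:
            raise PermissionError("not a member institution")
        return [t for t in self._traces
                if institution in (t.payer_bank, t.payee_bank)]

    def net_positions(self):
        """Net amount each bank receives (+) or pays (-) on the net-settled items."""
        positions = {m: Decimal("0") for m in self.members}
        for t in self._traces:
            if settlement_mode(t.amount) == "net":
                positions[t.payer_bank] -= t.amount
                positions[t.payee_bank] += t.amount
        return positions
```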

It is not enough for the risk identification and assessment exercise to be between the bank
and the supervisor alone. The customer too needs to be enlightened of the risks inherent
in doing business on the net, and this would be served by having a mandatory disclosure
template which would list the risks to the customer and the responsibilities and possible
liability of the banks and the customer. Banks should also provide their most recent
published financial results on their web-site.

The issue of reputation risk due to customers misunderstanding the hyper-links on the
web-sites of banks also needs to be addressed. Fundamentally there are two scenarios
where hyperlinks are necessary between non-bank business sites and bank-sites:

• Where the Bank is required to inform visitors to its own Web Site about the
Portals with whom they have a payment arrangement or Portals that the bank
would want its customers to visit. These out-bound hyperlinks are unlikely to
have any major security implications to the bank. In order to reflect the stability
of the banking system, banks should not be seen as sponsors of or promoters of
the products of unrelated businesses or of any businesses, which they are not
licensed to run. The hyperlinks should hence be confined to only those portals
with which they have a payment arrangement or the sites of their subsidiaries or
principals.
• The second type of hyperlink is where the Portal sites link to the bank site to pass
information pertaining to a payment by one of their Internet Shoppers. This
usually involves making a URL (Universal Resource Locator) link to the bank site
to request authorization for payment. Such links deliver to the bank site
information regarding the customer (typically his registration no) and the value of
the payment to be authorized. Unless the bank exercises the right level of
authentication and security, this type of URL links can be the source of a number
of security breaches. It is therefore imperative that every bank ensures at least the
following minimum-security precautions in order that the bank's as well as its
customer’s interests are protected:

Upon receiving the URL request from the Portal site, the bank should authenticate the
customer who has originated the transaction by asking him to key in, on the browser
screen, his user ID and password which the bank would have provided him to facilitate
access to his accounts with the bank.

Upon such authentication and due verification, the bank should re-submit the transaction
information on the customer’s browser terminal i.e., the name of the Portal site to whom
the payment is to be effected as well as the value of the transactions and seek the explicit
approval of the customer to authorize the payment.

Depending on the nature of the payment, the payment authorization request should be
routed either to the credit card authorizing system if payment is requested using credit
card, or to the banks’ host system in case of a direct debit or to the Inter-Bank Payment
Gateway in case of debit to customer account in another bank.

Upon receiving the payment authorization, the bank should return the URL request to the
originating Portal, with a unique reference number for the transaction, as a confirmation
to pay as per the settlement cycle agreed with the Portal.

All interactions with the Portal sites as well as the customer’s browser terminal should be
secured using SSL/128 bit encryption as a minimum requirement and should in due
course be also augmented with the digital certification requirement as and when digital
certificate deployment is enabled in the country.
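
The bank-side handling of a Portal's URL request described above (authenticate, re-display and obtain explicit approval, route, return a reference number) is sketched below as an added example; it is not part of the Working Group report. All names are hypothetical. The salted password hashing, the single-use confirmation token and the check that the registration number in the request belongs to the authenticated customer are this example's assumptions about how the stated precautions would be enforced; transport security (SSL) is outside its scope.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Method(Enum):
    CREDIT_CARD = "credit_card"
    DIRECT_DEBIT = "direct_debit"            # debit on this bank's own host system
    OTHER_BANK_DEBIT = "other_bank_debit"    # debit to an account in another bank


# Where each kind of payment goes for authorization, as the text above lays out.
ROUTES = {
    Method.CREDIT_CARD: "credit-card-authorization-system",
    Method.DIRECT_DEBIT: "bank-host-system",
    Method.OTHER_BANK_DEBIT: "inter-bank-payment-gateway",
}


@dataclass(frozen=True)
class PortalRequest:
    """What the Portal's link delivers. None of it proves who is at the browser."""
    portal_name: str
    registration_no: str
    amount: Decimal
    method: Method


class Rejected(Exception):
    pass


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class BankSite:
    def __init__(self, known_portals):
        self.known_portals = set(known_portals)   # portals with a payment arrangement
        self._users = {}      # user_id -> (salt, password hash, registration_no)
        self._pending = {}    # confirmation token -> (user_id, PortalRequest)

    def enrol(self, user_id, password, registration_no):
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, _hash_password(password, salt), registration_no)

    def begin(self, req, user_id, password):
        """Authenticate the customer, then hand back the details to display for approval."""
        if req.portal_name not in self.known_portals:
            raise Rejected("portal has no payment arrangement with the bank")
        if req.amount <= 0:
            raise Rejected("invalid amount")
        record = self._users.get(user_id)
        # Hash even for unknown users so both failure paths do the same work.
        salt, stored, reg_no = record if record else (b"\0" * 16, b"", None)
        supplied = _hash_password(password, salt)
        if record is None or not hmac.compare_digest(supplied, stored):
            raise Rejected("authentication failed")
        if reg_no != req.registration_no:
            raise Rejected("request was raised for a different customer")
        token = secrets.token_urlsafe(16)
        self._pending[token] = (user_id, req)
        return token, {"pay_to": req.portal_name, "amount": str(req.amount)}

    def confirm(self, token, user_id, approved):
        """On explicit approval, route the request and return the reference for the Portal."""
        entry = self._pending.pop(token, None)    # a token can be used once only
        if entry is None or entry[0] != user_id:
            raise Rejected("no such pending transaction")
        req = entry[1]
        if not approved:
            raise Rejected("customer declined")
        # What is authorized is the stored request the customer was shown,
        # not anything re-sent by the browser at confirmation time.
        return {
            "reference": "REF-" + secrets.token_hex(8),
            "route": ROUTES[req.method],
            "portal": req.portal_name,
            "amount": str(req.amount),
        }
```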

It was deliberated whether banks undertaking Internet banking should be subject to any
additional capital charge because of the potentially higher proneness to unexpected
losses. As yet standards have not been developed for measuring additional capital charge
on account of operational risks. However, this will be covered in a way once the banks
move towards risk-based supervision where supervisory intervention will be linked to the
risk profile of individual institutions. In such a scenario, an enhanced supervisory risk
assessment on this account could warrant an additional capital charge, which would also
be consistent with the second pillar approach of the new capital accord.

The Basle Committee for Banking Supervision (BCBS) has constituted an Electronic
Banking Group (EBG) to develop guiding principles for the prudent risk management of
e-banking activities as an extension of the existing Basel Committee Risk Management
Principles. The Group will identify the areas of concern for supervision of cross border e-
banking activities and will promote cooperative international efforts within the banking
industry. It will evolve sound practices and will encourage and facilitate exchange of
information, training material, guidance etc., developed by other members and
supervisors around the world. Therefore, there is a need for continued interaction among
the central banks and supervisors with a view to enhancing the abilities of the supervisory
community to keep pace with the dynamic e-banking activities. This Working Group,
therefore, recommends that the Reserve Bank of India should maintain close contact with
regulating / supervisory authorities of different countries as well as with the Electronic
Banking Group of BCBS and review its regulatory framework in keeping with
developments elsewhere in the world.

[Note: The Electronic Banking Group set up by the Basel Committee for Banking Supervision
has submitted its report giving guiding principles for the prudent risk management of
e-banking activities. View the Executive Summary thereof.]

Risk Management Principles for Electronic Banking


Basel Committee Recommendations - Executive Summary

Continuing technological innovation and competition among existing banking
organisations and new entrants have allowed for a much wider array of banking products
and services to become accessible and delivered to retail and wholesale customers
through an electronic distribution channel collectively referred to as e-banking. However,
the rapid development of e-banking capabilities carries risks as well as benefits.

The Basel Committee on Banking Supervision expects such risks to be recognised,
addressed and managed by banking institutions in a prudent manner according to the
fundamental characteristics and challenges of e-banking services. These characteristics
include the unprecedented speed of change related to technological and customer service
innovation, the ubiquitous and global nature of open electronic networks, the integration
of e-banking applications with legacy computer systems and the increasing dependence
of banks on third parties that provide the necessary information technology. While not
creating inherently new risks, the Committee noted that these characteristics increased
and modified some of the traditional risks associated with banking activities, in particular
strategic, operational, legal and reputational risks, thereby influencing the overall risk
profile of banking.

Based on these conclusions, the Committee considers that while existing risk
management principles remain applicable to e-banking activities, such principles must be
tailored, adapted and, in some cases, expanded to address the specific risk management
challenges created by the characteristics of e-banking activities. To this end, the
Committee believes that it is incumbent upon the Boards of Directors and banks' senior
management to take steps to ensure that their institutions have reviewed and modified
where necessary their existing risk management policies and processes to cover their
current or planned e-banking activities. The Committee also believes that the integration
of e-banking applications with legacy systems implies an integrated risk management
approach for all banking activities of a banking institution.

To facilitate these developments, the Committee has identified fourteen Risk
Management Principles for Electronic Banking to help banking institutions expand their
existing risk oversight policies and processes to cover their e-banking activities.

These Risk Management Principles are not put forth as absolute requirements or even
"best practice." The Committee believes that setting detailed risk management
requirements in the area of e-banking might be counter-productive, if only because these
would be likely to become rapidly outdated because of the speed of change related to
technological and customer service innovation. The Committee has therefore preferred to
express supervisory expectations and guidance in the form of Risk Management
Principles in order to promote safety and soundness for e-banking activities, while
preserving the necessary flexibility in implementation that derives in part from the speed
of change in this area. Further, the Committee recognises that each bank's risk profile is
different and requires a tailored risk mitigation approach appropriate for the scale of the
e-banking operations, the materiality of the risks present, and the willingness and ability
of the institution to manage these risks. This implies that a "one size fits all" approach to
e-banking risk management issues may not be appropriate.

For a similar reason, the Risk Management Principles issued by the Committee do not
attempt to set specific technical solutions or standards relating to e-banking. Technical
solutions are to be addressed by institutions and standard setting bodies as technology
evolves. However, this Report contains appendices that list some examples of current and
widespread risk mitigation practices in the e-banking area that are supportive of the Risk
Management Principles.

Consequently, the Risk Management Principles and sound practices identified in this
Report are expected to be used as tools by national supervisors and implemented with
adaptations to reflect specific national requirements and individual risk profiles where
necessary. In some areas, the Principles have been expressed by the Committee or by
national supervisors in previous bank supervisory guidance. However, some issues, such
as the management of outsourcing relationships, security controls and legal and
reputational risk management, warrant more detailed principles than those expressed to
date due to the unique characteristics and implications of the Internet distribution
channel.

The Risk Management Principles fall into three broad, and often overlapping, categories
of issues that are grouped to provide clarity:

1. Board and Management Oversight;
2. Security Controls; and
3. Legal and Reputational Risk Management.

Board and Management Oversight

Because the Board of Directors and senior management are responsible for developing
the institution's business strategy and establishing an effective management oversight
over risks, they are expected to take an explicit, informed and documented strategic
decision as to whether and how the bank is to provide e-banking services. The initial
decision should include the specific accountabilities, policies and controls to address
risks, including those arising in a cross-border context. Effective management oversight
is expected to encompass the review and approval of the key aspects of the bank's
security control process, such as the development and maintenance of a security control
infrastructure that properly safeguards e-banking systems and data from both internal and
external threats. It also should include a comprehensive process for managing risks
associated with increased complexity of and increasing reliance on outsourcing
relationships and third-party dependencies to perform critical e-banking functions.

Security Controls

While the Board of Directors has the responsibility for ensuring that appropriate security
control processes are in place for e-banking, the substance of these processes needs
special management attention because of the enhanced security challenges posed by e-
banking. This should include establishing appropriate authorisation privileges and
authentication measures, logical and physical access controls, adequate infrastructure
security to maintain appropriate boundaries and restrictions on both internal and external
user activities and data integrity of transactions, records and information. In addition, the
existence of clear audit trails for all e-banking transactions should be ensured and
measures to preserve confidentiality of key e-banking information should be appropriate
with the sensitivity of such information.

Although customer protection and privacy regulations vary from jurisdiction to
jurisdiction, banks generally have a clear responsibility to provide their customers with a
level of comfort regarding information disclosures, protection of customer data and
business availability that approaches the level they can expect when using traditional
banking distribution channels. To minimise legal and reputational risk associated with e-
banking activities conducted both domestically and cross-border, banks should make
adequate disclosure of information on their web sites and take appropriate measures to
ensure adherence to customer privacy requirements applicable in the jurisdictions to
which the bank is providing e-banking services.

Legal and Reputational Risk Management

To protect banks against business, legal and reputation risk, e-banking services must be
delivered on a consistent and timely basis in accordance with high customer expectations
for constant and rapid availability and potentially high transaction demand. The bank
must have the ability to deliver e-banking services to all end-users and be able to
maintain such availability in all circumstances. Effective incident response mechanisms
are also critical to minimise operational, legal and reputational risks arising from
unexpected events, including internal and external attacks, that may affect the provision
of e-banking systems and services. To meet customers' expectations, banks should
therefore have effective capacity, business continuity and contingency planning. Banks
should also develop appropriate incident response plans, including communication
strategies, that ensure business continuity, control reputation risk and limit liability
associated with disruptions in their e-banking services.

Project on Internet Banking - Report of RBI Working Group


Summary of Recommendations

Keeping in view the terms of reference, a number of recommendations have been made
in preceding articles. A summary of these recommendations is given in this and the next
article.

Technology and Security Standard

1. The role of the network and database administrator is pivotal in securing the
information system of any organization. Some of the important functions of the
administrator vis-a-vis system security are to ensure that only the latest versions
of the licensed software with latest patches are installed in the system, proper user
groups with access privileges are created and users are assigned to appropriate
groups as per their business roles, a proper system of back up of data and software
is in place and is strictly adhered to, business continuity plan is in place and
frequently tested and there is a robust system of keeping log of all network
activity and analyzing the same.
2. Organizations should make an explicit security plan and document it. There should
be a separate Security Officer / Group dealing exclusively with information
systems security. The Information Technology Division will actually implement
the computer systems while the Computer Security Officer will deal with its
security. The Information Systems Auditor will audit the information systems.
3. Access Control: Logical access controls should be implemented on data, systems,
application software, utilities, telecommunication lines, libraries, system software,
etc. Logical access control techniques may include user-ids, passwords, smart
cards or other biometric technologies.
4. Firewalls: At the minimum, banks should use the proxy server type of firewall so
that there is no direct connection between the Internet and the bank’s system. It
facilitates a high level of control and in-depth monitoring using logging and
auditing tools. For sensitive systems, a stateful inspection firewall is
recommended which thoroughly inspects all packets of information, and past and
present transactions are compared. These generally include a real-time security
alert.
5. Isolation of Dial Up Services: All the systems supporting dial up services through
modem on the same LAN as the application server should be isolated to prevent
intrusions into the network as this may bypass the proxy server.
6. Security Infrastructure: PKI is the most favoured technology for secure Internet
banking services. However, it is not yet commonly available. While PKI
infrastructure is strongly recommended, during the transition period, until IDRBT
or Government puts in place the PKI infrastructure, the following options are
recommended:
o Usage of SSL, which ensures server authentication and the use of client
side certificates issued by the banks themselves using a Certificate Server.
o The use of at least 128-bit SSL for securing browser to web server
communications and, in addition,
o encryption of sensitive data like passwords in transit within the enterprise
itself.
7. Isolation of Application Servers: It is also recommended that all unnecessary
services on the application server such as ftp, telnet should be disabled. The
application server should be isolated from the e-mail server.
8. Security Log (Audit Trail): All computer accesses, including messages received,
should be logged. All computer access and security violations (suspected or
attempted) should be reported and follow up action taken as per the organization’s
escalation policy.
9. Penetration Testing: The information security officer and the information system
auditor should undertake periodic penetration tests of the system, which should
include:
o Attempting to guess passwords using password-cracking tools
o Search for back door traps in the programs.
o Attempt to overload the system using DDoS (Distributed Denial of
Service) & DoS (Denial of Service) attacks
o Check if commonly known holes in the software, especially the browser
and the e-mail software exist.
o The penetration testing may also be carried out by engaging outside
experts (often called ‘Ethical Hackers’).
10. Physical Access Controls: Though generally overlooked, physical access controls
should be strictly enforced. The physical security should cover all the information
systems and sites where they are housed both against internal and external threats.
11. Back up & Recovery: The bank should have a proper infrastructure and schedules
for backing up data. The backed-up data should be periodically tested to ensure
recovery without loss of transactions in a time frame as given out in the bank’s
security policy. Business continuity should be ensured by having disaster recovery
sites, where backed-up data is stored. These facilities should also be tested
periodically.
12. Monitoring against threats: The banks should acquire tools for monitoring
systems and the networks against intrusions and attacks. These tools should be
used regularly to avoid security breaches.
13. Education & Review: The banks should review their security infrastructure and
security policies regularly and optimize them in the light of their own experiences
and changing technologies. They should educate on a continuous basis their
security personnel and also the end-users.
14. Log of Messages: The banking applications run by the bank should have proper
record keeping facilities for legal purposes. It may be necessary to keep all
received and sent messages both in encrypted and decrypted form. (When stored
in encrypted form, it should be possible to decrypt the information for legal
purpose by obtaining keys with owners’ consent.)
15. Certified Products: The banks should use only those security solutions/products
which are properly certified for security and for record keeping by independent
agencies (such as IDRBT).
16. Maintenance of Infrastructure: Security infrastructure should be properly tested
before using the systems and applications for normal operations. The bank should
upgrade the systems by installing patches released by developers to remove bugs
and loopholes, and upgrade to newer versions which give better security and
control.
17. Approval for I-banking: All banks having operations in India and intending to
offer Internet banking services to the public must obtain an approval for the same
from RBI. The application for approval should clearly cover the systems and
products that the bank plans to use as well as the security plans and infrastructure.
It should include sufficient details for RBI to evaluate security, reliability,
availability, auditability, recoverability, and other important aspects of the
services. RBI may provide model documents for Security Policy, Security
Architecture, and Operations Manual.

Legal Issues

1. The banks providing Internet banking service, at present are only accepting the
request for opening of accounts. The accounts are opened only after proper
physical introduction and verification. Considering the legal position prevalent,
particularly of Section 131 of the Negotiable Instruments Act, 1881 and different
case laws, the Group holds the view that there is an obligation on the banks not
only to establish the identity but also to make enquiries about integrity and
reputation of the prospective customer. The Group, therefore, endorses the present
practice but has suggested that after coming into force of the Information
Technology Act, 2000 and digital certification machinery being in place, it may be
possible for the banks to rely on digital signature of the introducer.
2. The present legal regime does not set out the parameters as to the extent to which
a person can be bound in respect of an electronic instruction purported to have
been issued by him. Generally authentication is achieved by security procedure,
which involves methods and devices like user-id, password, personal
identification number (PIN), code numbers and encryption etc., used to establish
authenticity of an instruction. However, from a legal perspective a security
procedure needs to be recognized by law as a substitute for signature. In India, the
Information Technology Act, 2000, in Section 3(2) provides for a particular
technology (viz., the asymmetric crypto system and hash function) as a means of
authenticating electronic record. This has raised the doubt whether the law would
recognize the existing methods used by banks as valid methods of authentication.
The Group holds the view that as in case of other countries, the law should be
technology neutral.
3. In keeping with the view that law should be technology neutral, the Group has
recommended that Section 3(2) of the Information Technology Act, 2000 needs to
be amended to provide that in addition to the procedure prescribed therein or that
may be prescribed by the Central government, a security procedure mutually
agreed to by the concerned parties should be recognized as a valid method of
authentication of an electronic document / transaction during the transition period.
4. Banks may be allowed to apply for a license to issue digital signature certificate
under Section 21 of the Information Technology Act, 2000 and function as
certifying authority for facilitating Internet banking. Reserve Bank of India may
recommend to Central Government for notifying the business of certifying
authority as an approved activity under clause (o) of Section 6(1) of the Banking
Regulations Act, 1949.
5. Section 40A(3) of the Income Tax Act, 1961 recognizes only payments through a
crossed cheque or crossed bank draft, where such payment exceeds Rs. 20000/-,
for the purpose of deductible expenses. Since the primary intention of the above
provision, which is to prevent tax evasion by ensuring transfer of funds through
identified accounts, is also satisfied in case of electronic transfer of funds between
accounts, such transfers should also be recognized under the above provision. The
Income Tax Act, 1961 should be amended suitably.
6. Under the present regime there is an obligation on banks to maintain secrecy and
confidentiality of customer’s account. In the Internet banking scenario, the risk of
banks not meeting the above obligation is high on account of several factors like
customers not being careful about their passwords, PIN and other personal
identification details and divulging the same to others, banks’ sites being hacked
despite all precautions and information accessed by inadvertent finders. Banks
offering Internet banking are taking all reasonable security measures like SSL
access, 128 bit encryption, firewalls and other net security devices, etc. The
Group is of the view that despite all reasonable precautions, banks will be
exposed to enhanced risk of liability to customers on account of breach of secrecy,
denial of service etc., because of hacking/ other technological failures. The banks
should, therefore, institute adequate risk control measures to manage such risk.
7. In Internet banking scenario there is very little scope for the banks to act on stop-
payment instructions from the customers. Hence, banks should clearly notify to
the customers the timeframe and the circumstances in which any stop-payment
instructions could be accepted.
8. The banks providing Internet banking service and customers availing of the same
are currently entering into agreements defining respective rights and liabilities in
respect of Internet banking transactions. A standard format / minimum consent
requirement to be adopted by banks may be designed by the Indian Banks’
Association, which should capture all essential conditions to be fulfilled by the
banks, the customers and relative rights and liabilities arising therefrom. This will
help in standardizing documentation as also develop standard practice among
bankers offering Internet banking facility.
9. The concern that Internet banking transactions may become a conduit for money
laundering, has been addressed by the Group. Such transactions are initiated and
concluded between designated accounts. Further, the proposed Prevention of
Money Laundering Bill 1999 imposes obligation on every banking company to
maintain records of transactions for certain prescribed period. The Banking
Companies (Period of Preservation of Records) Rules, 1985 also require banks to
preserve certain records for a period ranging between 5 to 8 years. The Group is
of the view that these legal provisions which are applicable to all banking
transactions, whether Internet banking or traditional banking, will adequately take
care of this concern and no specific measures for Internet banking are necessary.
10. The Consumer Protection Act, 1986 defines the rights of consumers in India and
is applicable to banking services as well. Currently, the rights and liabilities of
customers availing of Internet banking services are being determined by bilateral
agreements between the banks and customers. It is open to debate whether any
bilateral agreement defining customers’ rights and liabilities, which are more adverse to
consumers than what is enjoyed by them in the traditional banking scenario, will
be legally tenable. Considering the banking practice and rights enjoyed by
customers in traditional banking, it appears the banks providing I-banking may
not absolve themselves from liability to the customers on account of unauthorized
transfer through hacking. Similar position may obtain in case of denial of service.
Even though the Information Technology Act, 2000 has provided for penalty for
denial of access to a computer system (Section 43) and hacking (Section 66),
the liability of banks in such situations is not clear. The Group was of the view
that the banks providing Internet banking may assess the risk and insure
themselves against such risks.
11. The Information Technology Act, 2000, in Section 72 has provided for penalty for
breach of privacy and confidentiality. Further, Section 79 of the Act has also
provided for exclusion of liability of a network service provider for data traveling
through their network subject to certain conditions. Thus, the liability of banks for
breach of privacy when data is traveling through network is not clear. This aspect
needs detailed legal examination. The issue of ownership of transactional data
stored in banks’ computer systems also needs further examination.

Project on Internet Banking - Report of RBI Working Group

Summary of Recommendations (Contd)

Regulatory and Supervisory Issues

1. All banks, which propose to offer transactional services on the Internet should
obtain approval from RBI prior to commencing these services. Bank’s application
for such permission should indicate its business plan, analysis of cost and benefit,
operational arrangements like technology adopted, business partners and third
party service providers and systems and control procedures the bank proposes to
adopt for managing risks, etc. The bank should also submit a security policy
covering recommendations made in chapter-6 of this report and a certificate from
an independent auditor that the minimum requirements prescribed there have been
met. After the initial approval the banks will be obliged to inform RBI of any
material changes in the services / products offered by them.
2. RBI may require banks to periodically obtain certificates from specialist external
auditors certifying their security control and procedures. The banks will report to
RBI every breach or failure of security systems and procedure and the latter, at its
discretion, may decide to commission special audit / inspection of such banks.
3. To a large extent the supervisory concerns on Internet banking are the same as
those of electronic banking in general. The guidelines issued by RBI on ‘Risks
and Controls in Computers and Telecommunications’ will equally apply to
Internet banking. The RBI as supervisor would cover the entire risks associated
with electronic banking as a part of its regular inspections of banks and develop
the requisite expertise for such inspections. Till such capability is built up, RBI
may outsource this function to qualified EDP auditors.
4. Record maintenance and their availability for inspection and audit is a major
supervisory focus. RBI’s guidelines on ‘Preservation and Record Maintenance’
will need to be updated to include risks heightened by banking on the net. The
enhancements will include access to electronic record only by authorized officials,
regular archiving of data, a sufficiently senior officer to be in charge of archived
data with well defined responsibilities, use of proper software platform and tools
to prevent unauthorized alteration of archived data, availability of data on-line,
etc. If not available on-line, the system should be capable of making available the
data for the same financial year within 24 hours and past data within a period of
maximum 48 hours.
5. Banks should develop outsourcing guidelines to manage effectively, risks arising
out of third party service providers such as risks of disruption in service, defective
services and personnel of service providers gaining intimate knowledge of banks’
systems and misusing the same, etc. Alternatively, IBA or IDRBT may develop
broad guidelines for use of the banking community.
6. With the increasing popularity of e-commerce, i.e, buying and selling over the
Internet, it has become imperative to set up ‘Inter-bank Payment Gateways’ for
settlement of such transactions. The Group have suggested a protocol for
transactions between the customer, the bank and the portal and have
recommended a framework for setting up of payment gateways. In their capacity
as regulator of banks and payment systems of the country, the RBI should
formulate norms for eligibility of an institution to set up a payment gateway and
the eligible institution should seek RBI’s approval for setting up the same.
7. Only institutions who are members of the cheque clearing system in the country
may be permitted to participate in Inter-bank payment gateways for Internet
payment. Each gateway must nominate a bank as the clearing bank to settle all
transactions. Only direct debits and credits to accounts maintained with the
participating banks by parties to an e-commerce transaction may be routed
through a payment gateway. Payments effected using credit cards, payments
arising out of cross border e-commerce transactions and all intra-bank payments
(i.e., transactions involving only one bank) should be excluded for settlement
through an inter-bank payment gateway.
8. Inter-bank payment gateways must have capabilities for both net and gross
settlement. All settlement should be intra-day and as far as possible, in real time.
It must be obligatory for payment gateways to maintain complete trace of any
payment transaction covering such details like date and time of origin of
transaction, payee, payer and a unique transaction reference number (TRN).
9. Connectivity between the gateway and the computer system of the member bank
should be achieved using a leased line network (not through Internet) with
appropriate data encryption standard. All transactions must be authenticated using
user-id and password. Once the regulatory framework is in place, the transactions
should be digitally certified by any licensed certifying agency. SSL / 128 bit
encryption must be used as minimum level of security. Adequate firewalls and
related security measures must be taken to ensure privacy to the participating
institutions in a payment gateway. Internationally accepted standards such as
ISO8583 must be used for transmitting payment and settlement messages over the
network.
10. The RBI may have a panel of auditors who will be required to certify the security
of the entire infrastructure both at the payment gateway end and the participating
institutions end prior to making the facility available for customers’ use.
11. The credit risk associated with each payment transaction will be on the payee
bank. The legal basis for such transactions and settlement will be the bilateral
contracts between the payee and payee’s bank, the participating banks and service
provider and the banks themselves. The rights and obligations of each party must
be clearly stated in the mandate and should be valid in a court of law.
12. It will be necessary to make customers aware of risks inherent in doing business
over the Internet. This requirement will be met by making mandatory disclosures
of risks, responsibilities and liabilities to the customers through a disclosure
template. The banks should also provide their latest published financial results
over the net.
13. Hyperlinks from banks’ websites often raise the issue of reputational risk. Such
links should not mislead the customers into believing that they sponsor any
particular product or any business unrelated to banking. Hence, hyperlinks from a
bank’s website should be confined to only those portals with which they have a
payment arrangement or sites of their subsidiaries or principals. Hyperlinks to
banks’ website from different portals are normally meant to pass information
pertaining to purchases made by banks’ customers in the portal. Banks must follow
the minimum recommended security precautions while dealing with such requests,
which include customer authentication through user-id and password,
independent confirmation of transaction by the customer and authorizing
payment, use of SSL and 128 bit encryption for all communication both with the
portal and customer browser terminal, etc.
14. On the question of additional capital charge on banks, which undertake Internet
banking, the group held the view that standards have not yet been developed for
measuring additional capital charge for operational risk. However, this
requirement could be covered as the RBI moves towards risk based supervision.
15. The applicability of various existing laws and banking practices to e-banking is
not tested and is still in the process of evolving, both in India and abroad. With
rapid changes in technology and innovation in the field of e-banking, there is a
need for constant review of different laws relating to banking and commerce. The
Group, therefore, recommends that the Reserve Bank of India may constitute a
multi-disciplinary high level standing committee to review the legal and
technological requirements of e-banking on a continual basis and recommend
appropriate measures as and when necessary.
16. The regulatory and supervisory framework for e-banking is continuing to evolve
and the regulatory authorities all over the world recognize the need for
cooperative approach in this area. The Basle Committee for Banking Supervision
(BCBS) has constituted an Electronic Banking Group (EBG) to develop guiding
principles for the prudent risk management of e-banking activities. This Working
Group, therefore, recommends that the Reserve Bank of India should maintain
close contact with regulating / supervisory authorities of different countries as
well as with the Electronic Banking Group of BCBS and review its regulatory
framework in keeping with developments elsewhere in the world.
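
Recommendations 4 and 8 above call for archived records that are protected against unauthorised alteration and for a complete trace of every payment (date and time of origin, payee, payer, TRN). The Python example below is added here for illustration and is not part of the Working Group's report: the keyed hash chain (HMAC-SHA256) is one assumed way to make such a trace tamper-evident, and TraceLog, verify, the amount_paise field and all sample values are hypothetical.

```python
import hashlib
import hmac
import json
from datetime import datetime

GENESIS = "0" * 64  # previous-digest value for the first record in the chain

# Trace fields named in recommendation 8; amount_paise is an assumed extra.
FIELDS = ("trn", "originated_at", "payer", "payee", "amount_paise")


def _seal(key, prev_digest, record):
    """HMAC-SHA256 over the previous digest plus the canonical record body."""
    body = json.dumps({k: record[k] for k in FIELDS},
                      sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_digest + body).encode(), hashlib.sha256).hexdigest()


class TraceLog:
    """Append-only payment trace; each record is chained to the one before."""

    def __init__(self, key):
        self._key = key
        self._seen = set()
        self.records = []

    def append(self, trn, originated_at, payer, payee, amount_paise):
        if trn in self._seen:
            raise ValueError(f"TRN {trn!r} already used")  # TRN must be unique
        datetime.fromisoformat(originated_at)  # raises on a malformed timestamp
        record = dict(trn=trn, originated_at=originated_at, payer=payer,
                      payee=payee, amount_paise=amount_paise)
        prev = self.head()
        record["prev_digest"] = prev
        record["digest"] = _seal(self._key, prev, record)
        self.records.append(record)
        self._seen.add(trn)
        return record

    def head(self):
        """Digest of the newest record; keep a copy outside the archive."""
        return self.records[-1]["digest"] if self.records else GENESIS


def verify(key, records, expected_head):
    """Return None when the archive is intact, else (index, reason)."""
    prev, seen = GENESIS, set()
    for i, rec in enumerate(records):
        if rec["prev_digest"] != prev:
            return (i, "chain break: record removed, inserted or reordered")
        if not hmac.compare_digest(rec["digest"], _seal(key, prev, rec)):
            return (i, "record altered after it was written")
        if rec["trn"] in seen:
            return (i, "duplicate TRN")
        seen.add(rec["trn"])
        prev = rec["digest"]
    if prev != expected_head:
        return (len(records), "archive truncated: newest records missing")
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; keep a real key outside the archive
    log = TraceLog(key)
    # Constructed sample transactions, not real data.
    log.append("TRN0001", "2001-11-15T10:30:00+05:30", "ACC-PAYER-1", "ACC-PAYEE-9", 150000)
    log.append("TRN0002", "2001-11-15T10:31:12+05:30", "ACC-PAYER-2", "ACC-PAYEE-9", 99900)
    log.append("TRN0003", "2001-11-15T10:33:40+05:30", "ACC-PAYER-1", "ACC-PAYEE-4", 250000)
    head = log.head()
    print("intact archive:", verify(key, log.records, head))
    log.records[1]["payee"] = "ACC-OTHER"  # simulate an edit to archived data
    print("after alteration:", verify(key, log.records, head))
```

The key and the value returned by head() have to be held separately from the archive, for instance by the officer in charge of archived data; without the separately stored head, removal of the newest records goes undetected.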


Advent of Digital Cash or Electronic Money

"Money in the 21st century will surely prove to be as different from the
money of the current century as our money is from that of the previous
century. Just as fiat money replaced specie-backed paper currencies,
electronically initiated debits and credits will become the dominant
payment modes, creating the potential for private money to compete
with government-issued currencies."
Jerry L. Jordan, President and CEO, Federal Reserve Bank of Cleveland

Module: 2 - Digital Cash or Electronic Money



It has been witnessed across the globe, especially in developed economies that there has
been a gradual switchover from the use of paper-based payments media to those based on
electronics. While the basic characteristics of these new instruments are by and large
similar to those of old, paper-based instruments, these, however, present a different set of
challenges to policy makers. Electronic money (e-money) is one such new product which
has appeared on Indian horizon recently.

Digital cash, electronic money or e-purse, as these are variously called, are a direct
offshoot of the stupendous development of Internet-based e-commerce. In the emerging field
of electronic commerce, novel buzzwords like smartcards, online banking, digital cash,
and electronic checks are being used to discuss money. Electronic money, as it is often
referred to, is essentially a payment or transfer of funds that is initiated and processed
electronically within current interbank payment systems. In other words, electronic
money is the digital representation of money, or more accurately, the digital
representation of currency.

Definition and Features of E-Money

E-money may be broadly defined as "an electronic store of monetary value on a technical
device…. used for making payments to undertakings other than the issuer without
necessarily involving bank accounts in the transaction, but acting as a prepaid bearer
instrument" (European Central Bank, 1998). These products could be classified into two
broad categories viz., (a) pre-paid stored value card (sometimes called "electronic purse")
and (b) pre-paid software based product that uses computer networks such as internet
(sometimes referred to as "digital cash" or "network money"). The stored value card
scheme typically uses a microprocessor chip embedded in a plastic card while software
based scheme typically uses specialised software installed in a personal computer.

The stored value card could be of three types - single-purpose card, closed-system or
limited-purpose card and general-purpose or multi-purpose card. The single-purpose card
generally with a magnetic chip recording the amount of fund therein is designed to
facilitate only one type of transaction e.g., telephone calls, public transportation, laundry,
parking facilities etc. Here, the distinguishing point is that the issuer and the service
provider (acceptor) are identical for the cards. These cards are expected to substitute
coins and currency notes. It is important to note here that the European Central Bank
(ECB) has exempted these single-purpose pre-paid cards from the purview of their policy
initiatives on e-money because of their smaller denominations as well as limited risk
exposure for customers and the financial system as a whole.

The closed-system or the limited-purpose cards are generally used in a small number of
well-identified points of sale within a well-identified location such as
corporate/university campus. ECB has recommended that these cards be subject to lighter
regulations and be issued by credit institutions.

The multi-purpose card, on the other hand, can perform a variety of functions with several
vendors viz., credit card, debit card, stored value card, identification card, repository of
personal medical information etc. ECB has underscored especially the importance of
these cards with respect to regulatory oversight, restrictions on issuers and their
implications for monetary policy. These cards may reduce demand for current accounts in
the bank owing to the likely reduction in transaction costs and prudent portfolio management.

It is important to distinguish here the so-called "access" products e.g., credit card and
debit card from e-money. The former typically require a telephone or a personal computer
with appropriate software to access the customer account before transferring the value
while under e-money, the amount of value is already embedded and it may be increased
or reduced without necessarily involving a personal bank account. In a sense, e-money
can be construed as an electronic form of traveller's cheques (TCs). In both cases, the
user pays for the instrument upfront.

Evolution of Electronic Money

The widespread use of electronic currency in the USA dates back two decades. It began
when the automated clearinghouse (ACH) was set up by the US Federal Reserve in 1972
to provide the US Treasury and commercial banks with an electronic alternative to check
processing. Similar systems emerged in Europe around the same time. Payments made
today in nearly all of the deposit currencies in the world's banking systems are handled
electronically through a series of interbank computer networks. One of the largest of
these networks is CHIPS (Clearing House Interbank Payments System), which is owned
and operated by the New York Clearing House. It is used for large-value funds transfers.
In 1994, CHIPS and Fedwire combined handled 117.5 million transactions for a total
value of US$506.6 trillion.
However, the use of electronic transfers for settlement of money transactions by
individual consumers has emerged only recently due to widespread advancement in
information and tele-communication technologies, which brought about global
interaction available at vastly reduced costs. As a result, we are now witnessing the early
stages of development of the digital economy. Indeed, private citizens have become
accustomed to using various forms of digital money, like stored-value cards, debit cards,
credit cards, and ATM cards. However, the advent of networked society has opened up a
whole new venue--digital cash. Digital or electronic cash is the logical but revolutionary
next step in the history of money.

Minimum Requirements of Digital Cash

Camp, Sirbu, et al., in their work "Token & Notational Money in Electronic Commerce",
describe these minimal requirements as atomicity, consistency, isolation, and durability.

1. Atomicity
Either a transaction occurs completely or it does not occur at all. For example,
consider what happens when I transfer funds from a savings account to a checking
account. Either my checking account is credited and my savings account is
debited or neither account balance changes.
2. Consistency
All relevant parties must agree on critical facts of the exchange. For example, if I
buy a good for three dollars, the merchant and I should both agree on the amount
of the purchase. After the purchase is completed, we must agree on that fact as
well.
3. Isolation
Transactions should not interfere with each other, and the result of a set of
overlapping transactions must be equivalent to some sequence of those
transactions executed in non-concurrent serial order.
4. Durability
Even if my computer or the merchant's computer crashes, we should be able to
recover to the last consistent state. For example, money that was available to a
computer before it crashed should not disappear when the machine reboots.

No less important is foolproof security. There should not be the remotest scope for
hackers to tamper with online transactions in transit, on receipt, or in storage. In other words,
hackers should not be able to break into a storage site and damage or change the data.
Nor should they be allowed to forge or falsify transactions. Finally, counterfeiting must
be prevented at all costs--in the electronic medium, being able to make an infinite number
of copies is easy; hence, even a single case of counterfeiting could bring down the entire
digital cash system. Security concerns are probably at the forefront of the public mindset.
Before digital cash can gain wide acceptance, it must gain and keep the public trust.
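
The atomicity, durability and anti-counterfeiting requirements above, shown as an added Python example that is not from the original page or from any e-money product: an issuer ledger on SQLite in which crediting the payee and recording the coin's serial as spent commit together or not at all. The table names, the HMAC tag standing in for the issuer's signature, and the sample amounts are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed key: stands in for the issuer's signing key (assumption of this example).
ISSUER_KEY = secrets.token_bytes(32)


def open_ledger():
    """In-memory issuer ledger: account balances plus a register of spent coin serials."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY,"
               " balance INTEGER NOT NULL CHECK (balance >= 0))")
    db.execute("CREATE TABLE spent (serial TEXT PRIMARY KEY)")
    return db


def balance(db, name):
    return db.execute("SELECT balance FROM accounts WHERE name = ?", (name,)).fetchone()[0]


def coin_tag(serial, value):
    """Issuer's authenticity tag over serial and value; changing either invalidates it."""
    return hmac.new(ISSUER_KEY, f"{serial}:{value}".encode(), hashlib.sha256).hexdigest()


def withdraw(db, account, value):
    """Debit the account and mint a coin of that value."""
    if value <= 0:
        raise ValueError("value must be positive")
    try:
        cur = db.execute("UPDATE accounts SET balance = balance - ? WHERE name = ?",
                         (value, account))
    except sqlite3.IntegrityError:  # CHECK (balance >= 0) failed, nothing was debited
        raise ValueError("insufficient funds") from None
    if cur.rowcount != 1:
        raise ValueError("unknown account")
    serial = secrets.token_hex(16)
    return {"serial": serial, "value": value, "tag": coin_tag(serial, value)}


def deposit(db, payee, coin, crash_before_credit=False):
    """Redeem a coin for the payee. Returns 'ok', 'forged' or 'double-spend'."""
    expected = coin_tag(coin["serial"], coin["value"])
    if not hmac.compare_digest(expected, coin["tag"]):
        return "forged"  # altered value or invented serial
    db.execute("BEGIN IMMEDIATE")
    try:
        # The PRIMARY KEY on spent.serial makes a second copy of the coin fail here.
        db.execute("INSERT INTO spent (serial) VALUES (?)", (coin["serial"],))
        if crash_before_credit:
            raise RuntimeError("simulated crash between the two updates")
        db.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?",
                   (coin["value"], payee))
        db.execute("COMMIT")
        return "ok"
    except sqlite3.IntegrityError:
        db.execute("ROLLBACK")
        return "double-spend"
    except Exception:
        db.execute("ROLLBACK")  # atomicity: the 'spent' mark is undone as well
        raise


def demo():
    db = open_ledger()
    db.execute("INSERT INTO accounts VALUES ('payer', 10), ('merchant', 0)")
    coin = withdraw(db, "payer", 3)  # the three-dollar purchase from the text
    out = {}
    try:
        deposit(db, "merchant", coin, crash_before_credit=True)
    except RuntimeError:
        pass
    out["merchant_after_crash"] = balance(db, "merchant")
    out["retry"] = deposit(db, "merchant", coin)          # coin was not lost
    out["copy"] = deposit(db, "merchant", dict(coin))     # bit-for-bit copy
    out["forged"] = deposit(db, "merchant", dict(coin, value=300))
    out["balances"] = (balance(db, "payer"), balance(db, "merchant"))
    return out


if __name__ == "__main__":
    print(demo())
```

An HMAC can only be checked by the issuer that holds the key; a scheme in which merchants verify coins themselves would use a public-key signature instead.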

Secure transactions using strong encryption

Computer networks are essentially public in
their scope of operation because the information transmitted over them can be accessed
anywhere between the points of origination and destination. Even private computer
networks are not immune to wiretapping and surveillance by determined infiltrators.
Therefore, if the transmitted information is of a sensitive nature (e.g., financial data), then
it needs to be protected so that only those authorized to read it may do so. The science of
cryptography, which is the science of keeping digital data secure, makes this possible.
Encryption is the process of scrambling data into ciphers or code so that it can only be
unscrambled (decrypted) by individuals who have the key essential to accomplish this
task.

We will now consider specific instances of digital cash/e-money as they emerged in the
commercial world.

Digital Cash

Digital cash has been pioneered by DigiCash. Its founder, David Chaum, is an expert in
financial cryptography and is the inventor of more than half a dozen cryptographic
processes covered by US Patents. DigiCash has created and markets a software program
called "ecash", which basically creates DBCs that represent units of various currencies.

Currently, US Dollars, Finnish Markkas and Australian Dollars circulate on the Internet
using the ecash system, with several other currencies to be introduced in the near future.
Although DigiCash is the only company with a working product that is now available for
use, there are other companies and independent developers who are working on digital
cash systems as well.

Digital cash is ideal for what is known as micropayments, or transactions of less than
US$10 in value. Micropayments are generally not economical with credit cards or
electronic fund transfers, primarily because of the high overhead costs in processing
those transactions. Digital cash makes small payments of just a few cents possible and
profitable for both the merchant receiving the payment and the issuer of the digital cash.

One of the interesting features of digital cash is that it allows for relative degrees of
privacy in monetary transactions. DigiCash's ecash only provides privacy (anonymity) for
the payer in the transaction. The payee reveals himself when he verifies the authenticity
of the ecash with the issuer. Other types of digital cash involve anonymity for both parties
or neither party. Ideally, individuals will be able to choose between these different
systems to decide the level of privacy they wish to maintain in any transaction.
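
Payer-only anonymity of the kind described above can be obtained with Chaum's blind-signature technique, which the page itself does not name. The following is an added Python example, not DigiCash's code: the issuer signs a coin without seeing its serial, then later verifies it and learns who the payee is. The RSA parameters, class and function names, and account labels are assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Issuer's RSA key built from two known Mersenne primes: constructed, illustration-sized
# parameters (assumption of this example), far below any size used in practice.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to the issuer


def coin_hash(serial: bytes) -> int:
    """Map a coin serial to the integer that the issuer's signature covers."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Issuer:
    def __init__(self):
        self.withdrawals = []  # (account, blinded value): all the issuer sees at withdrawal
        self.deposits = []     # (payee, serial): the payee is identified at deposit
        self.spent = set()

    def sign_blinded(self, account, blinded):
        """Sign a value the issuer cannot read; it knows only which account asked."""
        self.withdrawals.append((account, blinded))
        return pow(blinded, D, N)

    def deposit(self, payee, serial, signature):
        """Verify authenticity and reject copies. Returns 'ok', 'forged' or 'double-spend'."""
        if pow(signature, E, N) != coin_hash(serial):
            return "forged"
        if serial in self.spent:
            return "double-spend"
        self.spent.add(serial)
        self.deposits.append((payee, serial))
        return "ok"

    def links_to_withdrawal(self, serial, signature):
        """True if a logged withdrawal matches the deposited coin by direct comparison."""
        return any(b == coin_hash(serial) or pow(b, D, N) == signature
                   for _, b in self.withdrawals)


def withdraw_coin(issuer, account):
    """Payer side: pick a serial, blind it, have it signed, then remove the blinding."""
    serial = secrets.token_bytes(16)
    r = secrets.randbelow(N - 2) + 2           # blinding factor, kept secret by the payer
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    blinded = coin_hash(serial) * pow(r, E, N) % N
    blind_sig = issuer.sign_blinded(account, blinded)
    signature = blind_sig * pow(r, -1, N) % N  # equals coin_hash(serial)^D mod N
    return serial, signature


def demo():
    issuer = Issuer()
    serial, sig = withdraw_coin(issuer, "payer-account")
    out = {"forged": issuer.deposit("merchant", serial, (sig + 1) % N)}
    out["first_deposit"] = issuer.deposit("merchant", serial, sig)
    out["second_deposit"] = issuer.deposit("merchant", serial, sig)
    out["payee_known"] = issuer.deposits == [("merchant", serial)]
    out["payer_linked"] = issuer.links_to_withdrawal(serial, sig)
    return out


if __name__ == "__main__":
    print(demo())
```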

Smartcards

A smartcard resembles a credit card except that it has a microchip embedded within it,
which allows the smartcard to store information and sometimes to even perform simple
calculations. Common smartcard chips typically hold about 8,000 bytes (characters) of
information, which enables the smartcard to perform a variety of functions such as
identification, storing bank account information and holding digital cash.
A number of smartcards are on the market today, and these are used in a wide range of
applications. Mondex has received a lot of recognition in the financial press, and several
banks have already conducted trials with its smartcard. Wells Fargo & Co., a major
California bank based in San Francisco, will issue Mondex smartcards to all of its online
banking customers in 1998, a number which could reach into the hundreds of thousands.
Because MasterCard International holds a 51% stake in Mondex, it could become the de
facto international standard for bank-issued smartcards.

Introduction of Digital Cash in India

An economy like India, where cash transactions are very high, could benefit from using
e-money through cost savings from printing and minting of smaller denomination notes and
coins and eliminating the cost of handling, storing, transporting and insuring currency.
These should also improve operational efficiency of the financial sector as also extension
of banking to the urban poor and rural communities besides facilitating e-governance
initiatives of governments. However, such benefits should be weighed against the need to
build up the costly infrastructure to operate nationwide cashless retail payment system.

In India, RBI has defined e-money as an electronic store of monetary value on a technical
device. RBI set up a working group to examine the use of e-money in India. Chaired by
Mr Zarir Cama, CEO, HSBC, India, the group has said that issuance of e-money on a
credit basis should be strictly regulated and closely monitored. With regard to the status
of issuers of e-money, the group has said only banks should be allowed to issue
multi-purpose e-money. However, single purpose and limited purpose e-money should be
allowed to be issued by any entity including banks.

With a population of one billion, India generates personal consumption expenditure of
$225 billion. Due to the cash intensive and credit-averse nature of Indian society, 90 per
cent of this is in cash, nine per cent in cheques and one per cent electronically on
credit/debit cards! However, recently with globalisation and introduction to better
technology, Indian consumers have revealed a desire for alternatives to cash and cheques.
Having become more sophisticated and convenience oriented, they have shown a
preference for electronic transactions without having printed bank books.

The government has also strengthened regulatory and policy support to provide impetus
for creating infrastructure and spurring usage. Owing to this development, use of
electronic money took an upswing in the economy, which has shown a growth rate of 33
per cent.
[Source - Mr. Girish Rangan - MD, Venture Infotek]

BANK OF INDIA LAUNCHES SMART CARD

"Our Bank has revolutionized consumer payments by launching a Smart Card under the
name "e-Purse". Pilot launch was made at Pune on 07.11.2001 by the hands of our
General Manager Mrs.T.A. D'Mello. The card has been launched in association with M/s.
Venture Infotek Limited who are providing an integrated end-end solution for this
activity.

The e-Purse is a chip embedded card and is essentially a deposit access product. It is a
stored value card that will enable holders to conduct cash-free transactions at merchant
locations. The account holders of our Bank will be able to "load" value into these cards
either by deposit of cash or through debit to their accounts with our branches. On
purchase of goods, the value gets reduced by virtue of an authorization from the card
holder through a PIN. The card can be used repeatedly and can be re-loaded any number
of times with amounts ranging from Rs.100/- to Rs.15000/-. At present there is no fee for
issuing the card but at a later stage we may introduce a small charge to recover our costs.

Numerous small value transactions can be undertaken through the e-Purse and all these
transactions can be tracked. The user will no longer have to carry cash. The card will be
issued to any account holder of the Bank since no credit risk is involved."
[Source: Website of Bank of India]

With the rapid evolution and revolution of technology, electronic transactions have now
gone beyond the payment domain. The same infrastructure that processed payment
transactions electronically is now being used for several other consumer-centric
initiatives. A case in point is that of BPCL Petro Card, which is a phenomenal success
story today, with over 6,00,000 customers already under the belt and growing at the rate
of 40,000 per month.

The Petro Card is fundamentally an e-purse-cum-loyalty card, that allows customers to
pay for fuel on this e-purse, a stored value card, and earn loyalty points simultaneously.
This programme is also being run on the same infrastructure that is used for payment
transactions!

[Source: RBI website - Report on Electronic Money (e-money)]


RBI Policy Paper on Digital Cash or Electronic Money

The distinguishing characteristic of e-money is that, unlike innovations in other retail
payments media which facilitate more efficient access to traditional form of central bank
money, e-money could have the potential to become an independent medium of
exchange. In that eventuality, two extreme views are being offered. On the one hand, one
group perceives that in future in a highly technologically advanced networked world,
private entities may not require central bank money for settlement and, therefore, there
may not be any central bank in future. Some of them also question whether private
money is more efficient than central bank money from the point of view of social welfare
and if so, under what circumstance, private money can replace altogether the central bank
money. On the other hand, there is another group of academicians and practitioners who
strongly believe that central banks would continue to be as effective as ever though they
may be required to respond differently in the changed environment.
With progress in technology and networking, the modes of payment and settlement would
undergo distinct changes, particularly with operationalisation of the real-time gross
settlement system (RTGSS), Negotiated Dealing System (NDS) and Clearing Corporation
of India Limited (CCIL). These would lead to gradual switchover from the use of paper-
based payments media to those based on electronics including electronic money (e-
money). Keeping these developments in perspective, it was felt that it is now appropriate
to prepare a Policy Paper on e-money so that the challenges it might place in future both
on the balance sheet of the central bank as also on the transmission mechanism of
monetary policy are appropriately met. In other words, it is instructive to identify the
areas of concern from the point of view of the central bank in the context of more wide
spread use of e-money so that our conduct of monetary policy is not impaired and at the
same time, the integrity of the instrument (i.e., e-money) is also preserved. To this end, a
Working Group has been constituted on January 25, 2002 by RBI with representations
from both within the Bank and outside under the Chairmanship of Mr. Zarir J. Cama,
Chief Executive Officer, HSBC.

The Group submitted its Report on July 11, 2002.

Accordingly, the Report is organised in four Sections.

1. Section I deals with the definition and features of e-money and its likely position
vis-a-vis other retail payments media.
2. Section II attempts to explore the likely implications of e-money on both the
balance sheet of the central bank and the conduct of monetary policy.
3. Based on these discussions, Section III brings to the fore the policy issues for RBI
and the likely prudential norms governing operations of the e-money scheme.
4. Section IV gives summary and recommendations of the Report, which alone is
reproduced hereunder, covering paragraphs 40 to 52. Those desirous of viewing
the full text of the report may do so by accessing website of RBI.

Summary of Recommendations of the Report

Broadly, e-money is an electronic store of monetary value on a technical device.
E-money could be classified as (a) pre-paid stored value card (sometimes called "electronic
purse") and (b) pre-paid software based product that uses computer networks such as
internet (sometimes referred to as "digital cash" or "network money"). The stored value
card could be of three types - single-purpose card, closed-system or limited-purpose card
and general-purpose or multi-purpose card. The single-purpose card generally with a
magnetic chip recording the amount of fund therein is designed to facilitate only one type
of transaction e.g., telephone calls, public transportation, laundry, parking facilities etc.
Here, the distinguishing point is that the issuer and the service provider (acceptor) are
identical for such cards. The closed-system or the limited-purpose cards are generally
used in a small number of well-identified points of sale within a well-identified location
such as corporate/university campus. The multi-purpose card, on the other hand, can perform
a variety of functions with several vendors viz., credit card, debit card, stored value card,
identification card, repository of personal medical information etc.

While it may not be desirable to place any limit on storing monetary value in e-money, it is
expected that e-money could be used to substitute central bank notes and coins at least
partially. However, the importance of e-money with respect to regulatory oversight,
restrictions on issuers and their implications for monetary policy is extremely critical
from the point of view of the central bank.

After considering various issues, the Group recommends that multi-purpose e-money
may be permitted to be issued only against payment of full value of central bank money
or against credit only by the banks. The issuance of e-money on credit basis should,
however, be strictly regulated and closely monitored.

It needs to be appreciated that issuers must be under obligation to offer redemption of
their e-money liabilities net of service charges, if so required. From monetary policy
point of view, such redemption requirement is essential in order to preserve unit of
account function of money as also to control money supply in the economy.

With regard to status of issuers of e-money, it may be indicated that there are five reasons
which may warrant banks as the issuers of multi-purpose e-money. These include
attributes of e-money being closer to demand liabilities of the bank, implications of
e-money on velocity of circulation of money and its corresponding impact on monetary
statistics, the option to impose reserve requirement on e-money, the need for closer
monitoring of e-money when these would be issued as credit and the technical security of
e-money. For all these reasons, the Group recommends that only banks should be allowed
to issue multi-purpose e-money. However, single-purpose and limited-purpose e-money
should be allowed to be issued by any entity including banks.

Non-banks should not be permitted to issue multi-purpose e-money. If they are permitted,
they along with banks must conform to seven minimum prudential requirements as laid
down by European Central Bank (ECB) in 1998. These are (i) prudential supervision of
issuers of e-money by the central bank, (ii) solid and transparent legal arrangements
codifying the rights and obligations of issuers, merchants, consumers and the regulators,
(iii) adequate technical, organisational and procedural safeguards to prevent and detect
threats to the security of e-money, (iv) protection against criminal abuse, (v) supplying of
all relevant information to the central bank for the purpose of monetary policy, (vi) legal
obligations to redeem e-money against central bank money at par at the request of the
holder and (vii) the right of the central bank to impose reserve requirement on issuers of
e-money.

E-money could have profound impact on compilation of monetary statistics and money
supply unless regulated prudently. E-money could be issued against cash (i.e., 100 per
cent backed by central bank money paid upfront). Since e-money are close substitutes of
central bank money, these should be explicitly accounted for in monetary statistics. If e-
money is allowed to be issued only by banks, then currency would be substituted with
demand/time liabilities through e-money. In that eventuality, issuance of e-money would
be money stock neutral and no change would be required in the definition of money
stock. However, if e-money is issued by entities other than depository institutions (i.e.,
banks), the money creating sector as embedded in compilation of monetary statistics
would need to be broadened.

There could be a situation where residents could use e-money supplied by entities outside
the country for domestic transactions. In that case, monetary aggregates would lose their
predictive power.

It is expected that the proportion of interest bearing liabilities in monetary aggregates
would grow in the event of growing use of e-money which would render them more
unstable, and information content of monetary aggregates would also change.

If e-money is issued on credit, there is a possibility that the issuers may assume a
leveraged position. There is, therefore, a need for continuous monitoring of the behaviour
of issuing authorities for balanced growth of their assets and liabilities, particularly
liabilities arising out of issuance of e-money. For these reasons, the Group recommends
that the central bank should regulate and closely monitor the practice of issuing e-money
on credit.

If consumers prefer to use e-money vis-a-vis currency, then for a given stock of currency,
the money multiplier would go up which would in turn increase the aggregate money
supply in the economy more than what would have been the case without e-money. Also,
with large scale use of e-money, it has been apprehended that central bank's balance sheet
may shrink to such an extent relative to that of the banking sector that it may be unable to
perform its liquidity absorption function on account of non-availability of adequate
volume of assets. Apart from constraining its liquidity management function, relative
shrinkage in balance sheet may also have serious implications regarding loss of
seigniorage revenue for the central bank. As a counter argument, it is maintained that
there should always be a lower bound below which the use of currency notes and coins
should not go down so that there should also be a limit below which reserve money
should not shrink relative to broad money stock.

A review of developments indicates that while considerations of potential benefits of
micro-economic efficiency, extension of banking to urban poor and rural communities
and facilitation of e-governance demand that there should be increasingly private
provision of payment and settlement services in the economy in future, macro-economic
stabilisation policy warrants that there should be a case for public regulation over such
provision. Also, currency uses are characterised by network externalities in that the larger the
number of users, the larger is the settlement value of the currency concerned, implying that
currency could at best be supplied oligopolistically. These are, in fact, the fundamental
reasons for which the "monopoly right" in the issuance of currency should be in the
hands of some public authority, preferably the central bank. Even then, there cannot be
any final judgement on this issue at this point of time. In view of all these considerations,
the Group, therefore, recommends that the RBI should regularly monitor closely all these
developments so that integrity of the financial system is preserved.
The RBI should also periodically review issues relating to legal framework, if any,
technical security and the clearing and settlement arrangements of different e-money
schemes and the practices of various e-money schemes, both in India and abroad, for
preserving integrity of the financial market. On the issue whether entities other than the
central bank could issue independent media of exchanges, the Group feels that such a
possibility is apparently remote in India at this point of time. However, RBI may
continually keep track of these developments for smooth functioning of the financial
market.

Debit Card - A (Credit) Card without Credit Facility

A debit card is suited to those who desire to control spending on shopping within a
pre-fixed budget. The card is therefore more suited for middle income account holders. The
card is issued by the bank and is connected through the ATM. It is thus an electronic card
that one can use as a convenient payment mechanism. Debit cards allow you to spend
only what is in your account and purchases should be kept track of just as if you're
writing a cheque. The card enables you to access your bank deposits for making payment.
It is a deposit access mechanism in which whenever you make a payment through your
card the amount is automatically debited from your account at the point of sale. The debit
card thus combines the benefit of both cash and cheque without our having to carry either
of the two. On the other hand unlike a credit card, debit card transactions give card holder
no grace period. They are an immediate, pay-now deal.

Advantages of Debit Cards over Credit Cards

• It is easier to obtain a debit card, as compared to a credit card. In fact if you are an
account holder of the Bank issuing debit cards, you can easily secure a card.
There are no more eligibility criteria.
• You can go for shopping etc. without carrying cash or your cheque book, but only
with your debit card.
• Likewise when travelling abroad, it frees you from carrying a stock of traveller's
cheques.
• Debit cards may be more readily accepted than cheques, as the merchant is
assured of immediate payment.
• If a customer issues a cheque to a shop-keeper, the latter has no recourse to find
out whether the customer has enough balance in his account and whether the
cheque if presented would be honoured or not, but a shopkeeper will not find such
a handicap in case of either a credit card or debit card. In these cases inquiries to
the Card-issuing bank get a quick and categorical response. Hence the shopkeeper
is assured of definite payment in respect of sales effected against either debit or
credit cards.
• If you return merchandise or cancel services paid for with a debit card, the
transaction will be, generally, treated as if it were made with cash or a check.
Customers usually get cash back for on-line purchases; for off-line transactions,
the amount is credited to your account.
• You have the advantage of spending within your means and the problem of
arranging payments at the receipt of the credit card statement is eliminated.
• In case of credit cards, delayed payments are penalized at 30% p.a. rates. This
penalty situation never arises in debit cards.

How does the debit card work?

When you present the card to the salesperson at the payment counter he swipes it through
the reader. The card gets connected to your bank account and you are required to enter the
ATM PIN (password) to make a transaction. The bank debits the account linked to the
card for the value of the purchase of goods or services, cash, fee, charges and the
payment effected by the use of the card (transaction). These transactions are reflected in
the Account Statement of the Accounts that are linked to the card.

Today most of the debit cards are globally valid but can't be used for foreign exchange
payments in Nepal, Bhutan and India. The card can be used till the last working day of
the month indicated on the card, after which it expires. Banks send the renewed card
before the expiry of the old one, with renewal charges.

Types Of Debit Cards

There are two types of debit cards and two types of debit card transactions:

1. Direct Debit Cards allow only "on-line" transactions, also called point-of-sale. An
on-line transaction works like a straight ATM transaction. It is an immediate
electronic transfer of money from your bank account to the merchant's account.
This requires you to enter your Personal Identification Number (PIN) at the store's
terminal. The system checks your account to see if there is enough money to
cover the purchase.
2. A Deferred Debit Card looks similar to a credit card, bearing a Visa or
MasterCard logo, and can be used wherever your card's brand name is displayed.
It is NOT a credit card. Rather, this card allows "off-line" transactions, as well as
on-line. Off-line purchases resemble a credit card transaction. The merchant's
terminal reads your card and creates a debit against your account. However,
instead of debiting your account immediately, the transaction is stored for
processing later -- usually within two to three days. Instead of using a PIN, the
customer signs a receipt as they would with a credit card. Most off-line
transactions are verified immediately to see whether there is enough money in the
account.

Regardless of the type of debit card you have, when you use it, the money is subtracted
from your bank account.

Both MasterCard and Visa International have already witnessed a huge rise in their debit
card bases in the Asia-Pacific region. After 25 years in the region, MasterCard has built
up a credit card base of 80mn, whereas its debit card base, in just four years, has touched
37mn. Visa too, in less than 18 months, built up a base of 48mn debit cards.

[Source - http://www.indiainfoline.com/pefi/news/debi.html]

Debit Cards Available in India

The debit card base in India in March 2000 was already at 3,00,000. Moreover, the usage
figures are even more impressive. Seven out of 10 card holders use their card on a regular
basis, with the average monthly spend on a debit card being Rs 1,400, which puts total
annual spends at over Rs.5bn.

In India Citibank was the first bank to offer this service to its customers (March '98). The
first market to test this plastic variant was Bangalore. Later on the concept was
introduced in New Delhi and Mumbai. Other banks that have debit cards in their product
portfolio are HDFC Bank and ICICI Bank and a few nationalised banks. Debit cards can
be used at establishments that display the sign of the network each card is
linked to, like Visa, Master etc. The card is typically used for low value purchases and is
not as popular as the credit card.

Smart Cards - The New Innovation

Smart cards look like standard plastic cards but are equipped with an embedded
Integrated Circuit (IC) chip. These cards can store information, carry out local processing
on the data stored and can perform complex calculations. Smart cards can store 1,300
times more data than the magnetic strip card (the typical Indian credit card) that stores
200 bits. These cards can store data for more than 10 years, and can be read or written on
more than 1,00,000 times. Smart cards come in two forms: Contact cards, which require a
card reader; and contactless cards, which use radio frequency signals to operate.

A smart card is a 'miniaturised' personal computer (PC), which can be used for a dazzling
array of applications, and also as 'digital' cash. It contains a microprocessor, memory and
tailored software. The software security system used for these cards is almost as
foolproof as those used by nuclear establishments and leading international banks! Smart
cards can manage security procedures using passwords and state-of-the-art encryption
techniques.

Further, identity traits such as digitised photos, signatures and fingerprints being placed
on the card make it fraud-proof. If credit cards did away with muggers, smart cards do
away with credit card fraud.

The innovation of Smart Card dates back to 1975, when the French inventor Roland
Moreno patented a credit-card sized plastic card with a microchip embedded in its top-
left corner. After two decades we now have over a billion such smart cards in use in
banks, airlines, telephones, department stores, road-side vends, healthcare, schools,
national identity cards etc.

Smart cards are a foolproof medium of record which need no back up on paper or a
computer floppy. Smart cards, unlike computer floppies, do not get 'corrupted' with heat,
dust and magnetic fields. They are almost totally resilient to dust, high temperature,
humidity and computer viruses.

The quick popularity and acceptability of smart cards induced major credit card
providers to join the bandwagon. Mastercard has acquired Mondex, a French
company, and Visa has acquired the American Digicash, both leading global smart card
issuers. American Express Bank accepts 'Proton' smart cards issued by Banksys,
Belgium.

Advantages of Smart Cards

"Compared to conventional data transmission devices such as magnetic stripe cards,
smart cards offer enhanced security, convenience and economic benefits. In addition,
smart card-based systems are highly configurable to suit individual needs. Finally, multi-
functionality as a payment, application and networking device renders the smart card as
the perfect user interface in a mobile, networked economy. Smart cards incorporate
encryption and authentication technologies that can implement the issuer and user's
requirements for the highest degree of security. Using encryption, data can be securely
transferred via wired and wireless networks. Adds White, "Coupled with biometric
authentication methods which rely on personal physical attributes, smart cards are used in
distributing a government's welfare payments in order to reduce frauds and abuse. Health
care cards allow doctors to access and manage a patient's medical records and insurance
information without compromising privacy."

"Smart cards are cost-effective in the long run as they cut down the cost of keeping paper
records. They also reduce the time spent on updating paper records, and at many places
they could replace human intervention. Contact and contactless toll payment cards
streamline toll collection procedures, reducing labour costs as well as delays caused by
manual systems. Maintenance costs for vending machines, petroleum dispensers, parking
meters and public phones are lowered, while Khaitan feels revenues could increase about
30 percent according to some estimates, due to the convenience of the smart card
payment systems in these machines. A BEST pilot project in Mumbai already uses
contactless smart cards on one of its busiest routes, and contactless cards are also being
used at the Delhi-Noida toll bridge, where the company is using this technology to offer
expressway passes to the bridge. Under the scheme, users of their gold card do not need
to stop at the collection centre to pay toll."

[Source - "Express Computers" IT Business Weekly dated 28.01.2002]

Popularity & Use of Smart Cards in India

At present, India has close to 3.4 million smart card users, a number expected to reach 5
million users by the end of the current fiscal and close to 14.7 million by the end of 2004.
Smart cards are gaining pre-eminence as the ultimate portable and network personal
computers of today. With the growth of e-commerce, card based personal systems will
remain the most common online payment method. Businesses and countries that do not
use these technologies are unlikely to capture global markets. With the availability of
better security technologies and lower costs, smart cards have the potential for use in
many applications such as the banking retail payments, vehicle registration, internet
payments, citizen ID, e-governance, driving license, health records etc. Deployment of
smart cards in welfare schemes such as public distribution systems would ensure timely
and efficient benefits to the targeted audience. There is a large local market for smart
cards in India and an integrated approach for widespread deployment of smart cards is
being conjectured with active participation from major user departments, financial
institutions and industry. In this context, and also to ensure interoperability, it is
necessary to define common standards for multi-Application Smart Cards in India.

Application of Smart Card Technology by Indian Institutions

[Source: SANDEEP New Delhi published in "The Week" June 21, 1998 edition - Website
-http://www.the-week.com/98june21/biz2.htm]

"The good news is that smart cards have reached India, too. Scooter maker LML, Kanpur,
has evolved a blue-print for change centred on smart cards for its vendors, employees,
distributors, depots and service centres.

"Cards are also used to assign selective access to people in the computer and R&D
centres. The despatch and distribution system at LML is 'smart'. The invoice, complete
with all the details of the consignment, chassis and engine number, colour, and model
number, is stored on a card and sent along with the dispatch truck. LML dealers and
depots all over the country have been equipped with smart card terminals which
effortlessly copy the invoice into their PCs. Only unloading the vehicles takes time. The
dealer acknowledges the receipt on the card itself and the card is sent back with the truck.
At LML's end, the card is 'read' and the delivery is automatically recorded on the
computer. "The paper work is very less now," said Sanjay Kumar, an employee. "A lot of
running around is saved."

"The 'smartisation' of the vendor management system at LML has helped it implement
'just-in-time' materials management. The company receives around 1,000 consignments
every day from its vendors. It would have taken two to three hours for each vendor's
goods to be received by the purchase department sans the cards. Now for smart cards this
takes less than half an hour. "I can do more business in a day now," said Manoj Kumar, a
vendors' representative.

"All 6,000 LML employees have been issued personalised smart cards. All personnel
details and privileges are 'loaded' on the card along with personal and family data, salary,
leave, health insurance, provident fund and ESI records. There is no need for paper files,
smart cards handle cash payments and receipts. No more cash and signatures on
vouchers. The card is used to mark time-in and time-out at the plant and it carries shift
duty details, too. "The plant has become more employee-friendly with the introduction of
electronic attendance, access and canteen coupons," said B. Srinivasan, vice-president,
information technology (IT).

"The company's 60,000 authorised service centres are also being integrated into the
'smart' world. Mobile hand-held terminals are used to collect data about their activities,
which is then loaded on to the computer at regional offices linked to the headquarters'
computer. "In the Indian situation of poor networking and communication, smart cards
provide the only viable solution to just-in-time-related problems," said Srinivasan.

The hand-held terminals capture 50-60 parameters such as number of scooters repaired
on a day, model-wise details of repairs and the number of trained people involved. This
data is processed for inputs to manufacturing and marketing strategy.

"Maruti Udyog, Delhi, has provided a section of the employees with smart cards.
Potentially similar in application to the ones at LML, the smart cards with the car
manufacturer are limited to attendance and access control usage for now. "We required a
foolproof and convenient system for restricting entry in our factory at Gurgaon," said
Pravin Gosain, deputy manager, IT. "Smart cards were the right solution to our needs."

"Godavari Sugar Mills in Bijapur, Karnataka, has implemented a Smart Farmer
programme for sugarcane farmers. This will dramatically improve data management
regarding supplies, payments, crop yield, fertilisers and loans. The interface between the
sugar mill and the farmers has been revolutionised.

"It is this apparent lack of complexity that is facilitating the growing application of smart
cards. A UN agency is using 30,000 of them for rural water resource data management in
villages of four districts in Madhya Pradesh and Andhra Pradesh. This involves
dedicating one smart card for each of the water resources, say a tube-well. The card
would be in the custody of the panchayat and would contain all the details about the tube-
well.

"When the local administration carries out any maintenance work, the card will record
the details through a terminal carried by the technicians. Later the data can be
downloaded at the district headquarters' computer. This will minimise corruption, the
technicians will not be able to file 'work completion' reports without actually doing the
work."

"Smart cards could be issued as national identity cards, driving licences, medical cards,
bank account cards and voter cards. And this would be foolproof; a smart card cannot be
fabricated or duplicated.

"However, a 'smarter' world would require a smarter populace with a new mindset to
exploit the potential opportunities thrown open by smart card applications."

Other Indian Initiatives


RBI had earlier set up a pilot project called SMARS (smart rupees) at IIT Powai for
formulating technical specifications for e-purse by issuing guidelines for the Indian banks
to induct smart cards in the banking system to implement various transactions, including
e-purse.

Other cases of smart card usage in India include usage as a driving license in Gujarat, by
BPCL as a PetroCard in conjunction with Schlumberger, as a ration card in Kerala, by
Amul to store details of milk transactions from farmers to the cooperative, and as ID
cards by the Goa and Karnataka governments. Even a church in Bangalore has convinced
members to store their genealogical data onto smart cards.

About 2,00,000 victims of the 1984 Bhopal gas tragedy have been issued smart cards,
which contain their medical history. Doctors can thus access their health data at the touch
of a button. In Nayla, a village in Rajasthan, members of the women's co-operative society
have been using smart cards to maintain their milk delivery and payment records.
Sugarcane farmers too use similar cards. In Gujarat, the government issued smart identity
cards to fishermen and their dependents to get rid of pretenders posing as a fisherman's
kin to claim compensation. The cards are also used to identify real fishermen from cross
border infiltrators who pose as fishermen.

"Bank of India launched 'ePurse' in Pune. This was the first time a PSU bank launched a
stored-value payment card. Having taken Pune by storm, this project will be taken
nationwide this year. ICICI Bank and Venture Infotek announced a technology tie-up to
launch the MAHE (Manipal Academy of Higher Education) campus card. The card is a
smart card that enables the students of MAHE to make electronic payment for all
purposes within and around the campus both in Manipal and Mangalore. There is a
similar smart card at the Infosys campus too. A merchant-centric loyalty programme
called 'Anmol'. Through this programme, each retailer can initiate his own loyalty
programme, without making any investment in infrastructure. The loyalty card is
customised to the retailer's requirements, and he can decide the terms and conditions of
his programme.

"The 'Sneha' smart card programme for micro-collections. For micro-finance, the 'Sneha'
card serves as an electronic passbook to maintain records of all transactions.

"Venture Infotek also launched the BPCL PetroCard, which has been a phenomenal
success because of the ease of paying by card for filling petrol in their vehicles, rather
than paying by cash each time.

"IOCL: IOCL has a set of fuel stations which are COCO (company owned, company
operated), where they have introduced these Contactless Cards for Fuel dispensing.
These cards not only serve as pre-paid cards, but also as credit cards for their credit
customers, where the billing takes place monthly. The Front End sales application with
Contactless Smart Card Interface is integrated with Back Office Accounting Application.
The application is a versatile, easy-to-use, 32 bits, complete inventory and accounting
solution for petrol pumps. It maintains the unique type of inventory of petrol pumps and
its online updating of stocks and Customers Accounts.

"SIES IMS: The Online Library Management program for SIES College is developed for
all the students and staff of the college. Students/Staff having this card can avail facility
to receive books, periodicals, CD etc. from the library and also will be given access to the
computer lab. The intention here is that, only valid cardholders will be entitled for the
amenities. Also the library does not have to bother about the books issued, delays in book
retrievals, calculating of penalty points as all the information is stored on to the card as
well as in the database. Also it helps to monitor the usage time of computer and facilities
in the lab."

[Source - "Express Computers" IT Business Weekly dated 28.01.2002]

Growth Prospects - Indian Smart card Market

"According to S Swarn, secretary of the Smart Card Forum of India (SCAFI), the Indian
chip card market, comprising GSM, payphone, driving licenses, banking and loyalty
applications is likely to grow from the current 15 million smart cards to 400 million in the
next few years. These growth rates are based on the assumption that the GSM-SIM cards
subscriber base itself is likely to grow at a CAGR of about 60-80 percent, as stated by the
Cellular Operators Association of India.

"What will boost the market further is a slew of e-governance projects on smart cards,
especially in the areas of transport applications and National ID card projects. The
foundation has been laid with some major projects already implemented or underway.

"In the area of driving licenses and vehicle registration, some of the major projects are
Gujarat Vehicle Registration, Maharashtra Vehicle Registration, Chandigarh Driving
License, Madhya Pradesh Driving License & Vehicle Registration projects.

"Some of the smart card projects in the toll collection area are by Maharashtra State Road
Development Corporation, Hubli-Dharwar bypass, Vadodara-Halol bypass and Narmada
toll bridge. As far as the potential in transport applications is concerned, Gujarat has
already issued 1.50 million smart card-based driving licenses, with the potential for over
10 million cards. The Gujarat Vehicle Registration project started in 2001, is operational
in 27 regional transport offices (RTOs), and is issuing approximately five million cards in
the next four years. On the other hand, the Madhya Pradesh Driving License and Vehicle
Registration project has targeted issuing 2.5 million cards in five years. Added to this, the
Ministry of Transport recently issued guidelines regarding issuance of smart card-based
driving licenses, and six states are soon going to invite tenders for the same.

"The recent standardisation of the operating system (OS) for transport applications, called
the Smart Card Operating System for Transport Applications (SCOSTA) will also propel
uniform growth in this market."

[Source - "Express Computer" IT Business Weekly - URL - http://www.express-computer.com/20021014/newsan1.shtml]

Advent of Smart Cards in India - Smart Card Initiative Project of Ministry of Information Technology

Smart Cards are being deployed worldwide for a variety of applications in both financial
and non-financial sectors. The Government and Government Organizations in many
countries are also coming forward to introduce Smart Cards in their various operations.
With the technological advancements the Smart Cards are becoming cost effective, and it
is becoming feasible to incorporate multiple applications on a single card. The Smart
Card technology is promising to empower e-citizen with a multi-purpose transacting
device in near future.

"Smart cards are gaining pre-eminence as the ultimate portable and network personal
computers of today. With the growth of e-commerce, card based personal systems will
remain the most common online payment method. Businesses and countries that do not
use these technologies are unlikely to capture global markets. With the availability of
better security technologies and lower costs, smart cards have the potential for use in
many applications such as the banking retail payments, vehicle registration, internet
payments, citizen ID, e-governance, driving license, health records etc. Deployment of
smart card in welfare schemes such as public distribution systems would ensure timely
and efficient benefits to the targeted audience.

There is a large local market for smart cards in India and an integrated approach for
widespread deployment of smart cards is being conjectured with active participation from
major user departments, financial institutions and industry. In this context, and also to
ensure interoperability, it is necessary to define common standards for multi-Application
Smart Cards in India.

"It was decided to set up a committee under the Chairmanship of Secretary, MIT to
examine issues related to deployment of smart cards, identify applications, infrastructure
requirements including banking and payment infrastructure and evolve standards to
ensure interoperability. The Committee would examine international best practices and
define the standards for the terminals and the security requirements to eliminate risks of
frauds, as far as possible and thereby ensure widespread adoption of smart cards in all
sectors of the economy. The Committee would also deliberate on the issue of type
approval and identify areas where the local industry can play a major role. It was
decided to set-up two sub-committees to evolve a comprehensive framework to facilitate
deployment and manufacture of multi-application smart cards in India. The first sub-
committee (Sub-Committee - I) would focus on a common identification system, and
non-financial applications in Government sector. The second sub-committee (Sub-
Committee - II) would focus on Financial and Banking applications in both public and
private sectors, as well as issues pertaining to non-financial, non-Government
applications. The Sub-committee-II would also examine the issues of interoperability and
standards."

[source - Website of Ministry of Information Technology]

The main committee and sub-committee have been conducting deliberations. The main
committee had three meetings. The minutes of the meetings can be viewed from the
Ministry's website at URL - http://www.mit.gov.in/smartcard/index.asp.

After publishing the minutes of these meetings the Government have invited suggestions
from interested members of the public. These suggestions are to be submitted before 15th
December 2002.

While the project therefore awaits finalisation, as per information gathered the following
proposals have received a concrete shape:

Sources in DIT also revealed that while a broad consensus has already emerged during
the October 31, 2002 meeting of the inter-departmental committee on the guidelines that
would determine smart cards operation parameters, the Smart Card Initiative committee
(SCIC) is currently busy sorting out complicated issues like standards and specifications
for smart cards and terminals.

It is also working on cryptography issues, standards for interface and issues related to
interoperability. According to a senior official in DIT, the committee needs to address
these issues in advance in order to ensure that once the project is rolled out vendors do
not start shipping products that are unable to talk to each other.

The inter departmental committee, including RBI, Institute for Development and
Research in Banking Technology (IDRBT), IBA, Election Commission of India, Ministry
of Finance, Indian Railways, Ministry of Surface Transport, Bureau of Indian Standards
and also representatives from the Army, IT industry, smart card forum and IIT also agreed
that all banking and financial application related smart cards need to be secured using
PKI-based system.

However, members of the committee also agreed to the need for setting up a key
management infrastructure for non-PKI multi application smart cards. According to
sources, the SCIC has recommended that while PKI enabled Smart Cards should be used
during the initial period, the issue of setting up a key management agency for symmetric
cards should be reviewed later.

Project for Smart Card Implementation in India


[Source - Website of Cyber India Online Ltd ]
[http://www.ciol.com/content/news/trends/102121402.asp]

The RBI, in collaboration with the Department of Information Technology would soon be
launching a pilot project for smart card implementation in India. The e-purse project is
part of the multi-function smart card project under active consideration by the ministry,
wherein a single smart card can be used for a host of applications like driving licenses,
electricity and water bills or even taxes. RBI plans to roll out these services as part of its
financial application based pilot project for smart card implementation in India.

RBI has also decided to issue a special directive thereby enabling 22,500 PCOs across the
country to act as multifunctional service delivery points (SDPs). As per the earlier RBI
guidelines, only banks can function as SDPs. However, the decision to amend this rule
was taken keeping in mind the high penetration and accessibility factors of PCOs that are
essential for the success of this roll out. The project is primarily aimed at benefiting the
poorest of the poor.

According to V B Taneja, senior director, DIT and director of the smart card project, the
pilot project proposes to upgrade 22,500 PCOs to act as multifunctional service delivery
points (SDPs) having smart cards based payment system and acting as franchises of
various banks. Each PCO booth would be upgraded with a telephone terminal, an Internet
appliance, and two pocket sized e-purse-only terminals.

The respective PCO owners will have accounts with a bank where they will deposit the
cash thus collected, and will be paid a service charge in lieu. Industry sources reveal that
while the price of a 32-KB smart card is around Rs 200, an offline card reader can cost
around Rs 18,000, depending on individual vendors and systems integrators. While the
cost of upgradation and equipment will also have to be borne by PCO owners, consumers
would need to pay for the one time cost of the card," said Taneja.

According to IT Secretary Rajeev Ratna Shah, the pilot project is expected to be launched
across 63 cities in the country by early next year. The e-purse project is part of the multi-
function smart card project under active consideration by the ministry, wherein a single
smart card can be used for a host of applications like driving licenses, electricity and
water bills, or even taxes; and simultaneously can also be used as an e-purse. However,
the pilot project will see only the e-purse function being activated, other utilities like
driving license, or payment of pensions using the same card to trigger off after the
completion of the pilot, circa 2004.

The committee also discussed the ID number schema proposed by a sub-committee under
the chairmanship of Dr Vivek K Agnihotri, Additional Secretary, DAR&PG. Based on the
sub-committee's report, SCIC also recommended that while the ID number should be
non-significant, the issuing office number should definitely be part of the ID number.

Keeping a provision for 9999 centers, the SCIC also decided to have a 12-digit ID
number with 4 digits for issuing office number and 8 digits for person's ID. This,
according to a committee member, is also aimed at reducing the ID number size from 16
to 12 digits. Other information like place of birth, state or village code will be kept as
fields of record. The committee also suggested that ID cards should be issued after
authorization from a separate authorization center, which could be based on the place of
birth.

The committee has also suggested that the smart card reader should be an offline one. This
will help bypass the capital investment that an online device would entail. It would have
two slots - one for the user's smart card, and the other for the owner's smart card. The
SCIC estimates that an average of 50 such cards would be issued per SDP - a total
issuance of 1,125,000 cards during the pilot. SCIC has also recommended that two types
of interoperable cards with PKI - full function debit (e-purse, direct debit and ATM) and
e-Purse-only cards - be deployed for the project.

Talking about back-end requirements for such an implementation, managing director of
Smart Chip and a member of the SCIC Sanjeev Shriya said, "It could be anything - from
Oracle / DB2 or UNIX, but they would be platform-agnostic." Ministry sources also
inform that interoperable interfaces will be used for financial and multiple applications;
EMV for debit, CEPS for e-purse and GlobalPlatform for post-issuance will be
demonstrated in the project.

The project also aims to use biometrics based PKI and PSTN lines for dial up access,
DSL based broadband internet access, wireless internet access using variants of
GSM/CDMA and WLL, leased lines, ISDN and V-SAT links, among others.

According to Shah, the total duration of the trial run or the pilot would be 11 months,
consisting of one month for deployment of network and back-end systems, three months
for proof-of-concept phase on smart card based payment systems and remaining seven
months for the deployment phase. While the committee has recommended that the
deployment phase should be completed by the end of FY 2002-03, sources in the ministry
point out that a project of such magnitude may suffer several unforeseen snags, and
specific details like the roll out time may change drastically.

The final shape of the project will be announced soon. "The outline of the project and the
reports of the various smart card committee meetings have been posted on the ministry of
information technology website for suggestions from the smart card industry and the
masses. Let us evaluate these suggestions first - and if necessary incorporate these
suggestions - only then will we be in a position to formally announce it," (Mr. Taneja,
Secretary, DIT).

A case study

Project: 3 - Module: 1 - Internet Banking by ICICI Bank Ltd


A Success Story
(by MS. KG Lakshmi, PG Student, IIPM, Mumbai)

Table of Contents

1. Module: 1 - Introduction
2. Module: 2 - About ICICI Bank Ltd.
3. Module: 3 - Advent of Technology Usage by Banks in India
4. Module: 4 - ICICI Infotech Services Private Ltd
5. Module: 5 - Advent of Internet Banking
6. Module: 6 - Advent of Internet Banking in India
7. Module: 7 - Internet Banking by ICICI Bank Ltd. - Personal Banking
8. Module: 8 - Internet Banking by ICICI Bank Ltd. - Corporate Internet Banking

Module: 1 - Introduction - Page: 1 of 1

The Focus - A Symbol of New India

An organisation functions as an integral part of a system or a group. It
has to accept the discipline and regulatory ethics of the system/group. It
has also to compete within the group and strive to excel in its
performance. An organisation also operates within a social, economic
and political environment. It has to understand and co-relate to the
opportunities provided and threats emanating from the environment.
The miracle progress of ICICI Bank Ltd. within a short time of its onset
can be better understood through a focus on these two factors.

ICICI Bank is a symbol of the post reform era of Indian Banking. It
represents the thrust and dynamism of the new Indian mind. Technology
driven banking and product diversification to maintain competitiveness
and to ensure customer delight are the new mantra of today's globalised
business. ICICI Bank, in this respect, represents the synergy of
intellectual assets backed by technology support. The cream of the
officers of ICICI are young, dynamic, professionally qualified
executives dedicated to the betterment of the organisation. The example
of ICICI needs to be followed extensively by other members of the
banking community.

The phenomenal business growth and product diversification leading to ascending the
lofty position of No.2 in the Indian Banking Scenario achieved by ICICI Bank Ltd.,
within a decade of its incorporation overtaking nationalised banks that are established and
operating for about a century in the country can be termed as a banking miracle. This
miracle has been made possible due to -

• Advent of liberalised banking regime in India after the Banking & Financial
sector reforms.
• Use of technology in every sphere of banking operations by the Bank from the
very beginning to provide for the highest per-employee business turnover and
profitability.

This article studies in depth the provision of Internet Banking by ICICI Bank Ltd. to an
extent unsurpassed by any other domestic bank in India. But to understand this
phenomenon it is necessary to study the structure and environment under which ICICI
Bank Ltd. came to be established and the new policy ambience under which Indian Banks
accepted wholesale computerisation of their operations within the individual
branch/office, inter-branch/inter-office operations and inter-bank operations since the
middle of Nineties. While other banks are still in the middle of this process, shifting from
manual to the new order, ICICI was born and bred in the new spirit of today's globalised
technology driven banking.

The face of Indian Banking underwent revolutionary changes with the advent of
Financial and Banking Sector Reforms initiated since 1992. The era of controlled and
directed banking was replaced by deregulated banking institutions competing among
themselves and trying hard to woo the customer. The reforms in India, in the first phase,
have provided the necessary platform to the banking sector to operate on the basis of
operational flexibility and functional autonomy, thereby enhancing efficiency,
productivity and profitability. The reforms brought out structural changes in the financial
sector, eased external constraints in their working, introduced transparency in reporting
procedures, restructuring and recapitalisation of banks and have increased the
competitive element in the market.

Module: 2 - About ICICI Bank Limited (Page: 1 of 1)

As part of the process of creating competitiveness in the banking industry a number of
new private-sector banks (popularly called the 'New Private Sector Banks') were licensed
from 1994 to commence banking operations and foreign banks operating in India were
permitted to expand their branch network. The new private sector banks opened in this
context commenced their operations organised on global standards, investing in high
technology to replace manual labour in all their operations. As per the new licensing
policy UTI Bank was the first new private bank to come into operation in 1994.
Subsequently in the same year ICICI Bank Ltd. was established. The Bank was registered
as banking company on January 5, 1994 and received its banking license from the
Reserve Bank of India on May 17, 1994. The Bank was promoted by ICICI Ltd.
(Industrial Credit and Investment Corporation of India), an all India Financial Institution as
its subsidiary. ICICI Bank Ltd. registered phenomenal growth from its inception in all
spheres.

The Bank raised its IPO (initial public offer) in 1998, resulting in the reduction of the
stake of ICICI Ltd. in its subsidiary to 46%. In the year 2000 the bank made equity
offering in the form of ADRs listed on the NYSE. ICICI Bank's acquisition of Bank of
Madura Limited in an all-stock amalgamation in fiscal 2001 further improved its
coverage of branches in the South, while secondary market sales by ICICI to institutional
investors in fiscal 2001 and fiscal 2002 augmented its capital. As at 31.03.2003 its
Capital stands at Rs.962.66 crore and Reserves at Rs.6320.65 crore.

Amongst the Indian Banks today ICICI employs the minimum workforce. Its per
employee business turn over is the highest at Rs.8.87 Crores (per employee aggregate
assets consisting of advances + investments), while for SBI the largest amongst banks in
India, it is about Rs.2.17 Crores.

ICICI Bank Ltd. initiated its operations in 1994 fully computerised and was able to
diversify its banking products widely to meet the different needs of each customer, as
also different needs of different customers. It has computerised all customer operations
and introduced Internet Banking both in respect of personal banking products and
corporate banking products at par with such foreign banks like HSBC, Citibank or
Standard Chartered within the shortest span of time. It ranks No.1 or No.2 in almost all
parameters like extension of retail credit, Internet banking, product diversification etc. It
extensively meets the criteria to be eligible to be called a Universal Bank.

About ICICI Ltd. (Industrial Credit and Investment Corporation of India)

ICICI was formed in 1955 as a developmental all India financial Institution at the
initiative of the World Bank, the Government of India and representatives of Indian
industry for providing medium-term and long-term project financing to Indian
businesses. In the 1990s, ICICI transformed its business from a development financial
institution offering only project finance to a diversified financial services group offering a
wide variety of products and services, both directly and through a number of subsidiaries
and affiliates viz. ICICI Bank, ICICI Securities, ICICI Prudential Life Insurance
Company, ICICI Lombard General Insurance Company and ICICI Venture. In 1999,
ICICI became the first Indian company and the first bank or financial institution from
non-Japan Asia to be listed on the NYSE.

In October 2001, the Boards of Directors of ICICI and ICICI Bank approved the merger
of ICICI and two of its wholly owned retail finance subsidiaries, ICICI Personal
Financial Services Limited and ICICI Capital Services Limited, with ICICI Bank. The
merger was approved by shareholders of ICICI and ICICI Bank in January 2002, by the
High Court of Gujarat at Ahmedabad in March 2002 and by the High Court of Judicature
at Mumbai and the Reserve Bank of India in April 2002. Consequent to the merger, the
ICICI group's financing and banking operations, both wholesale and retail, have been
integrated in a single entity. This resulted in an optimal strategic alternative for all
entities, and created an excellent legal structure for the ICICI group's universal banking
strategy.

ICICI Bank grew by leaps and bounds ever since the IPO in 1998 as well as the NYSE
listing in 2000. The number of customers grew in large numbers, while the merger with
Bank of Madura added further strength. The rapid growth and development witnessed by
the Bank within a decade has made ICICI Bank now ranked as the second-largest bank in
the country in addition to being the largest amongst the private sector banks. As at the end
of last financial year March, 2003 its total assets were of about Rs.106,812 crore with a
network of about 450 branches/ offices and about 1700 ATMs.

Today ICICI Bank is ranked next to State Bank of India. While SBI has 9028 branches
ICICI bank's network is only 450 branches. While SBI has over two lakh employees,
ICICI Bank has on its rolls less than 10000 persons. Over a total asset base of Rs.310,000
Crore (consisting of Deposits Rs.296,123 crores + Advances Rs.137,758 crore) SBI as at
31.03.2003 has posted a net profit of Rs.3105 Crore. ICICI's corresponding figures are
asset base Rs.1,01,448 crore (Deposits Rs.48,169.30 crore + Advances Rs.53,279.41
crore) and net profit Rs.1206 Crores. Within the first decade of its operation ICICI Bank
has overtaken all the nationalised banks in business turnover and working results.

ICICI Bank at present offers a wide range of banking products and financial services to
corporate and retail customers through a variety of delivery channels and through its
specialised subsidiaries and affiliates in the areas of investment banking, life and non-life
insurance, venture capital, asset management and information technology. ICICI Bank's
equity shares are listed in India on stock exchanges at Chennai, Delhi, Kolkata and
Vadodara, the Stock Exchange, Mumbai (BSE) and the National Stock Exchange of India
Limited (NSE) and its American Depositary Receipts (ADRs) are listed on the New York
Stock Exchange (NYSE).

Module: 3 - Advent of Technology Usage by Banks in India (Page: 1 of 1)

We have been witnessing since about the early Sixties the phenomenon of widespread use
of computers and communication technology in most of the industrialised and emerging
market economies. This has resulted in faster funds movement across nations and
borders. Computerisation became popular in the western countries right from the Sixties.
Main Frames were extensively used both by the Public Institutions and Major Private
Organizations. In the Seventies Mini Computers became popular and Personal Computers
in early Eighties, followed by introduction of several software products in high level
languages and simultaneous advancement in networking technology. This enabled the use
of personal computers extensively in offices & commercial organisations for processing
different kinds of data.

However, in India organised Trade Unions in those years were against the introduction of
computers in Public Offices. In India, computerisation was restricted to major scientific
research organizations, technical institutes and defence organizations. Indian Railways
accepted computerisation for operational efficiency (not commercial services for
customer benefit).

Globalisation of economies and financial liberalisation within the economies have opened
new opportunities of growth for techno-savvy institutions, while for the others these have
resulted in shrinkage of revenues. The use of IT in the banking industry in our country
has however been limited up to the end of the Nineties and has, as a result, restricted our
presence in international operations. Even in critical spheres such as those involving
funds transfer, and MIS based decision making, there has been little evidence of proactive
movement towards wholesale computerisation.

Rapid development of business and industry brought manual operations of data to a
saturation point. This acted as an overload on the growing banking operations. Government
owned banks in general found the "house-keeping" unmanageable. Several heads of
accounts, in particular inter-bank clearing and inter-branch reconciliation of accounts,
went totally out of control.

Low productivity pushed cost of wages high and employees realised that unless they
agreed for computerisation further improvement in their wage structure was not possible.

In the year 1993, the Employees' Unions of Banks signed an agreement with Bank
Managements under the auspices of Indian Banks' Association (IBA). This agreement
was a major breakthrough in the introduction of computerised applications and
development of communication networks in Banks. The first initiatives in the area of
bank computerisation, however, stemmed from the landmark reports of the two
committees headed by the former Governor of the Reserve Bank of India
Dr.C.Rangarajan. Both the reports had strongly recommended computerisation of
banking operations at various levels and suggested appropriate architecture.

The first of these Committees, viz. the Committee on the Mechanization of the Banking
Industry (1984) was set up for the first time to suggest a model for mechanisation of bank
branches, regional / controlling offices and Head Office necessitated by the explosive
growth in the geographical spread of banking following nationalization of banks in 1969.
In the first phase of computerisation spanning the five years ending 1989, banks in India
had installed 4776 ALPMs at the branch level, 233 mini computers at the
Regional/Controlling office levels and trained over 2000 programmers/systems personnel
and over 12000 Data Entry Terminal Operators. The Reserve Bank too had embarked
upon an ambitious program to bring about state-of-the-art technology in the clearing
process and had introduced MICR clearing at 4 centres and computerized clearing
settlement at 9 centres.

Against this backdrop, the Committee on Computerisation in Banks was set up once
again under Dr.Rangarajan's Chairmanship to draw up a perspective plan for
computerisation in banks. In its report submitted in 1989, the Committee acknowledged
the gains of the initial efforts and sought to move away from the stand-alone dedicated
systems to an on-line transaction-processing environment in branch banking. It
recommended that the thrust of bank computerisation for the following 5 years should be
to fully computerise the operations at both the front and back offices of large branches
then numbering around 2500.

The Reserve Bank continued to be involved in shaping the technology vision of the
banking system. Following the recommendations of the Committee on Financial Sector
Reforms, (which is popularly known as the second Narasimham committee), a
Committee on Technology Upgradation was set up by the RBI for the Banking Sector in
1994. This committee has representation from banks, Government, technical institutions
and the RBI. Among other things, this committee looked into issues relating to

1. Encryption of Public Switching Telephone Network (PSTN) lines
2. Admission of electronic files as evidence
3. Record keeping
4. Modalities for a satellite based WAN for banks and financial institutions with the
necessary security systems by banks and other financial institutions, to ultimately
develop a sound and an efficient payments system.
5. Methods by which technological upgradation in banks and financial institutions
could be effected and in the context study the feasibility of establishment of
standards, designing payments system backbone and standards relating to security
levels, messages and smart cards.

By now most of these recommendations have already been implemented. The Committee
realised the urgent need for training, research and development activities in the Banking
Technology area. Banks and Financial Institutions started setting up Technology based
training centres and colleges. However, a need was felt for an apex level Institute, which
could be a Think-tank and Brain Trust for Banking Technology. RBI thus established the
IT services-cum-training centre at Hyderabad, the IDRBT (Institute for Development &
Research in Banking Technology).

The RBI Report on Banking published on 15.11.2001 starts with the opening narration-
"In recent years, the banking industry has been undergoing rapid changes, reflecting a
number of underlying developments. The most significant has been advances in
communication and information technology, which have accelerated and broadened the
dissemination of financial information while lowering the costs of many financial
activities. A second key impetus for change has been the increasing competition among a
broad range of domestic and foreign institutions in providing banking and related
financial services. Third, financial activity has become larger relative to overall economic
activity in most economies. This has meant that any disruption of the financial markets or
financial infrastructure has broader economic ramifications than might have been the case
previously". This explains the all round use of information technology in banking
operations and customer service i.e. both backend and front-end. Computerisation brings
transparency, improves customer care and customer-service tremendously and reduces
substantially scope for corruption or extending undue favour to particular constituents
and uneven service to others.

Challenges Faced in Computerisation

Computerisation is expensive and needs huge investment in hardware and software and
subsequent maintenance. The National Stock Exchange, India's No.1 (first) user of
computerised service, spent Rs.180 Crores when it was set up in November 1992 to
enable investors and brokers across the country to trade securities online. It was
considered a huge investment in those days. The rate of obsolescence in respect of both
hardware and software is considerable. New and better products are emerging in the
market, whose use would enable a rival organization to throw a challenge.

Computer crimes are committed widely in the West. India is no less potentially exposed
to this risk, when turnover under Internet banking increases. It is easier to enforce
security of information and accountability of performers in a manual system. But it needs
elaborate steps to incorporate these features in the electronic system.

The structure of legal system is so far based on manual record keeping. It has to provide
for electronic data to be accepted legally as evidence and in contracts.

Indian banking has accepted computerisation since 1993, more out of sheer compulsion
and necessity to cope with the increasing overload and incompatibility of the manual system to
sustain further growth. But it is now realised that computerisation provides not only
operational efficiency and speed, but also enables product diversification (like
anywhere/anytime banking) and substantial reduction in cost of service. The British
developed us as a nation of clerks. Today we are more advanced and computerisation will
enable talented and qualified young men/women of our country to secure better careers
and better opportunities to exploit fully the potential in them.

Module: 4 - ICICI Infotech Services Private Ltd (Page 1 of 1)

Recognising the supreme role of technology in Industry and in particular in financial
institutions, ICICI Ltd. floated a group company, ICICI Infotech Services Ltd. in 1993,
even before incorporating ICICI Bank Ltd. in 1994. ICICI Infotech acts as the IT arm for
the group and its customers.

ICICI Infotech Services Limited, a leading software solutions and services provider based
in India, was established in October 1993. The company presently focuses on software
development & web-enabling businesses, IT enabled services and IT infrastructure,
communications and related services. As on June 30, 2000, the net worth of the company
was Rs 481 million, of which the share capital accounted for Rs 60 million and the
reserves and surplus accounted for Rs 421 million.

ICICI Infotech has already done pioneering work in web solutions, e-commerce and m-
commerce, and this expertise will be utilized to take advantage of emerging market
opportunities. As a result of its IT driven innovations and efficient work processes, ICICI
Infotech was awarded the ISO 9001 and IQ Net certifications by Standards Australia.
ICICI Infotech today employs about 750 professionals, of which about 120 are employed
in the United States.

Module: 5 - Advent of Internet Banking (Page: 1 of 1)

Technology driven or computerised banking services envisage the following areas to be
computerised:

1. Back-end data/transaction processing at the branches/offices. This ensures speed,
efficiency and elimination of errors.
2. Front-end operations enabling the customers at their option to make use of
technology to put through their transactions from anywhere and at anytime. This
in particular refers to Internet Banking. The customer has the option to call at the
office personally and satisfy his needs, or he may use an ATM for certain services
located at different places of convenience, or he may use the Internet from the
comfort of his own place of stay or from any other point of his mobility to have
his transactions with the branch. Even when he personally calls at the Bank's
counter, he may choose to visit any of the branches of the Bank at any place, even
though he may be having his accounts at a different branch.
3. Branch/office to branch/office of a bank and from branch/office of a bank to other
Financial Institutions transactions are also covered on account of revolution in
telecommunication and creation of inter-connectivity between different
establishments on a global level. RBI within India through INFINET &
BANKNET, and SWIFT at the international level looks after inter-institutional
connectivity. Inter-branch/office connectivity is the responsibility of the particular
banks.

Before discussing Internet Banking, it is essential to say a few words about the
Internet and the World Wide Web. The Internet is a network of networks. It is not a single
network, but a global interconnected network of networks providing free exchange of
information. It implies the most pragmatic use of information technology as medium of
universal communication. It has brought unprecedented changes in society. Spanning the
entire globe the Net has redefined the methods of communication, work, study, education,
interaction, entertainment, health, trade and commerce. It provides interesting services
like e-mail, e-commerce, file retrieval and other Internet tools. The influence of Internet
on every aspect of our life is immense. It has revolutionised our perception and has
made us all a part of one single "global village". It has brought about the value of
knowledge and intellectual capital as prime assets of multinational corporate business
houses in the new Information Age.

The World Wide Web, which is a part of the Net, is a collection of web pages. It contains
information that can be a combination of text, pictures and hyperlinks. The increasing
popularity of the Net is on account of the World Wide Web. The web allows easy
navigational facility. Clicking on a link can lead us to our destination. Web pages contain
multimedia applications including sound files. Web pages allow user interaction and
subsequent data processing after user intervention and inputting his command or request.
It processes such information/request and flashes back appropriate response to the user on
the screen.

The versatile facilities and opportunities provided by the Internet and World Wide Web
led to the development of electronic commerce. This became possible when the Internet
transformed from the original system of providing static web pages into an interactive
two-way medium thanks to advancement in software technology. Electronic Commerce is a
system, which includes transactions that center on buying and selling goods and services
to directly generate revenue. Electronic commerce builds on the advantages and
structures of traditional commerce by adding the flexibility offered by electronic
networks. E-commerce helps conduct of traditional commerce through new ways of
transferring and processing information, since it is information, which is the heart of
commercial activity.

E-banking and electronically providing financial services are branches of electronic
commerce. The primary problem faced by both service providers and seekers through the
electronic media at the earlier stages was to ensure security, integrity of the transmitted &
stored data, secrecy and to prevent unscrupulous hackers interfering and manipulating
transactions. They could intercept messages from the electronic media, and get access to
sensitive data like "passwords" and credit card numbers and thereafter cause extensive
hacking of the web-sites. Extensive cases of "computer-crimes" and "computer-frauds"
happened at the earlier stage.

But every necessity serves as the mother of new innovation and invention. The problem
was quickly tackled by software engineers developing new devices like Site Security
Firewalls, Filtering Routers, Secure Sockets Layer (SSL), 128-bit encryption environment,
Verisign Digital Certification etc. A firewall is a dedicated system designed to provide a
layer of security between corporate systems and the public Internet. Incoming network
connections can be (selectively or totally) prohibited, making it possible for users to dial
out but impossible for others to dial in. A router can filter packets of information based on
predefined rules. The SSL protocol provides browsers and web-servers with three
important security services - encryption, certificates and message integrity. Message
integrity is a mathematical way of checking whether the message received by the
browser or server has been tampered with. Encryption addresses the risk of unauthorised
persons reading the user's data as it travels around the net. The encrypted data is
scrambled so that unauthorised persons cannot understand it even if they access the data.
In electronic transactions the user can encrypt a digest with a private key to create a
digital signature. These innovations cleared the barriers for the fast development of all
facets of electronic commerce.
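
The integrity check and the digest signed with a private key, described above, can be seen working in the following added example, which is not part of the original article. It assumes a keyed SHA-256 digest (HMAC) for the integrity check and textbook RSA without padding for the signature; the key pair, the session secret and the payment message are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demonstration key pair built from two known Mersenne primes.
# Assumption of this example: such primes are far too structured and the
# scheme has no padding, so this is for illustration only, never for real use.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

# Constructed sample data: a payment instruction and an altered copy of it.
ORIGINAL = b"PAY payee=ACC-0002 amount=1000.00 INR ref=DEMO-1"
TAMPERED = b"PAY payee=ACC-0002 amount=9000.00 INR ref=DEMO-1"
SESSION_KEY = b"constructed-shared-session-key"


def digest_int(message: bytes) -> int:
    """SHA-256 digest of the message as an integer (256 bits, well below N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Digital signature: the digest transformed with the private key."""
    return pow(digest_int(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Undo the signature with the public key and compare it with a digest
    computed afresh from the message that actually arrived."""
    if not 0 <= signature < N:
        return False
    return pow(signature, E, N) == digest_int(message)


def mac(key: bytes, record: bytes) -> bytes:
    """Keyed digest sent along with a record so the receiver can check it."""
    return hmac.new(key, record, hashlib.sha256).digest()


def record_intact(key: bytes, record: bytes, tag: bytes) -> bool:
    """Integrity check: recompute the keyed digest and compare in constant time."""
    return hmac.compare_digest(mac(key, record), tag)


def run_demo() -> dict:
    """Sign and tag the original message, then test both copies against them."""
    signature = sign(ORIGINAL)
    tag = mac(SESSION_KEY, ORIGINAL)
    return {
        "signature_ok_original": verify(ORIGINAL, signature),
        "signature_ok_tampered": verify(TAMPERED, signature),
        "integrity_ok_original": record_intact(SESSION_KEY, ORIGINAL, tag),
        "integrity_ok_tampered": record_intact(SESSION_KEY, TAMPERED, tag),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

Changing a single digit of the amount changes the digest, so both the keyed integrity check and the signature verification reject the altered message.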

The Internet and World Wide Web came to be extensively used in banking transactions in a
number of ways. This has provided immense benefit to the customers and ensured total
accuracy of transactions. The concept of providing services to the customers for 24 hours
per day and 7 days per week (any time, anywhere banking) became possible, and that too
without the customer visiting the bank, as he could remain at his own place before his
desktop. Development of specialised software suited for use by banks and financial
institutions became prized options and many new products came into usage. In particular
banks and financial institutions have benefited on three broad areas as under:-

• Hosting their web site on the World Wide Web to publish their corporate image on
the global level and furnish detailed information about the products, services they
offer, as also the terms and conditions thereof. If today one wants to know about
some service offered by American Express or Citibank or Standard Chartered
Bank, he need not visit these institutions or seek information over the
phone, he can simply surf to their respective web pages on the Internet and in case
he desires to know some additional particulars over and above what has been
stated in the site, he can get the same through e-mail.
• Total elimination of manual processing of data in terms of internal routine like
inter-branch reconciliation, monthly salary processing, posting and finalisation of
financial accounts and annual statements consolidating the transactions distributed
at several centres etc. led to labour productivity by leaps and bounds. The tasks
earlier handled by 10000 workers can now be turned out by a mere 500 to a
maximum of 1000 workers. All that the human worker has to do is to input the
primary data from control records to generate vouchers. All subsequent processes
are automated.
• Selling products to individual customers (B2C commerce) by banks, insurance
companies, stockbrokers, mutual-funds etc.
• Selling products to Corporate Customers, which may be broadly characterised as
B2B Commerce.

The World Wide Web provided a most convenient means for universal communications.
Banks and Financial Institutions hosted their web-sites on the web and were able to provide
information about their profile, about the key persons in the management, about their
products and services, and rules and terms of service etc. Through this means the
interaction with the clientele is total. No length of newspaper advertisements or other
media publicity can surpass this mode of information transmission, since the sites are
indexed through search directories and even a person who has no inkling about the
particular Bank or Institution will be made to visualise the data, when he searches on the
appropriate subject. Thus the web serves as a constant means to introduce the
organisation concerned throughout the entire globe.

A vast organisation employing thousands of persons and operating with a geographical
spread develops enormous internal routine and administrative systems and procedures. At
a single point much of this can be computerised, but the task of inter-linking data of
different geographical units is achieved by linking the network of different
branches/geographical units through an Intranet (also called WAN or Wide Area
Network). An Intranet is a wide area network and works on the same methodology as the
Internet, but it is restricted to specific users or Institutions and external access is not
allowed. The head office or administrative offices are thus linked with the systems of the
branches through Intranet. In this process MIS returns for any branch can be directly
compiled at the administrative office or Head office. This also solves the recurring
problem of reconciliation of inter-branch accounts.

Module: 6 - Advent of Internet Banking in India (Page: 1 of 1)

The Internet has already had a seismic effect on the way the financial services industry
conducts business in the west. It has permanently altered the way customers perceive
value, how value is delivered, and the profitability it can produce. However, coping with
internal and external environmental disturbances, Indian banks before the Nineties
fell far behind in preparing themselves for this challenge, which requires them to
urgently and radically restructure their business model. However, considering the
immense potential, Internet Banking is bound to have a profound impact in the coming
years. As per the view of Deepak Gupta of PricewaterhouseCoopers-

"Banking lives on the inadequacies of the system. The floats generated through delays
caused by unforeseen circumstances and unavoidable infrastructure problems have seen
even the least of the efficient banks sail through the worst of the times. But what if all
these inadequacies were to die and that too in a wave. It doesn't take much to recognize
that the Internet has already had a profound effect on the delivery of financial services
and is likely to bring more radical changes. Some years ago, Mary Meeker (Morgan
Stanley Dean Witter's Internet analyst) forecast that financial services would be among
the industries most profoundly affected by the Internet, since the distribution of financial
products doesn't require any physical exchange of goods. The impact is bound to be
higher and tougher for those in India as a slew of disturbances in the internal and external
environment kept them so much preoccupied that they hardly got a chance to prepare
themselves for the challenges of Internet that requires them to urgently and radically
restructure their business model"
(Source: Deepak Gupta, Consultant, PricewaterhouseCoopers - URL:
"http://www.geocities.com/deepakg2000/netbank.html".)

What is Internet Banking?

Internet banking enables a customer to do banking transactions through the bank's
website in the Internet. This is also called virtual banking, or net banking, or anywhere
banking. It is more or less like bringing the bank to your computer, at the place and time
of your choice.

Advantages of Internet Banking

"The advantages of Internet Banking are many. First, there is round-the-clock access. And
second, one can access the bank from anywhere in the world at one's own convenience.
For banks, the operational cost is very low, compared to any other form of banking
distribution channel. Against $1.07 for branch banking, it costs only $0.13 in Internet
banking. It is still cheaper than ATM where the cost is around 0.30 cents. The additional
advantage is that the bank need not invest in infrastructure and staff management." (Mr.
V. Narayanan, - faculty member of the Indian Overseas Bank Staff Training Centre, in his
article "Nuts and bolts of Internet Banking" published in "Business Line" online edition
dated Sunday, July 16, 2000)

Operational Procedure - Requirements for Accessing Internet Banking

Internet access can be done via either the "Dial-up" connection or DSL or Cable TV-
modem. The customer desiring to avail this service must have an account with the bank
and have executed the bank's agreement for availing Internet Banking Service as per the
terms and conditions of the bank. The Bank thereafter provides the customer with a
Unique personal password or Personal Identification Number (PIN) and also Financial
software such as MS-Money.

The customer visits the bank's web site (say www.icici.com) on the Internet. Then he
enters the Internet banking section, Infinity on-line, in this case. The personal password
supplied by the bank enables one to access the bank and do any required operation or
transaction. The bank can also be accessed from a cyber Cafe or Internet Cafe and one
need not own a P.C with Internet connection.

Type of Transactions or Operations that can be Undertaken

• Account information.
• Funds transfer.
• Online real-time payment for shopping done on Internet.
• Requests and intimations.
• Contacting/communicating with the accounts or relationship manager.
• Electronic bill payment towards utility bills.

However, right now on-line funds transfer from one bank to another is not possible in
India. Currently, one can transfer funds among the various branches of the same bank.
Optional software like MS-Money helps the customer to download information (historic
and current) of one's account(s) from the bank, and enables one to do some "what if"
analysis. For instance, if one has a foreign currency term deposit, one may want to know
what could be the savings. All such transactions are encrypted, using sophisticated multi-
layered security architecture, including firewalls and filters. One can rest assured that
one's transactions are secure and confidential.

Module: 7 - Internet Banking by ICICI Bank Ltd. - Personal Banking - (Page: 1 of 3)

(Data Extracted from ICICI Bank's Website)

Salient Features

• IDC (International Data Corporation), the premier global market intelligence and
advisory firm in the information technology and telecommunications industry,
estimates that the total number of registered users for Internet banking in India is
over two million. But this figure needs to be adjusted for dormant users and
multiple accounts (a user having accounts with more than one bank). India has a
little less than a million active Internet banking users. Though this is just
0.096 percent of the total population, it represents 15 percent of India's
Internet user population, indicating that the concept of Internet banking is
surely catching on.
• ICICI was the first bank to initiate the Internet banking revolution in India as
early as 1997 under the brand name 'Infinity'.
• ICICI Bank's Internet banking users are over 65 percent of all Internet
banking customers in India.
• ICICI Bank kicked off online banking way back in 1996 and a host of other banks
soon followed suit. But even for the Internet as a whole, 1996 to 1998 marked the
adoption phase, while usage increased only in 1999, due to lower ISP online
charges, increased PC penetration and a tech-friendly atmosphere. To quote
Mr. Anup Bagchi, head, Internet Banking, ICICI Bank, "We had launched the
Internet banking service even before the RBI had formulated its guidelines.
Fortunately, as it was a comparatively new concept, the regulating authorities
were extremely co-operative with us."
• ICICI Bank has been announced as the 'Best Consumer Internet Bank in India' by
Global Finance magazine, organizer of the World's Best Internet Bank Awards
2003. In addition, it has been announced as the 'Best-Integrated Consumer Bank
Site in the Asia/Pacific Region'.
• As per the statement of Ms. Chanda Kochhar, Executive Director, ICICI Bank,
"We are happy to be recognized for our efforts in Internet banking. Through
Internet banking we have endeavoured to provide comprehensive and anytime
banking facilities to our customers to enhance their overall banking experience.
This has led to our registered internet banking base increasing to 4 million
customers and over 10% of our banking transactions happening online."
• ICICI Bank pioneered Internet banking in India and today has the largest number
of retail customers on the net. ICICI Bank has been following a multi-channel
multi-product retail strategy with Internet banking being an integral channel of
customer interaction.
• The Bank services a growing customer base of more than 7 million customers and
6 million bondholder accounts through a multi-channel access network which
includes about 450 branches, 1690 ATMs, call centres and Internet banking.
• Costs of banking service through the Internet amount to a fraction of the costs
through conventional methods. Industry estimates assume teller cost at Re 1 per
transaction, ATM transaction costs at Re 0.45, phone banking at Re 0.35, debit
cards at Re 0.20 and Internet banking at Re 0.10 per transaction.
• Technology & Vendor Service offering - Infosys & ICICI Infotech
• Software Brand Name - "Infinity"

Module: 7(contd) - Internet Banking by ICICI Bank Ltd. - Personal Banking (Page: 2 of 3)

Allied Services - Mobile Banking

With ICICI Bank, Banking is no longer what it used to be. ICICI Bank offers Mobile
Banking facility to all its Bank and Credit Card customers. ICICI Bank Mobile Banking
enables the customer to bank while being on the move.

ICICI Bank Mobile Banking can be divided into two broad categories of facilities:

• Alert facility: ICICI Bank Mobile Banking Alerts facility keeps the customer
informed about the significant transactions in his accounts. It keeps him updated
wherever he goes.
• Request facility: ICICI Bank Mobile Banking Requests facility enables the customer
to query for his account balance.

The customer can subscribe to the Mobile Banking facility by logging on to the ICICI Bank
website, to avail the convenience of round-the-clock “BANKING AT HIS FINGER TIPS”.

ICICI Bank 24 Hours ATM

ICICI Bank's 24 Hour ATM network is one of the largest and most widespread ATM
networks in India. The ATMs are located in commercial areas, residential localities, major
petrol pumps, airports, near railway stations and other places which are conveniently
accessible to customers. ICICI Bank ATMs feature user-friendly graphic screens with
easy to follow instructions. The Bank has introduced ATMs which interact with
customers in their local language for increased convenience.
Following are the features available on our ATMs, which can be accessed from anywhere
at any time.

• Cash Withdrawal: The customer can withdraw up to Rs.15,000/- per day from his
account. Fast Cash option provides the facility of withdrawing prefixed amounts.
Ultra Fast Cash option allows the customer to withdraw Rs.3000/- in one shot.
• Balance Enquiry: The customer can know his ledger balance and available balance.
• Mini Statement: He can get a printout of his last 8 transactions and his current
balance.
• Deposit Cash / Cheques: Available at all full function ATMs. Customers can
deposit both cash and cheques. Cash deposited in ATMs will be credited to the
account on the same day (provided cash is deposited before the clearing) and
cheques are sent for clearing on the next working day.
• Funds Transfer: Transfer funds from one account to another linked account in the
same branch.
• PIN Change: Change the Personal Identification Number (PIN) of the ATM or Debit
card.
• Payment: The latest feature of our ATMs, this functionality can be used for
payment of bills, making donations to temples / trusts, buying internet packs,
airtime recharges for prepaid mobile phones and much more.
• Others: The customer can request a cheque book from the ATMs and the
concerned branch will dispatch it such that it reaches him within 10 working days.

Online Shopping Mall Service

Internet customers can avail of online shopping mall services through the Bank’s partner
shopping sites using their Internet Banking User ID and Transaction Password.

The Bank offers

• Tie-ups with over 40 major shopping sites offering online shopping
• A safe mode of payment ensuring highest security online.

Steps to avail the service

• Visit the Online Shopping Site
• Make your desired purchases
• Pay using ICICIBank.com, Internet Banking Option of ICICI Bank
• You will be asked to enter your Internet Banking User ID and Login Password
• Select the ICICI Bank account using which you desire to pay
• Enter your Transaction Password
• Your selected account will be debited by the amount of purchases made

You will receive the delivery of goods / services bought in due course as per the delivery
norms of the Service Provider.

Bill Payment Facility through Internet Banking

• Using ICICI Bank Bill Pay is the easiest way to manage bills. Bills can be paid
anytime, anywhere, for free.
• The customer can pay his regular monthly bills (telephone, electricity, mobile phone,
insurance etc.) right from his desktop.
• No more missed deadlines, no more loss of interest – the customer can schedule
his bills in advance, avoid missing the bill deadlines as well as earn extra interest
on his money.
• The customer can track the payment history: all his payments to a biller are stored
automatically for his future reference.
• For certain billers, he can even view the bill online. So no more hunting around to
find the right amount to be paid.
• He can use his ICICI Bank Credit Card to pay bills for certain other billers.
• The Bank also has a programme to launch functionalities like auto scheduler and
bill alerts - no more remembering trivial bill details. We'll keep you posted on this.

Products and Services – Online Share Trading

A product for every need: ICICIdirect.com is the most comprehensive website, which
allows the customer to invest in shares, mutual funds and other financial products.
Simply put, we offer the customer a product for every investment need.

Trading in shares:

ICICIdirect.com offers the customer various options while trading in shares

Cash Trading:

This is a delivery based trading system, which is generally done with the intention of
taking delivery of shares or monies

Margin Trading:

The customer can also do intra-settlement trading up to 4 times the customer’s
available funds, wherein the customer takes long buy/short sell positions in stocks with
the intention of squaring off the position within the same settlement cycle.

Spot Trading:

When the customer is looking at an immediate liquidity option, 'Cash on Spot' may
work the best for the customer. On selling shares through "cash on spot", money is
credited to the customer’s bank a/c the same evening. This money can then be withdrawn
from any of the ICICI Bank ATMs.

BTST:

Buy Today Sell Tomorrow (BTST) is a facility that allows the customer to sell shares
even one day after the buy order date, without the customer having to wait for the receipt
of shares into the customer’s demat account.

CallNTrade® :

CallNTrade® allows the customer to call on a local number in the customer’s city & trade
on the telephone through our Customer Service Executives. This facility is currently
available in over 11 major states across India.

Trading on NSE/BSE:

Through ICICIdirect.com, the customer can trade on NSE as well as BSE.

Market Order:

The Customer could trade by placing market orders during market hours that allows the
Customer to trade at the best obtainable price in the market at the time of execution of the
order.

Limit Order:

Allows the customer to place a buy/sell order at a price defined by the customer. The
execution can happen at a price more favorable than the price defined by the
customer. Limit orders can be placed by the customer during holidays and non-market
hours too.

Investing in Mutual fund:

ICICIdirect.com brings the customer the same convenience while investing in mutual
funds also: hassle-free and paperless investing. With the inclusion of Birla Sun Life MF
and Sundaram MF, the customer can now invest on-line in 7 mutual funds through
ICICIdirect.com. Prudential ICICI, Zurich, JM Mutual, Alliance and Franklin Templeton
are the other MFs available for investment. The customer can invest in mutual funds
without the hassles of filling application forms or any other paperwork. The customer
needs no signatures or proof of identity for investing. Once the customer places a request
for investing in a particular fund, there are no manual processes involved. The customer’s
bank funds are automatically debited or credited while simultaneously crediting or
debiting the customer’s unit holdings. The customer also gets control over his
investments with online order confirmations and order status tracking, and can get to
know the performance of his investments through online updation of the MF portfolio
with current NAV.

ICICIdirect.com offers the Customer various options while investing in Mutual Funds:

Purchase:

The customer may invest/purchase Prudential ICICI, Zurich, JM Mutual, Alliance,
Franklin Templeton, Birla Sun Life MF, Sundaram MF, IL&FS MF and IDBI Principal
without the hassles of filling application forms.

Redemption:

In addition to giving hassle-free paperless redemption, ICICIdirect.com offers faster
liquidity. The customer can redeem the mutual fund units through ICICIdirect.com. The
money will be credited to the customer’s bank account automatically 3 days after the
order placement date.

Switch: To suit the customer’s changing needs:

The customer may wish to shift monies between different schemes. The customer can
switch the customer’s monies online from one scheme to another in the same fund family
without any hassles.

Systematic Investment plans (SIP):

SIP allows the customer to invest a certain sum of money periodically over a period of
time. Just fill in the investment amount, the period of investment and the
frequency of investing and submit. ICICIdirect.com will do the rest, automatically
investing periodically for the customer.

Systematic withdrawal plan:

This allows the customer to withdraw a certain sum of money over a period of time
periodically

Transfer-in:

The customer can convert the customer's existing Mutual funds into electronic mode
through a transfer-in request.

Module: 7(contd) - Internet Banking by ICICI Bank Ltd. - Personal Banking (Page: 3 of 3)

Trade In Derivatives - Futures


Through ICICIdirect.com, the customer can now trade in index and stock futures on the
NSE. In futures trading, the customer can take buy/sell positions in index or stock(s)
contracts having a longer contract period of up to 3 months. Trading in FUTURES is
simple! If, during the course of the contract life, the price moves in the customer’s favour
(i.e. rises in case the customer has a buy position or falls in case the customer has a sell
position), the customer makes a profit. Presently only selected stocks, which meet the
criteria on liquidity and volume, have been enabled for futures trading.

Calculate Index and Know the Customer’s Margin

These are tools to help the customer in calculating the customer’s margin requirements
and also the index & stock price movements. The ICICIDIRECT UNIVERSITY on the
HOME page is a comprehensive guide on futures and options trading.

OPTIONS

An option is a contract which gives the buyer the right to buy or sell shares at a specific
price, on or before a specific date. For this, the buyer has to pay to the seller some money,
which is called premium. There is no obligation on the buyer to complete the transaction
if the price is not favorable to him. To take the buy/sell position on index/stock options,
the customer has to place a certain % of order value as margin. With options trading, the
customer can leverage his trading limit by taking buy/sell positions much
larger than what the customer could have taken in the cash segment.

The Buyer of a Call Option has the Right but not the Obligation to Purchase the
Underlying Asset at the specified Strike price by paying a premium whereas the Seller of
the Call has the obligation of selling the Underlying Asset at the specified Strike price.

The Buyer of a Put Option has the Right but not the Obligation to Sell the Underlying
Asset at the specified strike price by paying a premium whereas the Seller of the Put has
the obligation of Buying the Underlying Asset at the specified Strike price.

By paying a lesser amount of premium, the customer can create positions under OPTIONS
and take advantage of more trading opportunities.

IPOs Online

The customer could also invest in Initial Public Offers (IPOs) online without going
through the hassles of filling any application form or paperwork, and get in-depth
analyses of new IPO issues which are about to hit the market. An IPO calendar, recent
IPO listings, prospectus/offer documents and IPO analysis are a few of the features
which help the customer keep on top of the IPO markets.

Content Features
There are a host of features on ICICIdirect.com that shall help the customer make
informed investment decisions

• The Bank provides the customer with the indices of major world markets, Nifty
futures and ADR prices, daily share prices of all scrips, monthly and yearly
high/lows etc. through Market Watch.
• Get breaking news from CNBC and Reuters. Catch a glimpse of news headlines
through our scrolling Direct News Headlines.

• Get a snapshot of the latest developments in the markets through the day using
Market Commentary. The customer can get week snapshot also. Use Pick of the
week, which focuses on fundamental stocks with sound prospects.
• Catch interviews, reactions and comments from industry leaders.
• Equip the customer with our barometers. Market Barometer gives the customer
in-depth information of the weightages of shares on Nifty and Sensex. Get a glimpse
of the performance of various industry sectors through Industry Barometer.
• Direct Technical Charts offer interactive charting with advanced indicators. Get a
bird's eye view of over 5000 companies at a single click using Company
Snapshot. Glance through analyst recommendations using Multex Global
Estimate.
• In case the customer is not too comfortable with share trading, try our Learning
Centre, which is a tutorial on investments, and My Research, which helps the
customer to research a stock better.

Personal Finance:

Use our Personal Finance section and get hold of tools that can help the customer plan his
investments, retirement, tax etc. Analyse the customer’s risk profile and get a suitable
investment portfolio plan using Asset Allocator.

Customer Service Features

• With 'ICICIdirect Customer Tools & Updates' the customer can troubleshoot all
his problems online.
• Address the customer’s trading queries on-line through "Easy Mail". The
customer can view and change his profile or password on-line.
• Get details of ICICI centers, our sales and service offices, across India through
branch locator
• View the customer’s Account Statement and Bill Summary of his transactions
online using bills & accounts.
• View the customer’s Digital Contract Notes instantly
• Give the customer’s viewpoint through Opinion Polls online.

The ICICIdirect Advantages


A unique 3-in-1 account that gives the customer:

Convenience:

The 3-in-1 account integrates the customer’s banking, broking and demat accounts. This
enables the customer to trade in shares without going through the hassles of tracking
settlement cycles, writing cheques and Transfer Instructions, chasing the customer’s
broker for cheques or Transfer Instructions etc.

Speed:

The customer can now get the latest quotes of Scrips on ICICIdirect.com and place an
order almost instantly.

Control:

The customer can be assured that he has in fact placed an order at the price
he always wanted to, but may not have been able to do so till now, thereby
giving the customer control over his own trades.

Independence:

Instead of transferring monies to a broker's pool or towards deposits, the customer can
manage his own demat and bank accounts when he trades through ICICIdirect.com

Trust:

ICICIdirect.com comes to the customer from ICICI, the organisation trusted by millions
of Indians.

Charity

How often has the customer wanted to help the world's poor but not known quite
where and how? ICICIcommunities brings the customer a secure and trusted way to
reach out to the millions of economically and socially challenged citizens of India and
help change their lives.

Donate, Shop, and Volunteer. The customer chooses how he would like to contribute!
ICICIcommunities will ensure that the customer’s contribution reaches those that the
customer feels need his care and concern. A baby girl in danger of dying at birth. A child
who needs to learn the 3Rs. A young mother who needs a livelihood. A poor artisan in
need of customers... The customer has the choice to help change lives NOW!

Module: 8 - ICICI Bank - Corporate Internet Banking (Page: 1 of 3)

The service can be accessed by a Corporate after submitting a duly filled in application
form. In case the corporate desires to effect fund transfers through CIB, the form needs to
be accompanied by a Board Resolution. The form is available at all the ICICI Bank
branches.

Account Information: The complete database that ICICI Bank has about your company is
available at your terminal. You can access online all your relationships with the Bank, like
account details, deposits, etc. You can view the current balance and the day’s transactions
in your account at any of the ICICI Bank locations. You can also download the account
statement as an Excel or text file.

The database provides you:

• Current balance in your account on real-time basis
• Day’s transactions in the account
• Details of cash credit limit, drawing power, amount utilised, etc
• Downloading of account statements as an Excel or text file. The statements can be
integrated with your ERP system for auto-reconciliation

Banking at your convenience: You can access the account at any time and from any place.
The facility enables you to effect online fund transfers from your account to any party’s
account in ICICI Bank.

Customise the product: The product takes care of requirements based on your needs. It
can be set in such a way that based on the user profile, only certain screens are accessible.
Similarly, the product also allows setting the signatory profile for your company.

A registered user will have to enter his Corporate Id, User Id and password for accessing
the facility. He can view all the accounts across all ICICI Bank locations online, as
well as effect fund transfers on a real time basis within the Bank network. The fund
transfers are stored in your database at ICICI Bank and are available to you to integrate
with your MIS.

To avail the facility the corporate customer needs to submit the duly filled CIB application
form. The form is available at all the ICICI Bank branches. He may also contact
corporatecare@icicibank.com for the application form. The application form needs to be
signed by authorised signatories of the company who have the power to operate the
account with the Bank. The application form can be directly mailed to: ICICI Bank Ltd.,
Cops, 1st Floor, 414, Empire Building, Senapati Bapat Marg, Mumbai 400 013. A Board
resolution is needed only if you need to effect fund transfers through CIB.

ICICI Bank e-business offers you a simple, convenient and secure way to manage your
banking activities without leaving your desk using Corporate Internet Banking. Different
Products & Services offered by the Bank under Corporate Internet Banking (CIB) are as
under:

Transaction Banking

A suite of services spanning the entire transactional needs of corporates

Treasury Solutions

A range of treasury products from plain vanilla to complex solutions.

Investment Solution

This group is dedicated to assist clients to enable them to undertake proactive investment
management.

Capital Markets

A focused group catering to the banking needs of the investment community associated
with the stock market

Securities Management Services

An efficient management of securities, providing up-to-date transaction information and
cross-border investment.

International Banking Services

A complete range of correspondent banking services for banks and financial institutions
in the international arena.

Agri Business

An important sector in the Indian economy addressed by ICICI Bank.

Corporate & Structured Finance

A range of opportunities for large, mid-cap and emerging corporates through our
integrated banking products

Market Watch

• Daily Market Report
• Market Pulse
• Commodities Daily
• Market Strategy

The various modes of fund transfer available in CIB


CICs can manage their supply-chain network effectively by using the Bank's Corporate
Internet Banking online fund transfer mechanism. They can effect fund transfers on a
real time basis across the bank locations. The product facilitates:

• One-to-one fund transfer between two linked accounts. In one-to-one fund
transfer the accounts are linked and the user selects the debit and credit account,
enters the amount and narration for the fund transfer and effects the same.
• Bulk fund transfers. In bulk fund transfers, you upload a flat file containing
payment/collection information. The format of the text file can be pre-defined and
the main contents of the file are account no., amount, currency code and narration
for the payment/collection. This is useful for effecting multiple
payments/collections at a single click. The Bank’s systems take care of processing
the entire file and once the file is processed you can integrate the processed file to
your ERP for auto reconciliation.
• The real life situation of user-wise limits and multilevel signatories can be
mapped in the net-based fund transfer module too. You can specify a user-wise cap
for funds transfer and the number of approvals needed for each fund transfer. The
fund transfer will not take place unless the required number of signatories has
approved it.
• With a Power of Attorney from your dealers, you can link the dealers’ accounts to
your account in order to have an online fund transfer, saving you time and money
involved with cheque collection systems. Alternatively, the dealer can credit your
account through this channel. Similarly, you could also effect vendor and other
payments online.

Limit on the amounts of funds that can be transferred through CIB

The corporate customer can specify a corporate level limit, a user level limit and an
account level limit. A fund transfer cap can be specified for each of the debit accounts in
terms of amount, and you can also specify a limit on the amount of fund transfer that can
be effected by your authorised users. This is similar to cheque signing powers in the
physical world. Further, you can also specify limits in terms of number of transactions in
a day/week/month.

No. of approvers who can approve a fund transfer

The system supports multi-level approvals. The corporate customer can specify the
number of approvals needed for effecting a transaction. The transaction will not take
place unless it has been approved by the required number of authorised signatories.
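
The limit and approval rules described in the two sections above can be sketched as follows. This is an added example, not ICICI Bank's code: the class names, account and user identifiers and amounts are constructed, and it assumes the corporate-level limit is a daily total and that the initiator may not approve his own transfer.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal


class TransferRejected(Exception):
    """A request broke a configured limit or approval rule."""


@dataclass(frozen=True)
class Policy:
    corporate_daily_cap: Decimal   # assumption: corporate-level limit = total per day
    account_caps: dict             # debit account -> cap per transfer
    user_caps: dict                # initiating user -> cap per transfer
    max_transfers_per_day: int     # count limit (the text also allows week/month)
    approvals_required: int        # signatories needed before execution
    signatories: frozenset         # users allowed to approve


@dataclass
class Transfer:
    initiator: str
    debit_account: str
    credit_account: str
    amount: Decimal
    day: date
    approvals: set = field(default_factory=set)
    executed: bool = False


class TransferDesk:
    def __init__(self, policy):
        self.policy = policy
        self.ledger = []           # transfers that actually took place

    def submit(self, initiator, debit, credit, amount, day):
        """Check the per-transfer caps and return a pending Transfer."""
        p, amount = self.policy, Decimal(amount)
        if amount <= 0:
            raise TransferRejected("amount must be positive")
        # Fail closed: a user or account with no configured cap cannot transfer.
        if initiator not in p.user_caps:
            raise TransferRejected("user has no transfer rights")
        if debit not in p.account_caps:
            raise TransferRejected("debit account not enabled for transfers")
        if amount > p.user_caps[initiator]:
            raise TransferRejected("exceeds user-level limit")
        if amount > p.account_caps[debit]:
            raise TransferRejected("exceeds account-level limit")
        return Transfer(initiator, debit, credit, amount, day)

    def approve(self, transfer, approver):
        """Record one approval; return True once the transfer has executed."""
        p = self.policy
        if transfer.executed:
            raise TransferRejected("already executed")
        if approver not in p.signatories:
            raise TransferRejected("not an authorised signatory")
        if approver == transfer.initiator:
            # Assumption: maker and checker must be different people.
            raise TransferRejected("initiator cannot approve own transfer")
        transfer.approvals.add(approver)      # a set: repeat approvals count once
        if len(transfer.approvals) < p.approvals_required:
            return False
        self._execute(transfer)
        return True

    def _execute(self, t):
        # Aggregate limits are checked at execution time, so several pending
        # transfers cannot slip past the daily caps together.
        p = self.policy
        today = [x for x in self.ledger if x.day == t.day]
        if len(today) >= p.max_transfers_per_day:
            raise TransferRejected("daily transaction count reached")
        if sum(x.amount for x in today) + t.amount > p.corporate_daily_cap:
            raise TransferRejected("exceeds corporate-level daily limit")
        t.executed = True
        self.ledger.append(t)


# Constructed sample policy and identifiers (not taken from the text).
SAMPLE_POLICY = Policy(
    corporate_daily_cap=Decimal("60000"), max_transfers_per_day=3,
    account_caps={"ACC-001": Decimal("75000")},
    user_caps={"maker1": Decimal("50000")},
    approvals_required=2,
    signatories=frozenset({"maker1", "signer_a", "signer_b"}),
)


def outcome(desk, transfer, approvers):
    """Apply approvals in order; return 'executed', 'pending' or the refusal reason."""
    try:
        for who in approvers:
            desk.approve(transfer, who)
    except TransferRejected as exc:
        return str(exc)
    return "executed" if transfer.executed else "pending"
```

Calling `outcome` on a transfer returned by `TransferDesk(SAMPLE_POLICY).submit(...)` shows that a repeated approval by the same signatory leaves the transfer pending, and that a second transfer with enough approvals is still refused once the daily corporate cap would be exceeded.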

Effecting fund transfers through CIB to other Banks

The corporate customer can effect fund transfers to accounts at non-ICICI banks located
at Ahmedabad, Bangalore, Chennai, Calcutta, Delhi, Hyderabad, Mumbai and Nagpur.
The inter bank fund transfers are routed through the RBI-EFT mechanism and the credit
is effected normally by the third working day. However, fund transfers outside India
cannot be effected under CIB.

Request:

Corporate Internet Banking allows the client to make the following requests online:

• Registration for account statements by email on either a
daily/weekly/fortnightly/monthly basis
• Stop payment of cheque
• Cheque book replenishment
• Demand Draft/Payorder
• Opening of fixed deposit account
• Opening of Letter of credit

Security features of the product

No compromise has been made on the security front. All care has been taken that hacking
is not possible at the site. Precautions in terms of firewalls, data encryption and digital
certification are used so that no malicious or unauthenticated person is able to access your
account. Additional features such as digital signatures, etc. can also be set up. Other
features include a safe password that only you will know; even the Bank's employees
will not have access to your password. No memory caching is allowed in the browser
(navigator), so that after you log out another person will not be able to access your
account by pressing the “Back” button. There is also a time-out for the screens: if the
screen is not used for 5 minutes, it automatically logs you out from the site.
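
The last two controls in the paragraph above, no browser caching and the 5-minute time-out, as an added sketch that is not the Bank's implementation. The `/login` path, the class and function names and the manually advanced clock are assumptions made for the example.

```python
import secrets

IDLE_TIMEOUT_SECONDS = 5 * 60      # the 5-minute screen time-out described above

# Headers telling the browser to keep no copy of an authenticated page, so
# pressing "Back" after logout has nothing to redisplay from its cache.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store",
    "Pragma": "no-cache",          # for HTTP/1.0 clients and old proxies
    "Expires": "0",
}


class FakeClock:
    """Constructed, manually advanced clock so the example runs instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class SessionStore:
    def __init__(self, clock):
        self._clock = clock
        self._sessions = {}        # token -> [user, time of last request]

    def login(self, user):
        token = secrets.token_urlsafe(32)    # unguessable session identifier
        self._sessions[token] = [user, self._clock()]
        return token

    def logout(self, token):
        # Destroy the server-side record; a replayed token is then worthless.
        self._sessions.pop(token, None)

    def authenticate(self, token):
        """Return the user for a live session, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        now = self._clock()
        if now - last_seen >= IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]        # expiry is enforced on the server
            return None
        entry[1] = now                       # activity resets the idle timer
        return user


def handle_request(store, token, page):
    """Return (status, headers, body) for a request to an account page."""
    user = store.authenticate(token)
    if user is None:
        # Hypothetical login path; every response carries the no-store headers.
        return 302, {**NO_STORE_HEADERS, "Location": "/login"}, ""
    return 200, dict(NO_STORE_HEADERS), f"{page} for {user}"
```

The time-out is checked on the server at each request rather than trusted to a timer in the page, so a token that is replayed after logout or after five idle minutes is redirected to the login page.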

Benefits To the Customer

The company does not have to spend anything extra to avail this facility. All it requires is
Internet connectivity. The product enables the company to pro-actively manage its cash
flows, ease reconciliation efforts as all the MIS is available at the click of the mouse.

System integration with the Customer’s ERP

You can download the account statements either as a text file or as an Excel file. The
Bank can help the customer in integrating the account statements and bulk payment files
with the customer's ERP system. The Bank charges a nominal fee depending upon the
nature of work involved.

Presently in India, there is no real time online electronic connectivity between the various
banks. This puts a small constraint on the banking relationships of the
constituents of the supply chain. Hence, it becomes important that the supplier, you and
the dealer have accounts at ICICI Bank. Only then can the efficiency of the system be used
to the fullest.
The dealer can credit the proceeds to the company's account from his login. In case the
dealer finds it difficult to do this, he can give a mandate to the company for debiting the
amount to his account. Similarly, the company can also credit the vendors.

Banking Facilities to Customer’s Channel Partners

This can be arranged only by the customer calling at the branch of ICICI Bank. As India
does not have a proper legal framework regarding transactions through the Internet, we
will have to fall back on the Indian Contract Act. This is to safeguard both the company
and the Bank. The channel partners will have to accept the offer from ICICI Bank and
also enter into relevant agreements. If an overdraft facility is given to the dealer, the
dealer can either operate the account on his own or can give a Power of Attorney or Letter
of Mandate to the company for operating the Overdraft account. In the latter situation the
dealer will also have to give a Mandate Letter/Indemnity to the Bank for linking the
Overdraft a/c with the Company's account.

How the Corporate Internet Customer (CIC) can access Corporate Internet Banking

With connection to the Internet, the CIC can login to Corporate Internet Banking with
their Corporate Id, User ID and Password via the following:

a. At www.icicibank.com, under Corporate Finance, click on "Click here for
Corporate Internet Banking Login", or
b. Go directly to http://ebusiness.icicibank.com/imarkets/login/cib/login.asp to login.
You can bookmark this URL by adding this to your browser favourites.

Module: 8 (Contd) - ICICI Bank – Corporate Internet Banking (Page: 2 of 3)

Cash Management Services (CMS)

ICICI Bank is a leading player in the Cash Management Services (CMS) market.
The Bank’s Cash Management Service is technology driven, with versatile software,
hardware and network support. Customised daily transaction reports and web-enabled
reports are offered regularly to our clients. CMS solutions are designed to be
company-specific, allowing a corporate to efficiently manage its treasury. Cash
management products cover both collections and payments.

Collection Products

Local Cheque Collections

• One of the largest networks, spanning over 400 locations
• Courier pick-up can be provided
• Process flow can be structured to suit the company’s requirements

Upcountry Cheque Collections

• Coverage of over 1500 locations with tie-ups with correspondent banks
• Capability to process cheques drawn on any location in India.
• Assured credit given with funds pooled at any ICICI Bank location. Instrument
level tracking of instruments to ensure faster realization

Cash Collections

• Cash Collection from dealers and business associates on behalf of companies
• Cash pick-up facility in 28 locations
• Customised MIS for cash collection

Payment Products

Anywhere Banking

• Cheques issued payable at par at various ICICI Bank locations
• Single account to be operated at any ICICI Bank branch for this facility
• Ideal for small value, large volume payments

Fund Transfers

Online transfer of funds between accounts maintained with any branch of ICICI Bank

Issue of Bulk Demand Drafts/ Pay order

• Capability to issue Bulk Demand Drafts/Pay Orders on various ICICI Bank and
correspondent bank locations
• Capability to accept online requests from the customers
• Capability to print beneficiary advice and despatch
• Remote printing facility
• Simple process with a low turnaround time and delivery

Cheque Writing

• Cheques can be issued on behalf of companies
• Capability of processing large volumes of cheques in a short turnaround time
• Capability of printing facsimile signatures
• Capability to print beneficiary advice and despatch
• Ideal for bulk payments such as pension payments, gratuity payments

At Par Payments

• Services can be availed for the ‘at par’ payment of dividend warrants /interest
warrants/ refund order/redemption payments/brokerage payments
• Simplified and streamlined procedures ensuring smooth process flow online
validation of instruments before payment
• Regular reconciliation statements provided by the bank
• Covering over 100 major locations through own network (90% of the payments).
Arrangement with correspondent banks thereby covering over 200 locations
through instruments based payments
• ECS credit facility at all available locations

Debt Online

Debt Online is a transaction platform that offers a transparent and paperless way of
investing in debt instruments in a secure environment.

Debt Online Features

• Live quotes from GOI-secs from entities within the ICICI Group
• Chat Facility to negotiate with the dealer and conclude deal by CIC
• Using the chat facility is similar to using the telephone, except that the chat is
done entirely over the internet
• The system allows CIC straight through processing using a CSGL account. This
ensures a smooth and automated settlement process.

Pre-transaction and post-transaction analytical tools available on the bank’s web site
allow the CIC to monitor their transactions at any time.

FX Online

FX Online is a real time foreign exchange trading system, which provides automated
quotes for FX spots & FX forwards.

FX Online Features

• Competitive and transparent quotes from ICICI Bank treasury
• Transaction in a secure network
• Instantaneous deal confirmation
• User defined controls for currency, amount and transaction type.

Conclusion

The descriptive narrative above, covering both Retail Internet Banking for individual
customers and Corporate Internet Banking for business customers, shows a comprehensive
range of products relating to banking services, which has enabled the bank to tap over
65 percent of all Internet banking customers in India. This is a remarkable feat for
a newly established bank without any carried-forward goodwill.

It is particularly significant that the Bank commenced Internet Banking in 1997, even
before RBI issued guidelines for Internet Banking on 14th June 2001. These guidelines
are reproduced in Annexure 1. The earlier guidelines on Risks and Controls in Computers
and Telecommunications, issued vide circular DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated
4th February 1998, will equally apply to Internet banking. ICICI introduced Internet
Banking even before these earlier guidelines. This excellence in performance was duly
recognised by Global Finance magazine, organizer of the World’s Best Internet Bank
Awards, which in 2003 announced ICICI Bank as the ‘Best Consumer Internet Bank in
India’. In addition, it was announced as the ‘Best-Integrated Consumer Bank Site in
the Asia /Pacific Region’.

Internet Banking in India - Guidelines Issued by RBI

Reserve Bank of India had set up a 'Working Group on Internet Banking' to examine
different aspects of Internet Banking (I-banking). The Group had focussed on three major
areas of I-banking, i.e.,

i. technology and security issues
ii. legal issues and
iii. regulatory and supervisory issues.

RBI has accepted the recommendations of the Group to be implemented in a phased
manner. Accordingly, the following guidelines are issued for implementation by banks.
Banks are also advised that they may be guided by the original report, for a detailed
guidance on different issues.

Technology and Security Standards

a. Banks should designate a network and database administrator with clearly defined
roles as indicated in the Group's report.
b. Banks should have a security policy duly approved by the Board of Directors.
There should be a segregation of duty of Security Officer / Group dealing
exclusively with information systems security and Information Technology
Division which actually implements the computer systems. Further, Information
Systems Auditor will audit the information systems.
c. Banks should introduce logical access controls to data, systems, application
software, utilities, telecommunication lines, libraries, system software, etc.
Logical access control techniques may include user-ids, passwords, smart cards or
other biometric technologies.
d. At the minimum, banks should use the proxy server type of firewall so that there
is no direct connection between the Internet and the bank's system. It facilitates a
high level of control and in-depth monitoring using logging and auditing tools.
For sensitive systems, a stateful inspection firewall is recommended which
thoroughly inspects all packets of information, and past and present transactions
are compared. These generally include a real time security alert.
e. All the systems supporting dial up services through modem on the same LAN as
the application server should be isolated to prevent intrusions into the network as
this may bypass the proxy server.
f. PKI (Public Key Infrastructure) is the most favoured technology for secure
Internet banking services. However, as it is not yet commonly available, banks
should use the following alternative system during the transition, until the PKI is
put in place:
g. Usage of SSL (Secured Socket Layer), which ensures server authentication and
use of client side certificates issued by the banks themselves using a Certificate
Server.
h. The use of at least 128-bit SSL for securing browser to web server
communications and, in addition, encryption of sensitive data like passwords in
transit within the enterprise itself.
i. It is also recommended that all unnecessary services on the application server
such as FTP (File Transfer Protocol), telnet should be disabled. The application
server should be isolated from the e-mail server.
j. All computer accesses, including messages received, should be logged. Security
violations (suspected or attempted) should be reported and follow up action taken
should be kept in mind while framing future policy. Banks should acquire tools
for monitoring systems and the networks against intrusions and attacks. These
tools should be used regularly to avoid security breaches. The banks should
review their security infrastructure and security policies regularly and optimize
them in the light of their own experiences and changing technologies. They
should educate their security personnel and also the end-users on a continuous
basis
k. The information security officer and the information system auditor should
undertake periodic penetration tests of the system, which should include:
1. Attempting to guess passwords using password-cracking tools.
2. Search for back door traps in the programs
3. Attempt to overload the system using DDoS (Distributed Denial of
Service) & DoS (Denial of Service) attacks.
4. Check if commonly known holes in the software, especially the browser
and the e-mail software exist.
5. The penetration testing may also be carried out by engaging outside
experts (often called 'Ethical Hackers')
l. Physical access controls should be strictly enforced. Physical security should
cover all the information systems and sites where they are housed, both against
internal and external threats.
m. Banks should have proper infrastructure and schedules for backing up data. The
backed-up data should be periodically tested to ensure recovery without loss of
transactions in a time frame as given out in the bank's security policy. Business
continuity should be ensured by setting up disaster recovery sites. These facilities
should also be tested periodically.
n. All applications of banks should have proper record keeping facilities for legal
purposes. It may be necessary to keep all received and sent messages both in
encrypted and decrypted form.
o. Security infrastructure should be properly tested before using the systems and
applications for normal operations. Banks should upgrade the systems by
installing patches released by developers to remove bugs and loopholes, and
upgrade to newer versions, which give better security and control.
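
Items g and h above call for SSL with server authentication, client-side certificates issued by the bank, and at least 128-bit encryption. The following Python example is added here and is not part of the RBI circular or the original text; it builds such a server configuration with the standard ssl module (which implements TLS, the successor to SSL) and audits it against the 128-bit floor. SAMPLE_CIPHERS, the function names and the file-path parameters are assumptions made for illustration.

```python
import ssl

MIN_KEY_BITS = 128  # floor stated in item h of the circular

# Constructed sample in the shape returned by SSLContext.get_ciphers().
# The first two entries are legacy export/DES suites, included only to
# exercise the check; they are not enabled anywhere in this example.
SAMPLE_CIPHERS = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "AES128-SHA", "strength_bits": 128},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
]


def below_floor(ciphers, min_bits=MIN_KEY_BITS):
    """Return the names of cipher suites whose key strength is under min_bits."""
    return [c["name"] for c in ciphers if c.get("strength_bits", 0) < min_bits]


def build_server_context(ca_file=None, cert_file=None, key_file=None):
    """Server-side context that demands a client certificate (item g).

    ca_file is the bank's own issuing CA (hypothetical path); cert_file and
    key_file are the web server's certificate and private key. All three are
    optional so the policy can be inspected without key material.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM")       # TLS 1.2 suites: AES-GCM only
    ctx.verify_mode = ssl.CERT_REQUIRED   # handshake fails without a client cert
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def audit_context(ctx, min_bits=MIN_KEY_BITS):
    """Report whether a context meets the client-cert and key-length rules."""
    return {
        "client_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "weak_ciphers": below_floor(ctx.get_ciphers(), min_bits),
    }


if __name__ == "__main__":
    print("sample suites under the floor:", below_floor(SAMPLE_CIPHERS))
    print("audit of built context:", audit_context(build_server_context()))
```

Running audit_context against the context a production server actually uses, in a deployment check, catches a configuration that later drifts to weaker suites or drops the client-certificate requirement.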

Legal Issues

a. Considering the legal position prevalent, there is an obligation on the part of
banks not only to establish the identity but also to make enquiries about integrity
and reputation of the prospective customer. Therefore even though request for
opening account can be accepted over Internet, accounts should be opened only
after proper introduction and physical verification of the identity of the customer.
b. From a legal perspective, security procedure adopted by banks for authenticating
users needs to be recognized by law as a substitute for signature. In India, the
Information Technology Act, 2000, in Section 3(2) provides for a particular
technology (viz., the asymmetric crypto system and hash function) as a means of
authenticating electronic record. Any other method used by banks for
authentication should be recognized as a source of legal risk.
c. Under the present regime there is an obligation on banks to maintain secrecy and
confidentiality of customers' accounts. In the Internet banking scenario, the risk of
banks not meeting the above obligation is high on account of several factors.
Despite all reasonable precautions, banks may be exposed to enhanced risk of
liability to customers on account of breach of secrecy, denial of service etc.,
because of hacking/ other technological failures. The banks should, therefore,
institute adequate risk control measures to manage such risks
d. In Internet banking scenario there is very little scope for the banks to act on stop-
payment instructions from the customers. Hence, banks should clearly notify to
the customers the timeframe and the circumstances in which any stop-payment
instructions could be accepted.
e. The Consumer Protection Act, 1986 defines the rights of consumers in India and
is applicable to banking services as well. Currently, the rights and liabilities of
customers availing of Internet banking services are being determined by bilateral
agreements between the banks and customers. Considering the banking practice
and rights enjoyed by customers in traditional banking, banks' liability to the
customers on account of unauthorized transfer through hacking, denial of service
on account of technological failure etc. needs to be assessed and banks providing
Internet banking should insure themselves against such risks. (Para 7.11.1)

Regulatory and Supervisory Issues

As recommended by the Group, the existing regulatory framework over banks will be
extended to Internet banking also. In this regard, it is advised that:

1. Only such banks which are licensed and supervised in India and have a physical
presence in India will be permitted to offer Internet banking products to residents
of India. Thus, both banks and virtual banks incorporated outside the country and
having no physical presence in India will not, for the present, be permitted to offer
Internet banking services to Indian residents.
2. The products should be restricted to account holders only and should not be
offered in other jurisdictions.
3. The services should only include local currency products
4. The 'in-out' scenario where customers in cross border jurisdictions are offered
banking services by Indian banks (or branches of foreign banks in India) and the
'out-in' scenario where Indian residents are offered banking services by banks
operating in cross-border jurisdictions are generally not permitted and this
approach will apply to Internet banking also. The existing exceptions for limited
purposes under FEMA i.e. where resident Indians have been permitted to continue
to maintain their accounts with overseas banks etc., will, however, be permitted.
5. Overseas branches of Indian banks will be permitted to offer Internet banking
services to their overseas customers subject to their satisfying, in addition to the
host supervisor, the home supervisor.

Given the regulatory approach as above, banks are advised to follow the following
instructions:

a. All banks, who propose to offer transactional services on the Internet, should
obtain prior approval from RBI. Bank's application for such permission should
indicate its business plan, analysis of cost and benefit, operational arrangements
like technology adopted, business partners, third party service providers and
systems and control procedures the bank proposes to adopt for managing risks.
The bank should also submit a security policy covering recommendations made in
this circular and a certificate from an independent auditor that the minimum
requirements prescribed have been met. After the initial approval the banks will
be obliged to inform RBI any material changes in the services / products offered
by them
b. Banks will report to RBI every breach or failure of security systems and
procedure and the latter, at its discretion, may decide to commission special audit
/ inspection of such banks. (Para 8.4.3)
c. The guidelines issued by RBI on 'Risks and Controls in Computers and
Telecommunications' vide circular DBS.CO.ITC.BC. 10/ 31.09.001/ 97-98 dated
4th February 1998 will equally apply to Internet banking. The RBI as supervisor
will cover the entire risks associated with electronic banking as a part of its
regular inspections of banks.
d. Banks should develop outsourcing guidelines to manage risks arising out of third
party service providers, such as, disruption in service, defective services and
personnel of service providers gaining intimate knowledge of banks' systems and
misutilizing the same, etc., effectively. (Para 8.4.7)
e. With the increasing popularity of e-commerce, it has become necessary to set up
'Inter-bank Payment Gateways' for settlement of such transactions. The protocol
for transactions between the customer, the bank and the portal and the framework
for setting up of payment gateways as recommended by the Group should be
adopted
f. Only institutions who are members of the cheque clearing system in the country
will be permitted to participate in Inter-bank payment gateways for Internet
payment. Each gateway must nominate a bank as the clearing bank to settle all
transactions. Payments effected using credit cards, payments arising out of cross
border e-commerce transactions and all intra-bank payments (i.e., transactions
involving only one bank) should be excluded for settlement through an inter-bank
payment gateway.
g. Inter-bank payment gateways must have capabilities for both net and gross
settlement. All settlement should be intra-day and as far as possible, in real time
h. Connectivity between the gateway and the computer system of the member bank
should be achieved using a leased line network (not through Internet) with
appropriate data encryption standard. All transactions must be authenticated.
Once, the regulatory framework is in place, the transactions should be digitally
certified by any licensed certifying agency. SSL / 128 bit encryption must be used
as minimum level of security. Reserve Bank may get the security of the entire
infrastructure both at the payment gateway's end and the participating institutions'
end certified prior to making the facility available for customers use.
i. Bilateral contracts between the payee and payee's bank, the participating banks
and service provider and the banks themselves will form the legal basis for such
transactions. The rights and obligations of each party must be clearly defined and
should be valid in a court of law
j. Banks must make mandatory disclosures of risks, responsibilities and liabilities of
the customers in doing business through Internet through a disclosure template.
The banks should also provide their latest published financial results over the net.
k. Hyperlinks from banks' websites often raise the issue of reputational risk. Such
links should not mislead the customers into believing that banks sponsor any
particular product or any business unrelated to banking. Hyperlinks from banks'
websites should be confined to only those portals with which they have a payment
arrangement or sites of their subsidiaries or principals. Hyperlinks to banks'
websites from other portals are normally meant for passing on information
relating to purchases made by banks' customers in the portal. Banks must follow
the minimum recommended security precautions while dealing with requests
received from other websites, relating to customers' purchases.

The Reserve Bank of India have decided that the Group's recommendations as detailed in
this circular should be adopted by all banks offering Internet banking services, with
immediate effect. Even though the recommendations have been made in the context of
Internet banking, these are applicable, in general, to all forms of electronic banking
and banks offering any form of electronic banking should adopt the same to the extent
relevant.

All banks offering Internet banking are advised to make a review of their systems in the
light of this circular and report to Reserve Bank the types of services offered, extent of
their compliance with the recommendations, deviations and their proposal indicating a
time frame for compliance. The first such report must reach us within one month from the
date of this circular. Banks not offering any kind of I-banking may submit a 'nil' report.
Banks who are already offering any kind of transactional service are advised to report, in
addition to those mentioned in paragraph above, their business models with projections of
cost / benefits etc. and seek our post-facto approval.
