
Table of Contents

Part 1 Basic Computing Concepts 1

Part 2 Information Technology in banking sector 14

Part 3 Introduction to the Internet 76

Part 4 Introduction to Networking 96

Part 5 Technology Based distribution channels/Networks in Financial Industry 120

Part 6 Emerging Technology Trends in Financial Sector 154

Part 7 IT Policy in Financial Institutions 177

Part 8 IT Vendor Services 191

Part 9 IT Security and Risk Mitigation 208

Part 10 IT Laws in Pakistan / Regulatory Framework 237

Part 1: Basic Computing Concepts

Learning Outcome

By the end of this chapter you should be able to:

■ Define a Computer

■ Define an operating system (OS) and describe its functions

■ List and describe OS types


■ Discuss application software and list a few examples of
the applications as used in banks

■ Discuss the concept of data communication

Introduction

Computers are everywhere and are used in almost every aspect of human lives.
There are many different types of computers, ranging from small systems
integrated into toaster ovens to guidance systems on satellites. However,
perhaps the most common image associated with computers is the PC, or
Personal Computer.

The computer is one of the most powerful innovations in human history. With
the use of computers, people are suddenly able to perform staggering amounts
of computations at dazzling speeds. Information can be "crunched", organized
and displayed in the blink of an eye. As technology continues to advance, the
computer will no doubt become even more pervasive — and in many cases, likely
even less recognizable.

Most people are familiar with what a computer is in a specific, contemporary
sense. Personal computers are found in most aspects of daily life, and for
some it is hard to even imagine a world without them. But the term "computer"
means more than simply the Macs and PCs people are familiar with. A computer,
at its most basic, is a machine which can take instructions and perform
computations based on those instructions.

It is the ability to take instructions — often known as programs in the
parlance of computers — and execute them that distinguishes a computer from a
simple calculator. While both are able to make computations, a calculator
responds simply to immediate input. In fact, many modern calculators are
actually computers, with a number of pre-installed programs to help aid in
complex tasks.

More specifically, a computer is a programmable machine designed to
sequentially and automatically carry out a sequence of arithmetic or logical
operations. The particular sequence of operations can be changed readily,
allowing the computer to solve more than one kind of problem.



All general-purpose computers require the following hardware components:

■ Memory: Enables a computer to store, at least temporarily, data and programs.

■ Mass storage devices: Allow a computer to permanently retain large amounts of data.
Common mass storage devices include disk drives and tape drives.

■ Input devices: Usually a keyboard and mouse, the input device is the conduit through
which data and instructions enter a computer.

■ Output devices: A display screen, printer, or other devices that allow the user to see
what the computer has accomplished.

■ Central processing unit (CPU): The heart of the computer, this is the component that
actually executes instructions.

In addition to these components, many other supporting components make it possible for
the basic components to work together efficiently. For example, every computer requires a
bus (a set of wires) that transmits data from one part of the computer to another.

Computers can be generally classified by size and power as follows, though there is
considerable overlap:

■ Personal computers: A small, single-user computer based on a microprocessor. A
personal computer is any general-purpose computer whose size, capabilities, and
price make it useful for individuals, and which is intended to be operated
directly by an end-user. In addition to the microprocessor, a personal computer
has a keyboard for entering data, a monitor for displaying information, and a
storage device for saving data.

■ Workstations: A workstation is a high-end microcomputer designed for technical
or scientific applications. Intended primarily to be used by one person at a
time, they may be connected to a local area network (LAN) and run multi-user
operating systems. Historically, workstations offered higher performance than
desktop computers, especially with respect to CPU and graphics, memory capacity
and multi-tasking capability. They are optimized for the visualization and
manipulation of different types of complex data such as 3D mechanical design,
engineering simulation, animation and rendering of images, and mathematical
plots.

■ Minicomputers: A multi-user computer capable of supporting from 10 to hundreds
of users simultaneously. A minicomputer is a class of multi-user computers that
lies in the middle range of the computing spectrum, in between the largest
multi-user systems (mainframe computers) and the smallest single-user systems
(microcomputers or personal computers).

■ Mainframes: A powerful multi-user computer capable of supporting many hundreds
or thousands of users simultaneously. These are powerful computers used mainly
by large organizations for critical applications, typically bulk data
processing such as census, industry and consumer statistics, enterprise
resource planning, and financial transaction processing.

■ Supercomputers: An extremely fast computer that can perform hundreds of
millions of instructions per second. A supercomputer is a computer that is at
the frontline of current processing capacity, particularly speed of
calculation. Supercomputers are used for highly calculation-intensive tasks
such as weather forecasting, climate research, molecular modeling, physical
simulations (such as simulation of airplanes in wind tunnels).

Information Technology in Financial Services | Reference Book 2

times more capable than the early machines, and occupy a fraction of the space.
Simple computers are small enough to fit into mobile devices, and can be
powered by a small battery.

Interactive devices of all sorts contain their own computers. Cellular telephones, GPS units,
portable organizers, ATM machines, gas pumps, and millions of other devices all make use
of computers to streamline their operations, and to offer features which would be
impossible without a computer.

A computer like this is often referred to as an embedded computer. An embedded
computer is differentiated from a personal computer because it is essentially
static in its function. While a personal computer, or some cellular telephones,
or some personal organizers are able to have new software installed, and make
use of a wide range of features, an embedded computer usually has only a few
purposes, which are relatively fixed once the computer is manufactured.

Computer Software

The term "software" is a generic term, which is used to describe a group of
computer programs, procedures and documentation, which perform some task on a
computer system. Software is an ordered sequence of instructions given for
changing the state of the computer hardware in a certain predefined sequence.
Software also refers to one or more computer programs and data held in the
storage of the computer. Software may be divided into two categories:
Application software and System software.

What is System Software?

System software is computer software that is designed to operate the computer
hardware and to provide and maintain a platform for running the application
software. One of the most important and widely used pieces of system software
is the computer operating system, by which parts of a computer are able to
work together. This system software performs tasks such as transferring data
between memory and disks or rendering the output onto the display device.

What is Application Software?

Application software (also called end-user programs) is computer software
which is designed to help the user to perform single or multiple related
tasks. In other words, application software is actually a subclass of computer
software, which employs the capabilities of a computer directly and thoroughly
to a task which the user wishes to perform. There are different types of
application software, including Enterprise Resource Planning software,
accounting software, Customer Relationship Management software, graphics
software, media players, word processors etc.

Off-the-shelf Application software: Commercial Off-the-shelf application
programs (or "COTS", as they are sometimes referred to) are intended to be used
"as is", without being significantly modified or customized by programmers for
a specific customer's needs. This type of software allows users to perform
tasks such as word processing, sending and receiving electronic mail, and
analyzing statistical data.

The cost of developing off-the-shelf software is spread over a larger number
of people, thus making it relatively cheaper as compared to custom software
which is only designed for one or just a small number of people. However,
off-the-shelf software is designed with many users in mind and this may not
exactly fulfill a user's needs.

Motivations for using COTS components include hopes for reduction of overall
system development and costs (as components can be bought or licensed instead
of being developed from scratch) and reduced long-term maintenance costs. In
software development, many had considered COTS to be the "silver bullet" (to
reduce cost/time) during the 1990s, but COTS development came with many
not-so-obvious tradeoffs: initial cost and development time can definitely be
reduced, but often at the expense of an increase in software
component-integration work and a dependency on third-party component vendors.



Customized Application software: These represent the second, contrasting
category of application software. These are programs which have been written
"from scratch" or else extensively modified to perform a customized set of
tasks for a specific customer based on the premise that the user's needs are
specific and not generic. Custom software can be developed by an in-house
software development group, or be commissioned from a software house or
independent software developer.

Some popular application software being used in banks includes: word
processing, spreadsheet, database applications, accounting packages, customer
relationship management etc.

Operating Systems

The operating system is the most important (system) program that runs on a
computer. Every general-purpose computer must have an operating system to run
other programs. All the computers that we use need an operating system. It may
be a large mainframe computer running UNIX, a desktop PC running Windows XP, or
a handheld computer running Palm OS. All these systems need an operating system
to make sure all the programs run smoothly. Operating systems perform basic
tasks, such as recognizing input from the keyboard, sending output to the
display screen, keeping track of files and directories on the disk, and
controlling peripheral devices such as disk drives and printers.

For large systems, the operating system has even greater responsibilities and
powers. It is like a traffic controller, making sure that different programs
and users running at the same time do not collide with each other. The
operating system is also responsible for security, ensuring that unauthorized
users do not access the system.

Functions of the Operating System

Functions and services provided by operating systems are numerous. It is
difficult to present an exhaustive list of OS functions. However, most
operating systems perform the following important functions:

Provide Interface: All operating systems need to provide an interface to
communicate with the user. This could be a Command Line Interface (CLI) or a
Graphical User Interface (GUI). A command line interface (CLI) is a mechanism
for interacting with a computer operating system or software by typing
commands to perform specific tasks. The text-only interface contrasts with the
use of a mouse pointer with a graphical user interface (GUI) to click on
options, or menus on a text user interface (TUI) to select options.

Process Management: Every program running on a computer, whether it is in the
background or the foreground, is a process. Generally, only one process per CPU
can run at one time. However, multiple processes can run through multi-tasking
which entails switching processes very quickly. The operating system makes this
type of multi-tasking possible by switching processes. Additionally, there are
system processes and user processes. Not all processes are of the same
importance. System processes may be of higher priority than user processes.
There may be relative priority between system processes. Operating systems
assign and identify these priorities and execute the processes accordingly to
ensure efficient operation.

Memory Management: Computer memory is arranged in a hierarchical manner with
the fastest registers first, followed by the CPU cache, random access memory
(RAM), and then disk storage. The operating system's memory manager coordinates
the use of these various types of memory by tracking which one is available,
which is to be allocated or de-allocated and how to move data between them.
This activity, usually referred to as virtual memory management, increases the
amount of memory available for each process by making the disk storage seem
like main memory.

Input/output management: This involves co-ordination and assignment of the
different output and input devices while one or more programs are being
executed. In absence of this important OS function, there may be clashes
between users / running programs for the same resources, resulting in degraded
computer system performance and even complete shutdown due to deadlocks caused
by programs competing for the same I/O resources.

File management: A file is a logical unit of storage that hides the
technicalities from the users, providing them with the facility of creating,
opening, transferring and deleting files. Operating systems perform this very
important function. All files can also be easily changed and modified through
the use of text editors or some other file manipulation routines.

Establishment and enforcement of a priority system: Determines and maintains
the order in which jobs are to be executed in the computer system. This feature
ensures that the high priority tasks that are important for efficient system
performance receive priority and are allocated computing resources (processor,
memory space, etc.) without waiting.

Interpretation of commands and instructions: The operating system listens to,
identifies and interprets the commands given by users (through the keyboard)
and by programs to ensure that the needed resources to carry out the required
operations are allocated.

Coordination and assignment of compilers, assemblers, utility programs, and
other software to the various users of the computer system.

Establishes data security and integrity: Security is an issue that is very
important to all computer users. The security function of the operating system
is also very important to the programmers. The system will often use an
allow/disallow protocol when other systems are trying to access resources on a
computer. Still others will require the use of a user name and password to keep
the system secure.

Network Management: Although not a core operating system function, network
management has become essential in modern day computing. Most current
operating systems are capable of using the TCP/IP networking protocols. This
means that one system can appear on a network of the other and share resources
such as files, printers, and scanners using either wired or wireless
connections.



Classification of Operating Systems

Operating systems are classified based on various parameters such as the
number of users that can simultaneously use the system, the number of
processes (or tasks that the operating system can perform at a time) etc. Most
current operating systems are multi-user, multi-process systems.

Single-user: In a single-user operating system only one user can be logged on
to the computer at a given point in time. Windows XP and Windows Vista are
examples of single-user operating systems.

Multi-user: Allows two or more users to run programs at the same time. Some
operating systems permit hundreds or even thousands of concurrent users. A
multi-user operating system must make sure that the requirements of the
various users are balanced, and that each of the programs they are using has
sufficient and separate resources so that a problem with one user doesn't
affect the entire community of users. Windows Server 2003 and Unix are
examples of multi-user operating systems.

Single-tasking: As the name implies, this operating system is designed to
manage the computer so that one user can effectively do one thing at a time.
The Palm OS for Palm handheld computers is a good example of a modern
single-user, single-task operating system.

Multi-tasking: Allows more than one program to run concurrently. Multi-tasking
operating systems are most commonly used on desktop and laptop computers.
Microsoft's Windows and Apple's Mac OS platforms are both examples of
operating systems that will let a single user have several programs in
operation at the same time. For example, it's entirely possible for a Windows
user to be writing a note in a word processor while downloading a file from
the Internet while printing the text of an e-mail message. This is made
possible either by using multiple CPUs, or timesharing, or a mix of both.

Time-sharing: A time-sharing operating system uses different algorithms to
share the CPU time with more than one process. This allows a computer with
only one CPU to give the illusion that it is running more than one program at
the same time. By allowing a large number of users to interact concurrently
with a single computer, time-sharing dramatically lowers the cost of providing
computing capability, makes it possible for individuals and organizations to
use a computer without owning one and promotes the interactive use of
computers and the development of new interactive applications.
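As an added illustration (not from the reference book), the following Python simulation ties together the process management, priority system and time-sharing points above: a single CPU is handed out in fixed time slices, a system process is served before user processes, and equal-priority processes take turns, which is what produces the illusion of running concurrently. The process names, burst lengths and time quantum are constructed sample values.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Process:
    name: str
    kind: str                      # "system" or "user", as the chapter distinguishes them
    burst: int                     # CPU time units of work still needed
    priority: int                  # lower number = higher priority
    finished_at: Optional[int] = None


def schedule(processes: List[Process], quantum: int = 2) -> List[Tuple[int, str]]:
    """Time-share one CPU among the processes.

    The process at the front of the highest-priority non-empty queue runs for at
    most `quantum` ticks, then goes to the back of its queue if it still has work
    left (round-robin within a priority level). Returns the tick-by-tick timeline
    of (clock, process name) and records each process's completion time.
    """
    queues: Dict[int, deque] = {}
    for p in processes:
        queues.setdefault(p.priority, deque()).append(p)

    clock = 0
    timeline: List[Tuple[int, str]] = []
    while any(queues.values()):
        prio = min(pr for pr, q in queues.items() if q)   # strict priority first
        current = queues[prio].popleft()
        run = min(quantum, current.burst)                 # one time slice
        for _ in range(run):
            timeline.append((clock, current.name))
            clock += 1
        current.burst -= run
        if current.burst > 0:
            queues[prio].append(current)                  # preempted: back of its queue
        else:
            current.finished_at = clock
    return timeline


def run_segments(timeline: List[Tuple[int, str]]) -> List[Tuple[str, int]]:
    """Collapse the timeline into consecutive (process, ticks) segments so the
    interleaving that creates the illusion of concurrency is easy to read."""
    segments: List[Tuple[str, int]] = []
    for _, name in timeline:
        if segments and segments[-1][0] == name:
            segments[-1] = (name, segments[-1][1] + 1)
        else:
            segments.append((name, 1))
    return segments


def demo() -> Tuple[List[Tuple[str, int]], Dict[str, Optional[int]]]:
    """Constructed workload: one system process plus the three user tasks the
    chapter mentions (writing a note, downloading a file, printing an e-mail)."""
    procs = [
        Process("wordproc", "user", burst=4, priority=2),
        Process("download", "user", burst=3, priority=2),
        Process("print", "user", burst=2, priority=2),
        Process("swapper", "system", burst=3, priority=0),   # system process, highest priority
    ]
    timeline = schedule(procs, quantum=2)
    return run_segments(timeline), {p.name: p.finished_at for p in procs}


if __name__ == "__main__":
    segments, finished = demo()
    print("CPU slices:", segments)
    print("completion times:", finished)
```

The system process completes first even though it was queued last, and the three user tasks each receive the CPU in turn rather than running to completion one after another.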

Real time: Responds to input instantly. Real-time operating systems (RTOS) are
used to control machinery, scientific instruments and industrial systems. A
very important part of an RTOS is managing the resources of the computer so
that a particular operation executes in precisely the same amount of time,
every time it occurs. A key characteristic of an RTOS is the level of its
consistency concerning the amount of time it takes to accept and complete an
application's task. General-purpose operating systems, such as DOS, Windows and
UNIX, are not real-time. As compared to general purpose operating systems, a
real-time OS is more frequently dedicated to a narrow set of applications (or
just a single application).



Data Communication

The distance over which data moves within a computer may vary from a few
thousandths of an inch, as is the case within a single IC chip, to as much as
several feet along the backplane of the main circuit board. Over such small
distances, digital data may be transmitted over simple copper conductors.
Except for the fastest computers, circuit designers are not very concerned
about the shape of the conductor or the analog characteristics of signal
transmission.

Frequently, however, data must be sent beyond the local circuitry that
constitutes a computer. In many cases, the distances involved may be
enormous. Unfortunately, as the distance between the source of a message
and its destination increases, accurate transmission becomes increasingly
difficult. This results from the electrical distortion of signals traveling
through long conductors, and from noise added to the signal as it
propagates through a transmission medium. Although some precautions
must be taken for data exchange within a computer, the biggest problems
occur when data is transferred to devices outside the computer's circuitry. In
this case, distortion and noise can become so severe that information is lost.

Data communication concerns the transmission of digital messages to devices
external to the message source. "External" devices are generally thought of as
being independently powered circuitry that exists beyond the chassis of a
computer or other digital message source. As a rule, the maximum permissible
transmission rate of a message is directly proportional to signal power, and
inversely proportional to channel noise. It is the aim of any communications
system to provide the highest possible transmission rate at the lowest possible
power and with the least possible noise.

A computer network, often simply referred to as a network, is a collection of
computers and devices interconnected by communications channels that
facilitate communications among users and allow users to share resources.
Networks may be classified according to a wide variety of characteristics. A
computer network allows sharing of resources and information among
interconnected devices.

[Figure: the data communication model. Source → Transmitter → Channel → Receiver → Destination; the Message Signal leaving the transmitter becomes the Perceived Message Signal at the receiver after Noise is added in the Channel.]



Communication Model

The fundamental purpose of a communication system is the exchange of data
between two parties, e.g. the exchange of data between a server and a
workstation over a public telephone line. Another example is the exchange of
voice signals between two telephones over the same network. The key elements
of a data communication model are as follows:

Source: This device generates the data to be transmitted. Examples are
telephones and personal computers.

Transmitter: This device transmits the data generated by the source device.
Usually, the data generated by a source system are not transmitted directly in
the form in which the data were generated. Rather, a transmitter transforms and
encodes the data in such a way that the data can be transmitted across a
transmission system. A modem is an example.

Transmission media (Channel): This is the path the data follows to reach the
destination device. This can be a single transmission line or a complex network
connecting source and destination devices. It can be wired or wireless,
depending on the situation.

Receiver: The receiver accepts the signals from the transmission system and
converts them into a form that can be handled by the destination device. For
example, a modem will accept analog signals from the transmission line
(telephone network) and convert them into a digital bit stream so that a device
such as a computer can handle it.

Destination: This device takes the incoming signals from the receiver and
presents them to a user or consumes them in any other useful manner.

Noise: Noise is the unwanted signal in the transmission that may cause the
original message to be distorted and become unreadable. Therefore, it is
important to filter the noise with improved channel construction and other
techniques, including the use of filters.
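As an added worked example (not from the reference book), the following Python code walks a message through the model above: the transmitter encodes the text into a bit signal and appends a CRC-32 check value, the channel adds noise by inverting bits, and the receiver regroups the perceived signal into bytes and verifies it before handing anything to the destination. The message "PAY 100", the noise position and the use of CRC-32 as the check are constructed assumptions; a receiver without the check is included to show why a noisy channel needs one.

```python
import zlib
from typing import List, Optional, Sequence, Tuple

CHECK_BYTES = 4   # size of the CRC-32 value appended to each frame


def transmitter(message: str) -> List[int]:
    """Source data -> signal: encode the text as bytes, append a CRC-32 check
    value, and emit the frame as a list of bits, most significant bit first."""
    payload = message.encode("utf-8")
    frame = payload + zlib.crc32(payload).to_bytes(CHECK_BYTES, "big")
    return [(byte >> i) & 1 for byte in frame for i in range(7, -1, -1)]


def channel(signal: Sequence[int], flip_positions: Sequence[int] = ()) -> List[int]:
    """Transmission medium with noise modelled as bit inversions at the given
    positions (constructed; a real channel flips bits at random)."""
    out = list(signal)
    for pos in flip_positions:
        out[pos] ^= 1
    return out


def _bits_to_frame(signal: Sequence[int]) -> Optional[bytes]:
    """Regroup the perceived signal into bytes; None if it cannot be a frame."""
    if len(signal) % 8 or len(signal) < 8 * CHECK_BYTES:
        return None
    return bytes(int("".join(str(b) for b in signal[i:i + 8]), 2)
                 for i in range(0, len(signal), 8))


def receiver(signal: Sequence[int]) -> Tuple[bool, Optional[str]]:
    """Signal -> data for the destination. Verifies the CRC-32 and returns
    (ok, message); a failed check yields (False, None) so the destination is
    never handed a silently corrupted message."""
    frame = _bits_to_frame(signal)
    if frame is None:
        return False, None
    payload = frame[:-CHECK_BYTES]
    received_crc = int.from_bytes(frame[-CHECK_BYTES:], "big")
    if zlib.crc32(payload) != received_crc:
        return False, None
    try:
        return True, payload.decode("utf-8")
    except UnicodeDecodeError:
        return False, None


def receiver_without_check(signal: Sequence[int]) -> Optional[str]:
    """The same receiver with the integrity check left out: whatever the noise
    produced becomes the 'perceived message' presented to the destination."""
    frame = _bits_to_frame(signal)
    if frame is None:
        return None
    return frame[:-CHECK_BYTES].decode("utf-8", errors="replace")


def destination(result: Tuple[bool, Optional[str]]) -> str:
    """Consume the receiver's output: use the message or report the loss."""
    ok, message = result
    return f"delivered: {message}" if ok else "discarded: integrity check failed"


if __name__ == "__main__":
    signal = transmitter("PAY 100")               # constructed sample message
    print(destination(receiver(channel(signal))))  # noiseless channel
    # Bit 38 is the 2s bit of the byte holding '1'; inverting it turns
    # '1' (0x31) into '3' (0x33), so the amount changes.
    noisy = channel(signal, flip_positions=(38,))
    print("perceived without a check:", receiver_without_check(noisy))
    print(destination(receiver(noisy)))
```

A single inverted bit is enough to change the amount in the perceived message; the CRC-32 check turns that silent corruption into a detected, discarded frame.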

Data Network Benefits

The benefits networking offers to its users can be separated into two main
groups, i.e. sharing and connectivity. Networks make computers and their users
capable of being connected together. This facilitates sharing of resources and
information between the users. Modern businesses have expanded to become
worldwide, and so the uses and significance of networking have gained momentum
over the last few years. The many benefits that networking offers are:

Facilitating communications: Using a network, people can communicate
efficiently and easily via email, instant messaging, chat rooms, telephone,
video telephone calls, and video conferencing.

Sharing hardware: In a networked environment, each computer on a network may
access and use hardware resources on the network, such as printing a document
on a shared network printer.

Sharing files, data, and information: In a network environment, authorized
users may access data and information stored on other computers on the network.
The capability of providing access to data and information on shared storage
devices is an important feature of many networks.

Sharing software: Users connected to a network may run application programs on
remote computers.

Improved security: Collection of data and software resources in a central
location enhances security. Security and data protection policies can be
implemented more effectively and at less cost and using fewer resources.

Data Communication Media

A transmission or communication medium provides a physical entity for the
conveyance of signals. The transmission medium is the physical path between
transmitter and receiver in a data transmission system. Transmission media can
be classified as guided or unguided. In both cases, communication is in the
form of electromagnetic waves. With guided media, the waves are guided along a
solid medium, such as copper twisted pair, copper coaxial cable, and optical
fiber. This form of transmission is referred to as wired transmission. The
atmosphere and outer space are examples of unguided media that provide a means
of transmitting electromagnetic signals but do not guide them; this form of
transmission is usually referred to as wireless transmission.

Wired technologies

Twisted pair wire is the most widely used medium for telecommunication.
Twisted-pair cabling consists of copper wires that are twisted into pairs.
Ordinary telephone wires consist of two insulated copper wires twisted into
pairs. Computer networking cabling consists of 4 pairs of copper cabling that
can be utilized for both voice and data transmission. The use of two wires
twisted together helps to reduce crosstalk and electromagnetic induction. The
transmission speed ranges from 2 million bits per second to 100 million bits
per second. Twisted pair cabling comes in two forms, Unshielded Twisted Pair
(UTP) and Shielded Twisted Pair (STP), which are rated in categories and
manufactured in different increments for various scenarios.

Coaxial cable is widely used for cable television systems, office buildings,
and other work-sites for local area networks. The cables consist of copper or
aluminum wire wrapped with an insulating layer, typically of a flexible
material with a high dielectric constant, all of which is surrounded by a
conductive layer. The layers of insulation help minimize interference and
distortion. Transmission speed ranges from 200 million to more than 500
million bits per second.

Optical fiber cable consists of one or more filaments of glass fiber wrapped
in protective layers. It transmits light which can travel over extended
distances. Fiber-optic cables are not affected by electromagnetic radiation.
Transmission speed may reach trillions of bits per second. The transmission
speed of fiber optics is hundreds of times faster than for coaxial cables and
thousands of times faster than a twisted-pair wire.
Wireless technologies

Terrestrial microwave - Terrestrial microwaves use earth-based transmitters
and receivers. The equipment looks similar to satellite dishes. Terrestrial
microwaves use a low-gigahertz range, which limits all communications to
line-of-sight. Relay stations along the path are spaced approximately 30 miles
apart. Microwave antennas are usually placed on the top of buildings, towers,
hills, and mountain peaks.

Communications satellites - Satellites use microwave radio as their
telecommunications medium as this is not deflected by the Earth's atmosphere.
The satellites are stationed in space, typically 22,000 miles (for
geosynchronous satellites) above the equator. These Earth-orbiting systems are
capable of receiving and relaying voice, data, and TV signals.

Wireless LANs - Wireless local area networks use a high-frequency radio
technology similar to digital cellular and a low-frequency radio technology.
Wireless LANs enable communication between multiple devices in a limited area.

Infrared communication can transmit signals between devices within small
distances of not more than 10 meters, peer to peer (or face to face), without
anybody in the line of transmission.

Data Communication Networks

In its simplest form, data communication takes place between two devices that
are directly connected by some form of point-to-point transmission medium.
Often, however, it is impractical for two devices to be directly,
point-to-point connected because of the following reasons:

1. The devices are very far apart. It would be very expensive, for example, to
provide a dedicated link between two devices thousands of miles apart.

2. There is a set of devices, each of which may require a link to many other
devices at various times. Examples are all of the telephones in the world and
all of the terminals and computers owned by an organization. Except in the
case of a very few devices, it is impractical to provide a dedicated link
between each pair of devices.

The solution to this problem is to attach each device to a communication
network. Communication networks are traditionally classified into the
following two major categories:

Local area networks (LAN): The scope of a local area network is small. A local
area network is a number of computers and other devices connected to each
other by cable in a single location, usually a single floor of a building or
all the computers in a small company. The internal data rates (speed) of a
local area network are much greater than those of wide area networks;
therefore local area networks are more suitable for resource sharing between
multiple computers.

Wide area networks (WAN): Wide area networks have traditionally been
considered to be those that cover a large geographical area. A WAN consists of
a number of interconnected switching devices, which route data from a source
device to a destination device.

Stated simply, wide area networks are the set of connecting links between
different local area networks geographically spread over many countries and
continents. These links are made over telephone lines leased from various
telephone companies. Wide area networks can also be created with satellite
links, packet radio or microwave transceivers, but these options are generally
far more expensive than leased telephone lines, although they can be used in
areas where leased lines are not available.

The speed offered by wide area networks is much slower than the slowest local
area networks. This makes the sharing of resources over a wide area network
difficult. Generally, wide area networks are used for exchange of short
messages such as e-mail or HTML traffic.



Part 2: Information Technology in banking sector

IT Systems Overview
In this Part
Evolution of IT Systems in Banks

Desktop Systems

Communication Systems

Transaction Processing Systems

IT Systems that link Bank with other Banks

Card Processing Systems

Desktop Support systems / Customer services systems

MIS Applications

VeriSys

Credit Assessment Systems

Fraud/Risk Monitoring

Real Time Gross Settlement System (RTGS)


Treasury based market systems
Part Two: Information Technology in banking sector

Learning Outcome By the end of this chapter you should be able to:

■ List the popular banking packages and software being used

■ Discuss the key modules of banking packages and their
functionalities

■ Discuss the evolution of IT systems in banks over the past decade

■ List banking systems/technologies that have become obsolete

■ Explain the usage and functionality of word processing

■ Explain the usage and functionality of a spreadsheet

■ Explain the usage and functionality of presentation software

■ Explain the usage and functionality of e-mail

■ Define the term 'Voice-over-IP (VoIP)'

■ Explain the usage and functionality of the VoIP system

■ Discuss the concept and usage of "Video conferencing"

■ Discuss the concept and usage of "Groupware"

■ Discuss the concept and usage of "Instant Messaging"

■ Explain the concept behind transaction processing systems

■ Explain the purpose of the transaction processing system in a bank

■ Discuss the features of a core banking system

■ Explain the concept of IBFT and list the names of banks using IBFT

■ List the names of networks available in Pakistan for inter bank
operations

■ List the networks that link local banks with International financial
networks

■ Define briefly the working methodology of the networks that link
local banks with International financial networks

■ Define the concept behind the desktop support
systems/customer services system

■ Discuss briefly the working methodology of all request
capturing/complaint management systems

■ Define the concept of management information system as
applied in banks

■ Explain briefly the working methodology of Liability
management system, ERP and CRM

■ Describe briefly the working methodology of 'VeriSys'

■ State the concept of a credit assessment system

■ Describe briefly the role of eCIB / credit bureau check systems
in loan approval process

■ State the concept and purpose of behavioral assessment or
application scoring system as used by banks

■ Explain the role and importance of a risk/fraud monitoring system

■ Recall the SBP regulation that applies to Fraud/Risk monitoring

■ Describe the functions of RTGS

■ Define the concept of a treasury based market system


IT Systems Overview
After the proliferation of technology in every sector, the situation in
the financial sector is not too different. Over the years banks have
extensively explored IT and have taken advantage of its potential to
the fullest. As of now, banking operations without information
technology support are unimaginable. To remain competitive, banks
must continuously innovate and invest in information technology. To
support banking and financial operations, numerous off-the-shelf
packages and solutions are available to banks and financial
institutions. In some situations banks prefer to develop (in-house or
through outsourcing) their own banking packages/solutions to meet
their specific needs. Banking packages consist of different modules,
each related and catering to a basic function of banking. These
modules include, but are not limited to, Core banking, Treasury,
Customer relationship management (CRM), Credit, Loans etc.

Oracle Financial Services Software Limited (formerly called i-flex
Solutions Limited) is an IT solution provider to the banking industry.
Oracle Financial Services is majority owned by Oracle Corporation. It
claims to have more than 900 customers in over 135 countries.

A bank may select a suitable package out of the available solutions
while keeping the following factors in mind:

■ Ease of use by end-users

■ Training requirements & costs involved

■ Alignment with business goals and objectives

■ Budget constraints

■ Compatibility with existing systems/hardware

■ Availability of consultants, skilled staff and support

■ Other political/social reasons


A non-exhaustive list of core banking packages and their providers
is:

Package                            Provider
TEMENOS T24                        Temenos Group
CSB                                Natech
BankFusion Universal Banking       Misys
Misys Equation                     Misys
Misys Midas Plus                   Misys
Finacle                            Infosys
CFT-Bank                           Center of Financial Technologies (CFT)
AlpineGate Financial Solutions     AlpineGate / AlpineGate CoreBanking
Alnova Financial Solutions         Accenture / Alnova
TCS BaNCS                          Tata Consultancy Services (TCS)
Bankway                            Fidelity National Information Services
Corebank                           Fidelity National Information Services (FIS)
SAP Banking Services               SAP AG
FLEXCUBE                           Oracle Financial Services Software
DIGIBANK                           Oracle Financial Services Software
Hogan                              Computer Sciences Corporation
Insite Banking System              Automated Systems, Inc.
SAB / SAMIC                        SAB
SFB / SCB                          UNISYS
Signature (software)               Fiserv
CoreSoft, SuVikas                  VSoft Corporation

While there are many popular banking packages and software being
used by banks in Pakistan and around the world (some mentioned
above), here we focus on TEMENOS T24, a popular banking system,
and look at some of its features and capabilities. Other banking
systems have broadly similar core functionalities.

TEMENOS T24 is the most technically advanced banking system
available today. It pairs the most comprehensive, powerful and
flexible business functionality with the most advanced and scalable
architecture. This gives it unprecedented power and opportunity to
meet the challenges of today and the opportunities of tomorrow.

T24 is built on open architecture, offers low cost of ownership and
uses established standards such as HTTP, XML and J2EE. The design
of T24 offers multiple application server support offering horizontal
scalability and supporting huge numbers of users with true non-stop
resilience. Probably the most innovative aspect of T24, however, is
that it totally eliminates the need to run End Of Day (EOD)
processing.

T24 Technology
T24 is based on established industry standards as promoted by
independent bodies and not on the particular interpretation of these
standards by specific vendors. T24 is provided in C or Java. T24 runs
on:

■ Open hardware

■ Open database

■ Open J2EE application server

■ Open UI through browser, HTML and XSLT

■ Open connectivity through XML and Web Services

■ Open C or Java language code

■ Open Java development environment

T24 also supports the full Microsoft stack and can support any size of
financial organization, from the smallest to the largest. T24 achieves
its high scalability through an efficient and scalable architecture
based on multiple TEMENOS T24 servers. This means that as volumes
grow, servers can easily be added, improving both performance and
availability. T24 is claimed (by TEMENOS) to be the world's only true
24 by 7 banking system. It eliminates the need for traditional end of
day processing, enabling users and customers full access to the
system at all times.

T24 permits the use of local programming to further extend the
functionality and flexibility of the system. Local programs are written
in Java and may be inserted in the T24 business logic at over 12,000
different exit points or APIs (application program interfaces). This
capability greatly extends the local flexibility of the system without
compromising the ability to upgrade to later versions of T24 when
required.

T24 provides a solid foundation for banks to manage customers,
processes, risks and monitor ongoing activities as well as specialized
line of business functionality, which provides the full range of banking
services such as:

Retail Banking

■ CRM

■ Cash transactions

■ Payments

■ Credit

■ Deposits etc.

Corporate Banking

■ Payments

■ Cash management

■ Commercial Lending and Syndicated Lending

■ Trade finance

■ Internet banking

Treasury Operations

■ FOREX

■ Money market

■ Securities and repos

■ FRAs and swaps

■ Futures and options

Front Office


ARC - Acquire Retain and Cross-sell provides the front office
capabilities for T24, based on its multi-channel architecture and
focusing on technologies which support client-facing staff in
delivering a differentiated customer experience, whilst also providing
a consistent level of service across different electronic distribution
channels.

■ ARC Branch - In the branch ARC offers specialized teller
functionality and device support including off-line processing to
ensure reliable customer service and access for branch staff to all
client information through a 'single customer view'.

■ ARC Internet - On the internet ARC provides the widest possible
access to banking functions across retail, corporate and private
banking, supported by a scalable and extremely secure internet
banking infrastructure.

■ ARC Mobile - On mobile devices ARC enables banks to offer a
combination of highly flexible banking and payments solutions on
the widest range of devices and in different channel modes,
including SMS, browser and downloadable applications.

■ ARC Call Centre - In the call centre ARC has an open architecture
which enables the single customer view to be combined with
third party interactive voice response (IVR) and computer
telephony integration (CTI) technologies.

■ ARC ATM - ARC provides a standard interface to enable the rapid
integration of third party ATM/POS switch technologies.

■ ARC CRM - ARC provides fully integrated support for identifying
opportunities and managing prospects, by combining operational
and analytical CRM with marketing campaign management
capabilities.

Islamic Banking
Following the popularity of Islamic banking, particularly in the Middle
East and South East Asia, TEMENOS responded by creating a best-of-
breed Islamic banking system.

Designed for the Islamic banking sector, 'T24 for Islamic banking' is
both Sharia-compliant and commercially flexible enabling banks to
offer a competitive range of Islamic financial products.

Products support banks which operate solely on Islamic principles,
and it also allows conventional banks to employ Islamic financial
techniques in their banking, for example by giving a profit-sharing
framework as an alternative to the interest rate mechanism. T24 for
Islamic banking is well-suited to most Retail and Corporate banking
operations as a readily available solution.

Banks using T24 for Islamic banking benefit from adopting one core
system to cover all aspects of conventional and Islamic banking. This
ensures that a bank can maintain a tight control over its operational
costs and can remain focused on serving its customers in the most
appropriate and effective manner.

T24 for Islamic Banking functionality comprises:

■ Murabaha

■ Musharaka

■ Bei Bithaman Ajil

■ Ijara

■ Bei Salam

■ Istisnaa

■ Wakala



Evolution of IT Systems in Banks
About 2.5 decades ago the concept of automation and
computerization was almost non-existent in Pakistani banks. The first
commercial bank to adopt technology as a policy was MCB (Muslim
Commercial Bank), which launched numerous aggressive technology
projects, including Mnet, before 1990.

Around 1996 United Bank Limited (UBL) in collaboration with other
banks including Allied Bank developed a comprehensive banking
package called Unibank. This package was adopted by many leading
banks and it received reasonable popularity.

Between 2001 and 2005 State Bank of Pakistan also aggressively
invested in computerization and started projects focusing on
increasing internal efficiency, external linkages with commercial banks
and Data warehousing. SBP's initiatives in this regard created
motivation and confidence in other commercial banks to reserve
budgets for computerization.

Prior to 2000 no commercial bank in Pakistan had an ERP installed.
Some foreign banks operating in Pakistan were exceptions as they
were using banking ERP suites but their primary servers were outside
Pakistan. Real activity in terms of automation in commercial banks
started after 2002 when commercial banks including small banks and
new startups also reserved huge budgets for computerization
including the development of modern IT infrastructure, expansion of
ATM networks and implementation of banking off-the-shelf
packages/solutions.
Desktop Systems
Word-processing
Word processing is one of the earliest applications of the personal
computer in office productivity: using a computer to create, edit and
print documents. Of all computer applications, word processing is the
most common. Word processing needs a computer, a special program
called a word processor and, optionally, a printer. A word processor
enables people to create a document, store it electronically on a disk,
display it on a screen, modify it by entering commands and characters
from the keyboard and/or mouse, and print it via a printer.

In word processing electronic text can be moved around at will,
misspelled terms can be corrected throughout the document by
means of a single command, and spelling and grammar checkers can
automatically alert the user to apparent errors of spelling, punctuation
and syntax. The document's format, layout and type fonts and sizes
can be changed repeatedly until a satisfactory design is achieved.
Since all editing ideally occurs on-screen, word processing can result
in decreased paper usage and simplified editing. When the final draft
is ready, the document can be printed out (in multiple copies if
necessary), sent as an e-mail attachment, shared on a computer
network, or simply stored as an electronic file.

Although early word processors used tag-based markup for document
formatting, most modern word processors take advantage of a
graphical user interface providing some form of what-you-see-is-
what-you-get (WYSIWYG) editing. Most are powerful systems
consisting of one or more programs that can produce any arbitrary
combination of images, graphics and text, the latter handled with
type-setting capability.

Microsoft Word is the most widely used word processing software.
Microsoft estimates that over 500,000,000 people use the Microsoft
Office suite, which includes Word. Many other word processing
applications exist or existed, including WordPerfect and WordStar.

Word processors vary considerably but all word processors support
the following basic features:

■ Insert text: Allows users to insert text anywhere in the document.

■ Delete text: Allows erasing characters, words, lines, or pages.

■ Cut and paste: Allows the user to remove (cut) a section of text
from one place in a document and insert (paste) it somewhere else.

■ Copy: Allows duplicating a section of text.

■ Page size and margins: Allows the user to define various page
sizes and margins, and the word processor will automatically
readjust the text so that it fits.

■ Search and replace: Allows directing the word processor to search
for a particular word or phrase. The user can also direct the word
processor to replace one group of characters with another
everywhere that the first group appears.

■ Word wrap: The word processor automatically moves to the next
line at the end of the current line and readjusts text if the user
changes the margins.

■ Print: Allows sending a document to a printer to get a hardcopy.

Word processors that support only these features (and maybe a few
others) are called text editors.

Most word processors, however, support additional features that
enable users to manipulate and format documents in more
sophisticated ways. These more advanced word processors are
sometimes called full-featured word processors. Full-featured word
processors usually support the following features:

■ File management: Many word processors contain file management
capabilities that allow users to create, delete, move, and search
for files.

■ Font specifications: Allows changing fonts within a document. For
example, users can specify bold, italics, and underlining etc. Most
word processors also let users change the font size.

■ Footnotes and cross-references: Automates the numbering and
placement of footnotes and enables easy cross-referencing of other
sections of the document.

■ Graphics: Allows embedding illustrations and graphs into a
document. Some word processors let users create the illustrations
within the word processor, others let insertion of an illustration
produced by a different program.

■ Headers, footers, and page numbering: Allows specifying
customized headers and footers that the word processor will put
at the top and bottom of every page. The word processor
automatically keeps track of page numbers so that the correct
number appears on each page.

■ Layout: Allows specifying different margins within a single
document and specifying various methods for indenting
paragraphs.

■ Macros: A macro is a character or word that represents a series
of keystrokes. The keystrokes can represent text or commands.
The ability to define macros allows users to save a lot of time by
replacing common combinations of keystrokes.

■ Merges: Allows merging text from one file into another file. This
is particularly useful for generating many files that have the same
format but different data. Generating mailing labels is the classic
example of using merges.

■ Spell checker: A utility that allows checking of the spelling. It will
highlight any words that it does not recognize.

■ Tables of contents and indexes: Allows automatic creation of a
table of contents and index based on special codes that are
inserted in the document.

■ Thesaurus: A built-in thesaurus that allows users to search for
synonyms without leaving the word processor.

■ Windows: Allows editing of two or more documents at the same
time. Each document appears in a separate window. This is
particularly valuable when working on a large project that
consists of several different files.

■ WYSIWYG (what you see is what you get): With WYSIWYG, a
document appears on the display screen exactly as it will look
when printed.

Spreadsheets
The invention of electronic spreadsheets, along with word processing
software and databases, unquestionably was a major factor in
convincing people of the worth of microcomputers in the early years
of personal computers. Since that time, the constantly increasing
versatility and wider applications of spreadsheet software have made
it into a product that seems almost indispensable to business and
personal users. Spreadsheets are now a standard part of office suite
packages.

A spreadsheet is a computer application that simulates a paper
accounting worksheet. It displays multiple cells, usually in a two-
dimensional matrix or grid consisting of rows and columns. Each cell
contains alphanumeric text, numeric values or formulas. A formula
defines how the content of that cell is to be calculated from the
contents of any other cell (or combination of cells) each time any cell
is updated. Spreadsheets are frequently used for financial information
because of their ability to re-calculate the entire sheet automatically
after a change to a single cell is made.

VisiCalc was the first electronic spreadsheet on a microcomputer and
it helped turn the Apple computer into a success and greatly assisted
in their widespread application. Lotus 1-2-3 was the leading
spreadsheet when DOS was the dominant operating system. Excel
now has the largest market share on the Windows and Macintosh
platforms.

When spreadsheet software first became available for computers in
the early 1980s, it was known as a "killer application" because people
began to buy computers just so they could work with spreadsheets.
Today, as already mentioned, spreadsheet software is practically a
required part of any collection of office software and it remains as
useful now as it was in the beginning. Some spreadsheet benefits are
as follows:
1. Visual Design
Most people process data most easily when it is presented visually
rather than simply existing as a set of hypothetical numbers in the
mind. Spreadsheets allow the user to lay figures out on a grid,
calculating and manipulating them visually. Often, this may result in
processing the information more quickly. On a spreadsheet, errors or
omissions are noted more easily than otherwise.

2. Automatic Calculations
Spreadsheet software gives the ability to enter mathematical formulas
ranging from simple arithmetic to complex statistics. This is done in a
simple and intuitive manner.

3. Dynamic Updates
In addition to the standard method of entering data in a spreadsheet,
i.e. typing numbers in cells, users can also create a cell with a value
generated dynamically based on other cells. Because the value
displayed in the cell is based on the values in other cells, the cell
dynamically updates when the user changes any of the referenced
cells. This allows testing different scenarios by changing the cell
values.

4. Data Sorting
Spreadsheets come with a function that allows the user to re-group
the data based on a single column of information. For example, if the
user wants to see all the information sorted by annual sales revenue
(in a relevant column), then he can initiate the sort function and the
data is in the required format, and all of the associated information
stays intact as well.

5. Data Analysis
Spreadsheet software gives the ability to analyze data in ways other
than simply looking at grids and lines. Most spreadsheet software can
automatically create graphs and charts from data, giving different
ways of comparing and analyzing information. These visual
representations can also be printed and emailed, or exported into
slide shows for presentations.

6. Warnings
Because of the complexity of how a spreadsheet works and the
potential to develop complicated and interrelated calculations, the
potential for error increases exponentially with the size of the
spreadsheet. Audit controls are limited and often what is possible in
this area is under-utilized. All too often not enough planning goes
into the development of spreadsheets, particularly when designed for
other users. Because it is so easy to change values in the spreadsheet,
easy mistakes have unintended consequences.

Spreadsheet applications can appear somewhat intimidating to
inexperienced users, and this overwhelming initial appearance can
lead users to use the applications for unintended purposes. Users
should employ spreadsheet applications only for purposes of
short-term data compilation and analysis, not for the long-term data
storage that many users attempt. In addition, some uses of
spreadsheets, especially data sorting and sharing, are better handled
in databases; because many users remain unfamiliar with spreadsheet
limitations, they may continue to use spreadsheets ineffectively for
these basically database functions.
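The "Dynamic Updates" and "Warnings" points above, worked as an added example in Python (this is not code from the textbook or from any spreadsheet product): a minimal formula engine in which a cell holding a formula such as =A1+A2 is recomputed from the current contents of the cells it references, so changing one input changes every dependent cell. The engine also reports which cells a change will affect, and it refuses to evaluate a circular reference (a cell whose formula depends, through other cells, on itself) instead of looping forever. Cell references, sample figures and the formula syntax are constructed for illustration.

```python
import re
from typing import Dict, Set, Tuple

# Added example, not from the textbook: a tiny spreadsheet engine showing
# formula cells that always reflect the current inputs, dependency tracking,
# and detection of circular references.

CELL_RE = re.compile(r"\b[A-Z]+[0-9]+\b")   # cell references such as A1, B12


class CircularReference(Exception):
    """Raised when a formula depends, directly or indirectly, on itself."""


class Sheet:
    def __init__(self) -> None:
        # Raw content per cell: a number, a text, or a formula string "=...".
        self.cells: Dict[str, object] = {}

    def set(self, ref: str, content: object) -> None:
        self.cells[ref] = content

    def refs_in(self, ref: str) -> Set[str]:
        """Cells directly referenced by the formula in `ref` (empty if not a formula)."""
        content = self.cells.get(ref)
        if isinstance(content, str) and content.startswith("="):
            return set(CELL_RE.findall(content))
        return set()

    def value(self, ref: str, _stack: Tuple[str, ...] = ()) -> object:
        """Evaluate a cell on demand, so it always reflects the current inputs."""
        if ref in _stack:
            raise CircularReference(" -> ".join(_stack + (ref,)))
        content = self.cells.get(ref, 0)          # empty cells count as 0
        if isinstance(content, str) and content.startswith("="):
            expr = content[1:]

            def repl(m: re.Match) -> str:
                # Replace each reference with its (recursively computed) value.
                return repr(self.value(m.group(0), _stack + (ref,)))

            expr = CELL_RE.sub(repl, expr)
            # Only plain arithmetic may reach eval: no names, no builtins.
            if not re.fullmatch(r"[0-9.+\-*/() ]+", expr):
                raise ValueError(f"unsupported formula in {ref}: {content}")
            return eval(expr, {"__builtins__": {}}, {})
        return content

    def dependents(self, ref: str) -> Set[str]:
        """All formula cells that change (transitively) when `ref` changes."""
        out: Set[str] = set()
        frontier = {ref}
        while frontier:
            target = frontier.pop()
            for cell in self.cells:
                if target in self.refs_in(cell) and cell not in out:
                    out.add(cell)
                    frontier.add(cell)
        return out


def demo() -> dict:
    s = Sheet()
    s.set("A1", 1200.0)          # constructed sample: sales, quarter 1
    s.set("A2", 950.0)           # sales, quarter 2
    s.set("A3", "=A1+A2")        # total
    s.set("B1", 0.15)            # commission rate
    s.set("B2", "=A3*B1")        # commission depends on the total
    before = s.value("B2")       # 2150 * 0.15 = 322.5
    s.set("A2", 1050.0)          # change one input ...
    after = s.value("B2")        # ... and every dependent recomputes: 337.5
    affected = sorted(s.dependents("A2"))   # ['A3', 'B2']
    s.set("C1", "=C2+1")         # an easy mistake: C1 and C2 refer to each other
    s.set("C2", "=C1*2")
    try:
        s.value("C1")
        loop = None
    except CircularReference as exc:
        loop = str(exc)          # 'C1 -> C2 -> C1'
    return {"before": before, "after": after, "affected": affected, "loop": loop}


if __name__ == "__main__":
    print(demo())
```

Real spreadsheets keep a dependency graph and recalculate only the affected cells rather than re-evaluating on every read, but the observable behaviour is the same: the dependents list is exactly the set of cells a reviewer must re-check after a single input changes, which is why the textbook's warning about unplanned, interrelated calculations matters.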

Presentation software
Before computers were commonplace, presenters usually had an easel
with posters or drawings to show any necessary graphics to the
audience. In some cases the speaker would have a slide projector
with a carousel of individual slides to show photographs on a screen.

Today, many software package suites contain a program designed to
accompany the speaker when he makes a presentation. The specific
presentation program in this suite of programs is mostly (but not
always) in the form of a slide show.

These presentation software programs make it simple and often fun
to create a presentation for the audience. They contain a text editor
to add written content, and abilities within the program to add charts
and graphic images such as photographs, clip art or other objects to
liven up the slide show and get the point across effectively.

Presentation software programs include:

■ PowerPoint (many versions) - the leader on the Windows platform,
created by Microsoft Corporation. PowerPoint can be bought
separately or is included in the Microsoft Office suite of
programs.

■ OpenOffice.org Impress - created by Sun Microsystems Inc.
OpenOffice Impress (as it is more commonly known) is part of a
suite of programs offered as a free download. This suite also
contains a word processor, a spreadsheet program and a drawing
program.

■ Windows Movie Maker - a desktop video program, created by
Microsoft, installed on every Windows computer. Windows Movie
Maker allows creating and editing movies to accompany a
presentation, although users can also add still photos or graphics
and create a slide show, just as in PowerPoint and OpenOffice
Impress.

■ Keynote - created by Apple Computer, is the leader in
presentation software on the Mac platform. It is part of a suite of
programs called iWork.

Users of Presentation Software:

Many people make use of presentation software to support them
when they have to give a presentation to others, for example:

■ Sales people often have to give presentations to customers,
clients or managers. They need to be able to present facts and
figures, perhaps to let managers know the sales performance.

■ Most medium to large sized companies have a human resource
department that will be involved in training new employees or
providing training schemes for existing employees. Presentation
software is regularly used as a training tool.

■ Teachers often use presentations so that students have a concise
set of notes to copy from the board.

■ Students are also regularly asked to create presentations about a
topic they have been studying. They may be asked to show their
presentations to the rest of the class.

■ Presentation software is regularly used during conferences.
Speakers will project their key points onto a large screen whilst
they talk about the subject.

Presentation software is used to display information, normally in the
form of a slide show. It typically includes three major functions (as
already stated above):

1. An Editor - Allows text to be inserted and formatted

2. Method for inserting and manipulating graphic images, or
animations with these objects

3. Slide show system (Slide Show Engine) to display the designed
slide content

Basic presentation software features are:

■ Insert Slide Feature: Allows inserting a slide anywhere in the
presentation.

■ Deletion of Inserted slides: Any slide of the presentation can be
removed.

■ Allows cut and paste, move, copy slides in any order.

■ Allows displaying the designed presentation in a slide show
system (View Slide Feature).

■ Allows animations and/or sound manipulations on objects in the
slide.

■ Simple Find and Replace, and text editor features.

■ Offers different designs/backgrounds/layouts to make
presentations attractive.

Mature presentation software offers more features than those
mentioned above:

■ Font specifications - Allows changing and using different font
faces, styles and effects

■ Additional features for slides: footnotes, cross references,
advanced navigation system, headers, footers

■ Good layout management system: Presets or customized layout
designing

■ Macros - for adding interactive features

■ Spell checkers and dictionary support

■ Automatic timings: Allows slides to advance according to preset
timings

■ Allows hyperlinks to be created to define the order of slides and

Other than Microsoft PowerPoint; Corel Presentations, KPresenter
and OpenOffice.org Impress are full-featured presentation software.
Communication Systems
Electronic mail is one of the most commonly used services on the
Internet allowing people to send messages to one or more recipients.
Email was invented by Ray Tomlinson in 1972. Prior to this, messages
could only be sent to users on a single machine. Tomlinson's
breakthrough was the ability to send messages to other machines on
the Internet, using the @ sign to designate the receiving machine.

Since then e-mail has established itself as one of the primary lines of
communication worldwide at personal and organizational levels. Email
access provides easy communication and responses that can be quickly
organized and filed away.

An e-mail message has always been nothing more than a simple text
message - a piece of text sent to a recipient. In the beginning and even
today, e-mail messages tend to be short pieces of text, although the
ability to add attachments now makes many messages quite long. Even
with attachments, however, e-mail messages continue to be text
messages.

Modern email operates across the Internet or other computer networks.
Some early email systems required that the author and the recipient
both be online at the same time, in common with instant messaging.
Today's email systems are based on a store-and-forward model. Email
servers accept, forward, deliver and store messages. Neither the users
nor their computers are required to be online simultaneously; they
need connect only briefly, typically to an email server, for as long as it
takes to send or receive messages.

An email message consists of three components: the message envelope,
the message header, and the message body. The message header
contains control information, including, minimally, an originator's email
address and one or more recipient addresses. Usually descriptive
information is also added, such as a subject header field and a message
submission date/time stamp. The body consists of the main message
text. When email is being sent, the e-mail program connects to the
outgoing mail server and tells it the source e-mail address (the
"Sender") and the address(es) of the recipient(s). This is called the
envelope. Then it sends the message. The envelope and the message
arrive at the recipient's mail server. Usually at this point the envelope is
thrown away, and the message is placed into the recipient's mailbox.
Thus the recipient only gets the message and never gets to see the
envelope.
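The envelope, header and body described above, as an added Python example that is not code from the textbook or from any mail product. The "From" line the recipient reads is part of the message header, which the sending program writes, while the envelope sender is told to the mail server separately; the two are set independently and need not agree. The example builds both, models a receiving server that discards the envelope but records the envelope sender in a Return-Path header (common practice, assumed here rather than taken from the text), and then shows what an e-mail client can recover from the delivered message. The addresses, domains and message content are constructed for illustration; nothing is sent.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Added example, not from the textbook: envelope versus header versus body.


def compose(envelope_from: str, envelope_to: list, header_from: str,
            header_to: str, subject: str, body: str):
    """Return the envelope (what the outgoing server is told) and the message
    bytes (header plus body, what the recipient eventually sees).
    smtplib.SMTP.send_message(msg, from_addr, to_addrs) would take exactly
    these pieces; this example stops short of sending anything."""
    msg = EmailMessage()
    msg["From"] = header_from          # header: written by the sending program
    msg["To"] = header_to
    msg["Subject"] = subject           # descriptive information
    msg.set_content(body)              # body: the main message text
    envelope = {"mail_from": envelope_from, "rcpt_to": list(envelope_to)}
    return envelope, msg.as_bytes()


def deliver(envelope: dict, raw: bytes) -> bytes:
    """Model the receiving server: the envelope is thrown away, but (as most
    servers do, assumed here) the envelope sender is recorded in a
    Return-Path header before the message is filed in the mailbox."""
    return b"Return-Path: <" + envelope["mail_from"].encode() + b">\n" + raw


def inspect(delivered: bytes) -> dict:
    """What an e-mail client can recover from a delivered message."""
    msg = BytesParser(policy=policy.default).parsebytes(delivered)
    _, header_from_addr = parseaddr(str(msg["From"]))
    _, return_path_addr = parseaddr(str(msg["Return-Path"]))
    return {
        "header_from": header_from_addr,
        "return_path": return_path_addr,
        "subject": str(msg["Subject"]),
        "body": msg.get_content().rstrip("\n"),
        # The visible From header and the envelope sender are independent, so
        # a client that wants to know who handed the message to the server
        # has to look at Return-Path, not at From.
        "sender_matches_envelope": header_from_addr == return_path_addr,
    }


def demo() -> dict:
    # Constructed sample: the header shows a customer-care mailbox, while the
    # envelope sender is the operations address the server actually spoke to.
    env, raw = compose(
        envelope_from="ops@bank.example",
        envelope_to=["customer@home.example"],
        header_from="Customer Care <care@bank.example>",
        header_to="customer@home.example",
        subject="Statement available",
        body="Your monthly statement is ready.\n",
    )
    return inspect(deliver(env, raw))


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point for a bank's mail administrators is the last field: because the envelope never reaches the mailbox, the only trace of it is whatever the receiving server chose to record, and the From header on its own says nothing about where the message entered the mail system.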

To work with emails, some sort of e-mail client is needed. Many people
use well-known, stand-alone clients like Microsoft Outlook or Outlook
Express. Some people subscribe to free e-mail services like Hotmail or
Yahoo and use an e-mail client that appears in a Web page. No matter
which type of client is being used, it generally does four things:



■ Shows a list of all of the messages in the mailbox by displaying the
message headers. The header shows who has sent the mail and the
subject of the mail, and may also show the time and date of the
message and the message size.

■ Allows the user to select a message header and read the body of
the e-mail message.

■ Allows the user to create new messages and send them.

■ Allows the user to add attachments to messages sent and save the
attachments from messages received.

Sophisticated e-mail clients may have all sorts of features, but at the
core, this is all that an e-mail client does.

Features of email Almost instantaneous


Email messages are transferred almost instantly. They move as fast as
current in copper wires or light in optical cables. When an email
leaves sender's computer it arrives at the recipient's inbox almost
immediately. Consequently, two people can potentially have a
conversation over email.

Cost of sending an email is zero or negligible


For people and businesses who have 24 hours Internet (cable or
broadband), the cost of sending an email is zero or very small. For
dialup users, the maximum cost of sending an email will be that of a
phone call plus some fixed charges.

Emails can be sent in bulk


One email message can be sent to multiple recipients almost at the
cost of a single email. When compared to conventional postal service
this is indeed a huge saving.

Email attachments - any digital document can be sent over email


As long as a document can be converted into digital format, it can be
sent over email. Again, the cost and time aspects are important. In
addition to text documents photographs, music and audio files and
even video can be attached along with an email message. Though
many email services put a limit to the email attachment size or
number of files attached, there are workarounds like compressing and
zipping files to reduce their sizes.

Delivery is almost guaranteed


The delivery of email messages is almost guaranteed. However,
sometimes, for technical reasons that are beyond the scope of this
book, an email can get lost in transit, but this is very rare.

Request return receipt


Just like with postal and courier services, the sender can request a return
receipt, which simply involves a click of a mouse button by the
recipient. The receipt is only sent if the recipient's mail client agrees to
send it, so its absence does not mean the message was not read, and its
presence is not proof of delivery in any formal sense.

Email is accessible from anywhere


This is one of the greatest advantages of using email: it is accessible
anywhere, anytime and through a multitude of devices, such as computers,
laptops, palmtops and even cell phones.

Built in spell checking


Most email programs (or email clients) have built in spell check
dictionaries.

Notification of new arrivals


Email programs or devices can also be set up to get a notification
through sound or a flash of light when new messages arrive in the
inbox.

Can be formal as well as informal


Email messages do not signify informality. Just because email is easy to
compose and send does not mean it cannot be used in formal and
official correspondences.

Email storage and management


Storing and managing emails is very easy. Segregating messages into
folders and organizing them properly is just like cleaning the desk and
filing work. Moreover, with a web-based email service the messages are
kept on the provider's servers and do not consume space on the user's
own hard disk, although a stand-alone client such as Outlook does keep
a local copy.

Email security

The most widely used way to secure the content of email messages end
to end is PGP (Pretty Good Privacy), although most people are unaware
of it. PGP is a program used to encrypt and decrypt e-mail over the
Internet. It can also add a digital signature that lets the receiver verify
that the message came from the holder of the signing key and that it was
not changed en route. Available both as freeware and in a low-cost
commercial version, PGP is the most widely used privacy-ensuring
program among individuals and is also used by many corporations.
Developed by Philip R. Zimmermann in 1991, PGP has become a de
facto standard for e-mail security, and its message format is
standardised as OpenPGP. PGP can also be used to encrypt stored files
so that they are unreadable by other users or intruders. Note that PGP
protects the message body and attachments, not the headers: the subject
line and the sender and recipient addresses still travel in the clear.

Email creates more work

In contrast to the popular notion, according to some, email actually
creates more work. The ease of sending and receiving email has
transformed businesses throughout the world, and some claim that stress
levels have increased as reaction times have decreased.

People expect immediate replies


Most people know that emails are delivered instantaneously and hence
expect replies immediately. In situations where a quick reply is not
received, bad feeling and suspicions may arise.

Most email messages are not secure


As mentioned above, although good security technology exists for email,
it is hardly used by the masses. An ordinary email is relayed and stored
by intermediate mail servers that can read it in full, so transferring
sensitive information over email, such as credit card numbers or bank
details, is not advisable.
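Banks typically enforce the advice above with an outbound mail filter rather than relying on staff to remember it. The following is an added illustration, not part of this book and not taken from any product: it parses a constructed outbound message with Python's standard `email` module, looks in the body for digit strings of card-number length, and keeps only those that pass the Luhn check so that ticket references and phone numbers are not flagged. The message, the addresses and the masking rule are constructed for the example.

```python
"""Outbound e-mail check for card numbers sent in clear text.
Added illustration, not from the book: the message, the addresses and the
masking convention are constructed for the example."""
import re
from email import message_from_string
from email.policy import default

# Constructed outbound message in the plain RFC 5322 form a mail server
# hands to a content filter; the card number is the well-known test PAN.
RAW_MESSAGE = """\
From: accounts@example-bank.test
To: customer@example.test
Subject: Your card details
Content-Type: text/plain; charset=utf-8

Dear customer, as requested your card number is 4111 1111 1111 1111,
expiry 09/27. Reference 1234-5678-9012-3456 is our internal ticket number.
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit test (ISO/IEC 7812) that every payment card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the card-number candidates in text that pass the Luhn check.
    The Luhn test removes most reference and phone numbers that merely
    have the right length."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """Keep the first six and last four digits, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_message(raw):
    """Parse a message and decide whether it may leave the bank unencrypted."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    pans = find_pans(text)
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "block": bool(pans),                 # quarantine, or require PGP/S-MIME
        "pans": [mask(p) for p in pans],     # never write the full number to a log
    }


if __name__ == "__main__":
    print(scan_message(RAW_MESSAGE))
```

The filter reports the masked number only, because the log of a security control must not itself become a store of card numbers.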



Voice over Internet Protocol (VoIP)

Telephony is a term denoting the technology that allows people to have
long distance voice communication. It comes from the word 'telephone'
which, in turn, is derived from the two Greek words 'tele', which means
far, and 'phone', which means voice. The term's scope has been
broadened with the advent of the different new communication
technologies. In its broadest sense, the term encompasses phone
communication, Internet calling, mobile communication, faxing, voicemail
and even video conferencing.

The starting point to which telephony always returns is POTS (plain old
telephone service), technically called the PSTN (public switched
telephone network). This system is being fiercely challenged by, and to a
great extent yielding to, Voice over IP (VoIP) technology.

Voice over Internet Protocol (VoIP) is an emerging set of applications


which allows people to make telephone calls over the Internet. It is
already starting to replace existing telephone networks, with some
people and businesses opting to cancel their traditional phone line and
use VoIP instead. Other terms frequently encountered and often used
synonymously with VoIP are IP telephony, Internet telephony, voice over
broadband (VoBB), broadband telephony, and broadband phone. They all
refer to the channeling of voice calls and voice data through IP networks,
namely LANs and the Internet. This way, existing facilities and resources
that are already used for data transmission are harnessed, thereby
eliminating the cost of expensive line dedication as is the case with the
PSTN. The main advantage that VoIP brings to users is considerable cost
cutting.

VoIP was originally developed to provide voice communication between


computer users in different locations. Although it still has this
application, it has been further developed into a telephone network in its
own right. People using VoIP can call any telephone anywhere in the
world and can receive calls on telephone sets connected to the Internet
or Local Area Network (LAN).

The first step in using VoIP is converting voice into digital data. This is
done by 'sampling' the voice i.e. dividing the analog sound signal into
discrete steps that can be assigned a number value. Once the voice is
digitized, the data can be compressed.

This compressed digital data is split up into small packets that can be
transferred over the Internet. Each packet typically carries only 10 to 30
milliseconds of audio, a payload of a few hundred bytes at most; the
figure of 1500 bytes that is often quoted is the maximum size of an
Ethernet frame, not the size of a voice packet. As well as the voice data,
the packets contain information about their origin and destination, a
sequence number and a timestamp that allow them to be reconstructed in
the correct order. Once they arrive at their destination, they are
reassembled and converted from digital back into analog so that the
receiving party can hear the voice on their speakers.

In order for voice data to be transmitted without noticeable delays, a


broadband Internet connection is necessary.

VoIP has many advantages over a regular phone service. However, like
any emerging technology there are still a few issues to resolve in the
system. As standards are being developed it is becoming more reliable
and moving towards greater acceptability. It is inevitable that VoIP will
eventually replace traditional phone service; in fact, phone companies
are already taking advantage of the technology to offer cheaper long
distance rates.

In relation to VoIP a popular term used is softphone. A softphone is a


software program for making telephone calls over the Internet using a
general purpose computer, rather than using dedicated hardware. Often
a softphone is designed to behave like a traditional telephone,
sometimes appearing as an image of a phone, with a display panel and
buttons with which the user can interact. A softphone is usually used
with a headset connected to the sound card of the PC, or with a USB
phone. A USB phone looks like a traditional telephone, but it has a USB
connector instead of an RJ-11 jack. It may be used with most softphones
and services like Skype, Net2Phone, MSN Messenger, NetMeeting etc.

Advantages
Low cost - One of the main advantages of VoIP is its low cost. If a fast
Internet connection (DSL or cable) is available, PC-to-PC phone calls can
be made anywhere in the world for free. In case of a PC-to-phone
connection, there's usually a charge but probably much cheaper than
the regular phone service.

Portability - Another advantage of VoIP is portability. Phone calls can


be made and received from anywhere where there is a broadband
connection available simply by signing into VoIP account. This makes
VoIP as convenient as e-mail.

Features - There are many other features that make VoIP attractive. Call
forwarding, call waiting, voicemail, caller ID and three-way calling are
some of the many services included with Internet telephony at no extra
charge.

Disadvantages
Needs Electric Power - During a power outage a regular phone is
kept in service by the current supplied through the phone line. This is
not possible with Internet phones, so when the power goes out, there is
no phone service. One solution to this problem is to use battery
backups or power generators to provide electricity. This shortcoming is
being addressed in other, more technical ways also.

Sound Quality And Reliability - Some VoIP services have problems with
sound quality and reliability. Data sent across the Internet usually arrives
at its destination in a scrambled order. This is not a problem for e-mail
or documents because the data can be reassembled in the correct order
once it has all arrived.

Voice data can also arrive in a scrambled order, but this is more of a
problem because of the real-time nature of VoIP. In order to make voice
connections with the least amount of delay, some packets may have to be
dropped if they don't arrive in time. This can cause short periods of
silence in the audio stream.
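The packetization described earlier and the late-packet behaviour described here can be seen together in a short program. The following is an added illustration, not code from this book or from any VoIP product: it builds RTP packets (the 12-byte header layout of RFC 3550) from a constructed 8 kHz audio stream, passes them through a simulated network that delays, reorders and loses packets, and reassembles them behind a receive-side jitter buffer. The audio samples, the delay figures, the SSRC value and the fixed playout delay are assumptions of the example; real receivers adapt the buffer depth to the measured jitter.

```python
"""Packetizing a voice stream into RTP packets and reassembling it behind a
jitter buffer. Added illustration, not from the book: the packet layout follows
the fixed RTP header of RFC 3550, while the network (delay, reordering, loss)
and the audio samples are a constructed simulation."""
import random
import struct

SAMPLE_RATE = 8000                            # G.711: 8 kHz, one byte per sample
FRAME_MS = 20                                 # audio carried per packet
FRAME_BYTES = SAMPLE_RATE * FRAME_MS // 1000  # 160 bytes of payload, not 1500
PT_PCMU = 0                                   # RTP payload type for G.711 mu-law
MULAW_SILENCE = 0xFF                          # mu-law encoding of a zero sample


def rtp_header(seq, timestamp, ssrc, pt=PT_PCMU, marker=0):
    """Fixed 12-byte RTP header: V=2,P=0,X=0,CC=0 | M,PT | seq | timestamp | SSRC."""
    return struct.pack("!BBHII", 2 << 6, (marker << 7) | pt,
                       seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)


def parse_rtp(packet):
    """Return the header fields a receiver needs to put packets back in order."""
    first, second, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if first >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": second & 0x7F,
            "payload": packet[12:]}


def packetize(audio, ssrc, first_seq=0, first_ts=0):
    """Split digitised audio into 20 ms packets; seq counts packets, ts counts samples."""
    packets = []
    for n, off in enumerate(range(0, len(audio), FRAME_BYTES)):
        hdr = rtp_header(first_seq + n, first_ts + n * FRAME_BYTES, ssrc)
        packets.append(hdr + audio[off:off + FRAME_BYTES])
    return packets


def simulate_network(packets, base_delay_ms=40, jitter_ms=60, loss=0.0, seed=1):
    """Constructed network: a random per-packet delay reorders packets and some
    are lost. Returns (arrival_ms, packet) pairs in the order the receiver sees them."""
    rng = random.Random(seed)
    arrivals = []
    for n, pkt in enumerate(packets):
        if rng.random() < loss:
            continue                                    # packet lost in transit
        sent_ms = n * FRAME_MS
        arrivals.append((sent_ms + base_delay_ms + rng.uniform(0, jitter_ms), pkt))
    arrivals.sort(key=lambda a: a[0])
    return arrivals


def playout(arrivals, n_frames, buffer_ms, base_delay_ms=40, first_seq=0):
    """Jitter buffer with a fixed playout delay (a simplification; real receivers
    adapt it). Frame k must be present by sent(k) + base_delay + buffer_ms; a packet
    that arrives after its slot has been played is dropped and the slot is filled
    with silence, which is the short gap the text describes."""
    frames, stats = {}, {"late": 0, "missing": 0}
    for arrive_ms, pkt in arrivals:
        hdr = parse_rtp(pkt)
        k = hdr["seq"] - first_seq
        deadline = k * FRAME_MS + base_delay_ms + buffer_ms
        if arrive_ms <= deadline:
            frames[k] = hdr["payload"]
        else:
            stats["late"] += 1
    out = bytearray()
    for k in range(n_frames):
        if k in frames:
            out += frames[k]
        else:
            stats["missing"] += 1                       # lost or late: play silence
            out += bytes([MULAW_SILENCE]) * FRAME_BYTES
    return bytes(out), stats


def demo(buffer_ms, loss=0.0, seconds=2):
    """Run a few seconds of constructed audio through the pipeline and report."""
    audio = bytes(i % 256 for i in range(SAMPLE_RATE * seconds))   # constructed samples
    packets = packetize(audio, ssrc=0x1234ABCD)
    arrivals = simulate_network(packets, loss=loss)
    recovered, stats = playout(arrivals, len(packets), buffer_ms)
    stats["bytes"] = len(recovered)
    stats["intact"] = recovered == audio
    return stats


if __name__ == "__main__":
    print("buffer 0 ms :", demo(0))        # every jittered packet is late: silence
    print("buffer 60 ms:", demo(60))       # jitter absorbed, stream intact
    print("with 2% loss:", demo(60, loss=0.02))
```

A deeper buffer turns dropouts into a longer but steady delay, which is why the trade-off between latency and gaps, not bandwidth alone, decides call quality on a congested link.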

The amount of data that is lost depends on the distance and speed
of the connection. Some networks receive a lot of traffic and are
more likely to cause dropouts in the audio stream. Creating dedicated



data paths is one way to provide high quality audio connections.

Most of these disadvantages are being overcome as technology


changes and innovations continue. There is a tremendous amount of
work being done to increase the reliability and usefulness of VoIP.

Numerous VoIP business solutions are available for companies


especially for small to mid-size businesses. Business VoIP can be very
useful for a company that does business with other groups via the
telephone and Internet. For the company that makes many long
distance phone calls, especially calling overseas to different countries,
using the Internet can be a very good way to save money over using
the traditional telephone. This can also be a way to save money on
trips overseas to clients that can be contacted through the VoIP.
Internet calling can also simplify things for the company. Not only will
travel be much less necessary, it will be quicker to conduct operations
and easier to solve problems that may occur in business partners or
associates that are located in another country. There are many great
benefits that can be gained by seeking a VoIP business solution, but
it is important for the company to understand when Internet calling
will be feasible because this option can sometimes be more of an
expense than a benefit.

The choice to invest in VoIP will not always be successful for a


company. There are many firms that will be just as successful without
using a VoIP business solution. For the company that does very little
work or business overseas, business VoIP can be costly. Making an
international phone call from time to time does not merit the expense
of a system like Internet calling. Also, when trips and conferences are
not a frequent issue, the VoIP can be much more expensive than
necessary. The training needs associated with switching to Internet
calling can also be costly for a company.

VoIP Security

There are a number of security issues associated with VoIP. Eavesdropping
is a concern with both PSTN (Public Switched Telephone Network)
and VoIP calls, but there are also other concerns that are unique to
VoIP technology.

Since VoIP data is travelling through the Internet the same as any
other kind of data, it is vulnerable to the same kind of attacks and
threats. There are many software tools available to hackers who wish
to retrieve information that is being transmitted over the Internet and
these tools are just as effective with voice data as with any other kind
of data.

While this may not be a concern with social calls, it is a big concern
for businesses that may routinely use telephone communication for
discussing sensitive business information. Due to the increasing
popularity of VoIP, security is a big concern and is receiving a lot of
attention.

There are a number of points in the transmission of a VoIP call at which an
attacker can retrieve information. As well as recording actual conversations,
attackers can also obtain information such as user identities and VoIP phone
numbers. With this information, an attacker can make phone calls under
someone else's identity.

Attackers could also record phone calls to listen to conversations and possibly
even restructure the voice data to create conversations that never actually took place.

Another security threat is the possibility of malware spreading through the
systems that carry VoIP. Malware and the traffic it generates could overload
VoIP networks, causing delays and a reduction in sound quality.

VoIP is not invulnerable to spam either. In fact, there is already a name for it: SPIT,
Spam over Internet Telephony. This refers to receiving unwanted marketing calls from
companies trying to sell services or products.

There are a number of ways these security concerns can be addressed.

The first is encryption of the call set-up signalling and of the voice packets
themselves (in practice TLS for the signalling and SRTP for the media), which
provides the same kind of security as sending credit card information over a
secure data connection. The second is to separate VoIP traffic from other
Internet traffic by using a Virtual Local Area Network (VLAN); note that a VLAN
isolates the traffic but does not encrypt it. Both of these methods can
adversely affect call quality, but could be used where the calls are sensitive.

For the individual consumer, VoIP security is mostly a matter of preventing
others from eavesdropping on conversations. Some VoIP device providers offer
voice security through encryption or separate data routes. Regular precautions
for transferring files always need to be followed. Any data or program that is
downloaded should be checked for viruses, and a firewall should be in place to
protect the computer from the Internet.

Hardware VoIP devices are more vulnerable to attacks. Some types of equipment
can be rendered unstable, or stop working altogether, if they receive certain
types of malformed data. Some Internet phones are also susceptible to revealing
private information under specific conditions.

Businesses in particular need to be concerned about the security issues
surrounding VoIP. Since many businesses operate their own gateways and other
equipment for connecting to the Internet, they are more susceptible to Denial
of Service (DoS) attacks and other kinds of malicious hacking.
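The identity theft, flooding and SPIT threats listed above leave traces in the call-control (SIP) signalling that a business gateway logs, and a security operations team can triage those records automatically. The following is an added illustration, not from this book and not from any particular PBX or gateway: it flags a source address that repeatedly fails REGISTER authentication (credential guessing), a source that sends INVITEs far faster than a human caller could (an INVITE flood, whether for denial of service or for SPIT), and an INVITE that claims the identity of an extension from an address that never authenticated as that extension. The log format, the addresses, the extension numbers and the thresholds are all constructed for the example.

```python
"""Triage of SIP signalling records for the VoIP threats discussed above.
Added illustration, not from the book: the record format, the addresses,
the extension numbers and the thresholds are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed records: one line per request handled by the gateway, in time order.
LOG_LINES = [
    "2024-03-04T09:00:01Z src=198.51.100.20 method=REGISTER user=2001 status=200",
    "2024-03-04T09:00:05Z src=198.51.100.21 method=REGISTER user=2002 status=200",
    "2024-03-04T09:00:30Z src=198.51.100.20 method=INVITE user=2001 status=200",
]
# Password guessing against extension 2001: six failures in fifty seconds.
LOG_LINES += [
    f"2024-03-04T09:01:{10 * i:02d}Z src=203.0.113.7 method=REGISTER user=2001 status=401"
    for i in range(6)
]
# Calls claiming to be extension 2001 from an address that never registered
# it: forty INVITEs in forty seconds.
LOG_LINES += [
    f"2024-03-04T09:02:{i:02d}Z src=203.0.113.9 method=INVITE user=2001 status=100"
    for i in range(40)
]
LOG = "\n".join(LOG_LINES)


def parse(line):
    """Turn 'timestamp key=value ...' into a dict with a typed timestamp and status."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def burst(times, threshold, window_s):
    """True if at least `threshold` timestamps fall inside some span of window_s seconds."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def triage(log, window_s=60, guess_threshold=5, flood_threshold=20):
    """Return alerts as dicts with rule, src and a short note."""
    records = [parse(line) for line in log.splitlines() if line.strip()]
    reg_failures = defaultdict(list)     # src  -> timestamps of failed REGISTERs
    invites = defaultdict(list)          # src  -> timestamps of INVITEs
    registered = defaultdict(set)        # user -> addresses that authenticated as user
    mismatches = set()
    for r in records:                    # records are in time order, so a
        if r["method"] == "REGISTER":    # registration is seen before its calls
            if r["status"] == 200:
                registered[r["user"]].add(r["src"])
            elif r["status"] in (401, 403, 407):
                reg_failures[r["src"]].append(r["ts"])
        elif r["method"] == "INVITE":
            invites[r["src"]].append(r["ts"])
            if r["src"] not in registered[r["user"]]:
                mismatches.add((r["src"], r["user"]))
    alerts = []
    for src, times in reg_failures.items():
        if burst(times, guess_threshold, window_s):
            alerts.append({"rule": "credential-guessing", "src": src,
                           "note": f"{len(times)} failed REGISTERs"})
    for src, times in invites.items():
        if burst(times, flood_threshold, window_s):
            alerts.append({"rule": "invite-flood", "src": src,
                           "note": f"{len(times)} INVITEs"})
    for src, user in sorted(mismatches):
        alerts.append({"rule": "identity-mismatch", "src": src,
                       "note": f"INVITE as {user} from an address that never registered it"})
    return sorted(alerts, key=lambda a: (a["rule"], a["src"]))


if __name__ == "__main__":
    for alert in triage(LOG):
        print(alert["rule"], alert["src"], alert["note"])
```

The legitimate call from 198.51.100.20 raises nothing because that address registered as extension 2001 first; the two attacking addresses each trip a rule, and the flood trips two. Thresholds of this kind are tuned per site, and the identity rule assumes the gateway rejects INVITEs that bypass registration altogether.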

VoIP is undergoing a constant evolution. VoIP products and users are on the
rise. Major computer corporations such as Yahoo, Google, Microsoft, MSN and AOL
are consistently adding VoIP capabilities to their product lists. Now most
Instant Messaging tools utilize some form of VoIP, and products such as Skype
still lead the path into the VoIP future.



Video Conferencing

Video conferencing may be defined as the real-time exchange of audio and
video between two or more remote facilities, people or groups using hardware-based
technologies (such as encoders, high-definition cameras and monitors) and
telecommunication technologies (such as telephone and cable lines, satellite transmission,
etc.). Video conferencing represents a broad range of opportunities for training and
communicating in organizations large and small. The use of video conferencing
technology allows companies to connect with employees in many locations, domestic
and international, for business reasons and to offer information and education that can be
presented live and on demand.

Video conferencing allows people from all over the world to meet together for social
or business reasons without having to travel to another place. It saves time and cost.
Company employees are more productive in that they do not have to leave home or
spend time traveling; businesses and organizations are efficient and cost effective as
video conferencing saves a company money, and meetings can be almost
instantaneous in planning and prep if necessary, as the technology is easy to use once
set up.

There are three types of video conferencing: one person using a computer, small
group based, and large group or boardroom based. Each demands different
equipment. The one-on-one video conference uses a personal computer and a
webcam. The small and large room dedicated systems use more equipment: a high
quality video camera, microphones, monitors and an appropriate provider that gives
proper compression, decompression and transmission of the digital audio and video
signals. The cost ranges from minimal to expensive depending on the system deployed.

The VC uses are virtually unlimited. Every field and profession potentially could use
video conferencing. Lawyers, doctors, welfare agencies, utility companies, banks,
professors and teachers, TV stations, the military and government all have used video
conferencing one way or the other. Technology is rapidly advancing, and costs are
expected to come down even more, making the use even more widespread. Video
conferencing eliminates the need for personnel to travel for meetings or training
purposes. Flying to away destinations and boarding at hotels is eliminated thus saving
both expense and travel money as well as reducing the company's carbon footprint.

There are many vendors and resources available for videoconferencing. Therefore,
businesses should make their decisions carefully and should ask vendors specific
questions to ensure they can meet the needs of the people and organization. Ask
about call reliability, quality of the audio/video, ease of use, how the system will
integrate with the existing software and technology, and about future expansion and
support. Also ask vendors for references to learn about specific experiences as well as
the pros and cons of using such technology from the people who have experienced
the vendor and technology.

Choosing between IP or ISDN?


Video conferencing has been improving as more efficient coding
techniques are introduced and high-definition, life-size systems become available.
However, getting it to work, particularly between companies, is still relatively hard.

Telephony has a standardized addressing system and universal interoperability: any
phone can call any other on the telephone network. Video conferencing has not yet
reached this stage. Two types of transmission networks are available, and equipment
manufacturers often make sure that the best results are only possible when working
between terminals made by the same vendor.

Historically, video conferencing systems used ISDN connections based on the H.320
standards. H.320 is a suite of protocols for running multimedia (audio/video/data)
over ISDN-based networks, specifying technical requirements for narrow-band visual
telephone systems and terminal equipment, typically for videoconferencing and
videophone services.

ISDN has the following advantages:

■ available world-wide

■ unique numbering scheme already allocated by the telephone network

■ works well between different companies

However, ISDN has significant limitations too, including

■ high cost of getting a circuit

■ high call costs, often time and distance-dependent


■ limited bandwidth of 64kbps per channel. Video often needs 3 or 6 ISDN channels,
increasing cost and complexity

For video conferencing within a company, using the corporate IP data network that
connects the computers together makes a good alternative, and this network often
connects the company offices globally. Video conferencing over IP networks using
H.323 (designed with a focus on the requirements of multimedia communication over
IP networks) has some great advantages:

■ company-wide availability

■ low cost

■ no time and distance costs

■ high bandwidth potential, capable of good pictures and sound


Disadvantages include:

■ few company networks permit connections to other companies
without the approval of both companies' IT and security
departments at a very senior level

■ IP addresses change, so a gatekeeper is needed to locate


terminals even in point to point calls. (Gatekeeper is a
management tool for H.323 multimedia networks. Gatekeepers
are available as either hardware devices or software applications
from vendors like Cisco).



■ Video conferencing data rates can clog WAN links on branch
office sites

For communication between different parts of one company IP


networks are usually preferred. A gatekeeper is often used to allocate
terminal addresses so that they are fixed. For communication between
enterprises ISDN is a way of solving connectivity problems for
occasional calls.

If a lot of conferencing calls are expected then there are solutions to
connect IP calls, either via a third-party service provider or using
devices like session border controllers to route calls across corporate
networks via WAN links. It is also possible to route calls between IP and
ISDN networks using devices called gateways; implementing this is
generally the job of IT professionals. Many conferencing terminals
offer both IP and ISDN connections and this is often the easiest
solution for users wanting to access both types of network.

Once the problems of getting a transmission path to the far end have
been sorted out there remains the issue of compatibility between
conferencing terminals. ISDN terminals using H.320 and IP terminals
using H.323 will usually get a connection with sound and vision,
though not always at the highest quality possible if the terminals are
from different vendors.

Groupware

As the corporate workforce continues to expand beyond local and even
national boundaries, the need for more effective collaboration
becomes critical. In order to stay competitive, corporations need to
have access to talent everywhere without the restrictions
of geographical boundaries. As global workgroups become more of a
reality, corporations need a way to stay connected. This is where the
use of groupware becomes a necessity.

The term groupware refers to software applications that are designed


to help geographically dispersed groups of people work together
towards one specific goal. Groupware typically utilizes computer-
networking capabilities to streamline communications and facilitate
the sharing of data among all group members. Groupware (also
referred to as workgroup productivity software or collaborative
software) is computer software designed to help people involved in a
common task achieve their goals. Common groupware applications
that are easily recognized by today's computer users include Lotus
Notes, email server systems such as FirstClass and Microsoft
Exchange, 24Seven Office, Livelink, and Workspot.

Groupware programs consist of the following two basic features: (1) data storage and
management functionality, and (2) communication enablement features. In other words,
groupware provides a centralized location for data storage and synchronization, and
provides a means by which groups can collaborate efficiently regarding the data. The
theory behind groupware software is that it helps people increase their productivity
through the collaboration and sharing of information.

The following are some of the key features that groupware programs offer and the
benefits provided by them:

■ One centralized location for data storage - Groupware software is designed to


store and manage all data that is relevant to a project so that it is easily accessible
to all relevant parties. This means groupware users have the ability to post as well
as access documents easily in a central database location. The groupware
application then synchronizes the data through a versioning system so that the
most recent data is accessed first. Typically, groupware programs also track all
changes and who is responsible for the changes. In addition, groupware users have
the ability to search the database for relevant data with intuitive search capabilities
that are built into the software application.

■ Communication enablement - Groupware provides additional avenues of


communication to workgroups that would not be available otherwise. Instant
messaging, web conferencing, database access, document versioning, group
calendars, and task management are all examples of avenues of communication
that are provided through groupware. By providing the means that enable
communication, groupware improves collaboration and communication by making
it faster, clearer, and more efficient. In addition, miscommunication due to a lack of
relevant information or slow communication is eliminated.

■ Improves group problem solving capabilities -- Since groupware allows all


workgroup members to have access to the same pertinent data, decision-making
becomes proactive rather than reactive. With quick and easy access to the most
accurate information workgroups can always work from the same point of
reference. Efficiency is increased as less time is spent sifting through stacks of data,
and more time is spent on specific project tasks.

Some experts divide groupware into three categories: communication tools, conferencing
tools, and collaborative management tools. Communication tools include email, fax and
voice mail. Conferencing tools include data, voice/video conferencing, message boards
and chat. Collaborative management tools include electronic calendars, project
management systems and workflow systems.

Other experts divide groupware into two categories related to time and two other
categories related to place. When employees are using an application at the same time,
it is synchronous groupware; workers using the same application at different times,
however, are using asynchronous groupware. The place-related categories are collocated,
groupware that



is used by people in the same place; and distance, groupware that is used by people in
different places.

While the groupware categorization (above) may not be either the only or universally
accepted it still serves to organize groupware for better understanding.

Businesses use groupware for a variety of reasons. One primary reason is to bypass the
traditional problem of having employees in different places that need to work on the
same application. By logging in to a network or intranet server, employees in different
places can access the same application and benefit from the various perspectives and
opinions of others. This functionality is a primary aspect of telecommuting. If the
employee can log in to the company server from anywhere, then he doesn't need to be
in the office in order to access certain groupware.

Telecommuting can save on travel costs for both companies and employees. It can also
enable real-time communication when it would otherwise be impossible. This
communication can foster a greater understanding of the targets and goals of a
business's projects, through group discussion of each step along the way to achieving
those targets and goals.

Another use for groupware is group problem-solving. Many times, some employees see
things differently from other employees. If they are all working within the same
application framework, they can solve problems collectively, saving the company time
and money. Without groupware, such real-time cooperation would not be possible.

Instant Messaging

Instant messaging (IM) is a form of communication between two or more
people based on typed text. The text is delivered via computers connected over a
network such as the Internet.

Instant messaging requires an instant messaging client that connects to an instant


messaging service. Instant messaging is different from e-mail in that conversations
happen in real-time.

Instant messaging services owe many ideas to an older and still popular online chat
medium named Internet Relay Chat (IRC). In early instant messaging programs, each
letter appeared as it was typed, and when letters were deleted to correct typos this
was also seen in real time. This made it more like a telephone conversation than
exchanging letters. In modern instant messaging programs, the other party in the
conversation generally only sees each line of text either after a new line has started or
after the sender presses the send/enter key.

Online instant messaging has become an effective communication tool among friends
and coworkers. These programs provide the kind of immediate feedback that is not
possible through email. It also allows participants a level of privacy that is not available
in chat rooms or Internet forums. Most users will develop a friends list from among
acquaintances who utilize the same program. Whenever an individual accesses the
Internet, many of these programs will inform all of the friends on the user's list that the
individual is online.
Benefits

Instant messaging offers real-time communication and allows easy collaboration, which
might be considered closer to genuine conversation than email's "letter" style. In
contrast to e-mail, the parties know whether the peer is available. Most systems allow
the user to set an online status or away message so others are notified when the user is
available, busy, or away from the computer. On the other hand, people are not forced
to reply immediately to incoming messages. For this reason, some people consider
communication via instant messaging to be less intrusive than communication via
phone.

Instant messaging allows instantaneous communication between a number of parties
simultaneously, by transmitting information quickly and efficiently, featuring immediate
receipt of acknowledgment or reply. In certain cases IM involves additional features
which make it even more popular, such as seeing the other party by using web-cams, or
talking directly for free over the Internet.

Beyond simple text-based instant messages, most IM software now allows users to share
files and photos, broadcast their thoughts to friends through voice and video chat and
even battle buddies with online IM games.

Other benefits and features of IM include:


■ Emoticons are one of the best features that the instant messaging software
provides. These are visual and graphical expressions which take the form of human
faces in cartoon style. Many people today use these emoticons instead of
messages to show their feelings.

■ Some instant messaging programs have the option of making free calls to
any contact present in the list. These free calls are available only when both
parties are online, because the other person has to receive the call when
being called.

■ Parallel chats, i.e. one user can chat with many people at the same time.
Privacy is thus maintained between separate IM sessions. There is also an
option for group chats, which enables the user to send the same message to all
the persons in the group at the same time, so the user does not have to type
the message again and again.

■ In many cases, a user can customize the appearance of their IM program through
animations, scenes, and sounds that are widely available. Some programs even
allow users to share digital photographs and images within the conversation
window.
Advantages IM can bring to the workplace

Web conferencing and instant messaging are infiltrating and revolutionizing the
workplace, accelerating business cycles and helping to maintain close, collaborative
relationships. IM allows users to effectively be in multiple places at the same time.
Users can take action on routine items or check facts while sitting in a meeting. It has
the power to change the way people work.

For example, using instant messaging, a management team and its recruitment agency
are able to line up additional resources within hours. Falling back on email and phone
calls, the same process could take days.

Skeptics of IM who say that people will abuse it by talking to each other all the time
should realize that this can just as easily happen on the phone or via email.

The bottom line is that IM offers business value - with unified communication, direct contact, improved collaboration and cost savings. It is a fast way to get co-workers' attention, rapidly resolve issues and questions, and save on phone costs. IM is especially useful for remote workers, where building a community is essential in helping employees to be more effective.

Advantages of Instant Messaging in the Enterprise

■ Rapid information dissemination

■ Faster, more immediate decision-making

■ The ability to be more responsive to customers

■ The ability to achieve more in meetings - and without busy managers needing to attend each time

■ Motivating and including dispersed or home-based team members, improving remote collaboration and individual and team productivity

Safety precautions

As with other Internet communication tools, there are some protective steps that users should follow. Accepting downloads or opening unknown files via instant message can be dangerous, particularly if the source of the file or download is not someone that the user knows outside of the Internet realm. Frequently updating security software is a must to remain protected against these viruses. The most up-to-date version of an online instant messaging program can give added protection as well. Utilizing anti-spyware may also be helpful.
Transaction Processing Systems

A transaction processing system is a type of information system. TPSs collect, store, modify and retrieve the transactions of an organization. A transaction is an event that generates or modifies data that is eventually stored in an information system. To be considered a transaction processing system the computer must pass the ACID test. ACID (atomicity, consistency, isolation, durability) is a set of properties that guarantee that transactions are processed reliably. A single logical operation on the data is called a transaction. For example, a transfer of funds from one bank account to another, even though that might involve multiple changes (such as debiting one account and crediting another), is a single transaction.

The essence of a transaction program is that it manages data that must be left in a consistent state, e.g. if an electronic payment is made, the amount must be both withdrawn from one account and added to the other: it cannot complete only one of the two steps. Either both must occur or neither. In case of a failure preventing transaction completion, the partially executed transaction must be 'rolled back' by the TPS. While this type of integrity must be provided also for batch transaction processing, it is particularly important for online processing.
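The funds-transfer case above is the textbook illustration of atomicity, and the rollback is easiest to understand in running code. The following is an added example written for this edition, not code from the book or from any banking product: it uses Python's built-in sqlite3 module, with constructed account numbers and balances, to show that the debit and the credit either both commit or both roll back, including when the failure happens after the debit has already executed.

```python
import sqlite3


def open_ledger():
    """Create an in-memory ledger with two constructed sample accounts.

    Balances are held in integer minor units (e.g. paisa) so that money
    arithmetic never suffers floating-point rounding. The CHECK constraint
    turns an overdraft into a database error, which is what triggers the
    rollback in transfer() below. Account ids and balances are made up
    for this example; they are not from the book.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " id TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.execute(
        "CREATE TABLE journal ("
        " id INTEGER PRIMARY KEY,"
        " src TEXT NOT NULL, dst TEXT NOT NULL, amount INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO accounts (id, balance) VALUES (?, ?)",
        [("A-1001", 500_00), ("B-2002", 100_00)],
    )
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from account `src` to account `dst` as one transaction.

    Returns True if the transfer was committed and False if it was rolled
    back. The debit, the credit and the journal entry either all become
    visible or none of them do (atomicity); the overdraft CHECK keeps the
    ledger consistent; sqlite3's implicit BEGIN/COMMIT gives isolation and,
    on a file-backed database, durability.
    """
    if amount <= 0:
        raise ValueError("amount must be positive")
    try:
        # A connection used as a context manager commits if the block
        # completes and rolls back if any exception escapes it.
        with conn:
            cur = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE id = ?",
                (amount, src),
            )
            if cur.rowcount != 1:
                raise LookupError(f"unknown source account {src}")
            cur = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE id = ?",
                (amount, dst),
            )
            if cur.rowcount != 1:
                # The debit above has already run; raising here undoes it.
                raise LookupError(f"unknown destination account {dst}")
            conn.execute(
                "INSERT INTO journal (src, dst, amount) VALUES (?, ?, ?)",
                (src, dst, amount),
            )
        return True
    except (sqlite3.IntegrityError, LookupError):
        # The partially executed work was rolled back by the context manager.
        return False


def balances(conn):
    """Return {account_id: balance} for every account."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def journal_entries(conn):
    """Return the number of committed transfers recorded in the journal."""
    return conn.execute("SELECT COUNT(*) FROM journal").fetchone()[0]


if __name__ == "__main__":
    ledger = open_ledger()
    print(transfer(ledger, "A-1001", "B-2002", 200_00), balances(ledger))   # committed
    print(transfer(ledger, "A-1001", "B-2002", 1000_00), balances(ledger))  # overdraft: rolled back
    print(transfer(ledger, "A-1001", "Z-9999", 50_00), balances(ledger))    # bad payee: rolled back
```

The third call is the interesting one: the source account has already been debited when the destination lookup fails, and the balances afterwards show that the debit did not survive. A TPS that updated the two accounts in separate statements without a surrounding transaction would leave the money missing.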

Features of Transaction Processing Systems

The success of commercial enterprises depends on the reliable processing of transactions to ensure that customer requirements are met on time, and that partners and suppliers are paid and can make payment. The field of transaction processing, therefore, has become a vital part of effective business management, led by such organizations as the Association for Work Process Improvement and the Transaction Processing Performance Council.

Transaction processing systems offer enterprises the means to rapidly process transactions to ensure the smooth flow of data and the progression of processes throughout the enterprise. Typically, a TPS will exhibit the following characteristics:

Rapid Processing
The rapid processing of transactions is vital to the success of any enterprise - now more than ever, in the face of advancing technology and demand for immediate action. TPS systems are designed to process transactions virtually instantly to ensure that customer data is available to the processes that require it.

Reliability
Systems must be designed to ensure that not only do transactions never slip past the net, but that the systems themselves remain operational permanently. TPS systems are therefore designed to incorporate comprehensive safeguards and disaster recovery systems. These measures keep the failure rate well within tolerance levels.

Standardization
Transactions must be processed in the same way each time to
maximize efficiency. To ensure this, TPS interfaces are designed to
acquire identical data for each transaction, regardless of the
customer.

Controlled Access
Since TPS systems can be such a powerful business tool, access must be restricted to only those employees who require their use. Restricting access to the system ensures that employees who lack the skills, ability and authority to use them cannot influence the transaction process.

Real Time Processing
In many circumstances the primary factor is speed. For example, when a bank customer withdraws a sum of money from his or her account it is vital that the transaction be processed and the account balance updated as soon as possible, allowing both the bank and the customer to keep track of funds.

Multi-Currency Operations
With the global nature of businesses and organizations these days it is necessary that banks offer facilities for carrying out a variety of transactions in different world currencies. The same requirement must be fulfilled by the banking package used.

Other features that core banking systems must offer are online transaction processing and online access to customers for carrying out banking activities (Internet, phone etc).

Information Technology in Financial Services | Reference Book 2

Core banking

Core banking is normally defined as the business conducted by a banking institution with its retail and small business customers. Many banks treat the retail customers as their core banking customers and have a separate line of business to manage small businesses. Larger businesses are managed via the corporate banking division of the institution. Core banking basically is the depositing and lending of money.

Nowadays, most banks use core banking applications to support their operations, where CORE stands for "centralized online real-time exchange". This basically means that all the bank's branches access applications from centralized datacenters. This means that the deposits made are reflected immediately on the bank's servers and the customer can withdraw the deposited money from any of the bank's branches throughout the world.

A few decades ago it used to take at least a day for a transaction to reflect in the account, because each branch had its own local servers and the data from the server in each branch was sent in a batch to the servers in the datacenter only at the end of the day (EoD).

Normal core banking functions will include deposit accounts, loans, mortgages and payments. Banks make these services available across multiple channels like ATMs, Internet banking, phone banking and physical branches.

Core banking solutions

Core banking solutions are banking applications on a platform enabling a phased, strategic approach that is intended to allow banks to improve operations, reduce costs and be prepared for growth. Implementing a modular, component-based enterprise solution facilitates integration with a bank's existing technologies. An overall service-oriented architecture (SOA) helps banks reduce the risk that can result from manual data entry and out-of-date information, increases management information and review, and avoids the potential disruption to business caused by replacing entire systems.

"Core banking solution" is a relatively new term frequently used in banking circles. The advancement in technology, especially the Internet and information technology, has led to new ways of doing business in banking. These technologies have cut down time, allowed work on different issues simultaneously and increased efficiency. The platform where communication technology and information technology are merged to suit the core needs of banking is known as a core banking solution. Here, computer software is developed to perform core operations of banking like recording of transactions, passbook maintenance, interest calculations on loans and deposits, customer records, and balances of payments and withdrawals. This software is installed at the different branches of a bank and then interconnected by means of communication lines like telephone, satellite, Internet etc. It allows the user (customer) to operate accounts from any branch that has the core banking solution installed. This new platform has changed the way banks work.

Gartner defines a core banking system as a back-end system that processes daily
banking transactions and posts updates to accounts and other financial records. Core
banking systems typically include deposit, loan and credit-processing capabilities, with
interfaces to general ledger systems and reporting tools. Features of a core banking
system include:

■ Single Window Operation

■ Secured & Authorized Signature Operations

■ User Configurable Trial Balance and P & L Account with multiple formats

■ Max. Operations & information on Hot keys

■ Daily Receivable, Payable

■ User level based security

■ Data Export Facility

■ Strong system for Bills (OBC, IBC, Bank Guarantee and Pay Orders)

■ Normalized data structure for consistent and quick access

■ Online Snapshot backup after specified time interval

■ Remote Transactions through modem or other media

■ A/c. Opening documents received/pending message while transacting on the A/c.

■ User-wise Reminder Setting

■ Officer-wise passing levels, Overdraft limits

■ While transacting on a Loan account, status regarding Overdue/Overdraft, Insurance due, Renewal and Stock Statement will automatically appear on the screen

■ Connectivity Interfaces for pigmy Terminals, ATM, IVRS and Touch Screens are built-in

■ Clearance of Outward Clearing Cheques based on Fate Delay and Branch weekly off



IT Systems that link a Bank with other Banks
Modern financial institutions have cashed in on the electronic
business opportunities of the Internet by developing numerous
payment systems to meet various payment service requirements.
Advanced computer systems and telecommunications technology are
being used to offer fast, convenient, and secure ways to conduct
financial transactions at service and security levels that are hardly or
never achieved by traditional payment systems.

Inter-bank EFT uses on-line transactions carried out on private networks to transfer funds; the bank plays the role of both payer and payee. Such transfers occur between a bank and its customers, or a bank and another bank. In contrast to a check payment, which requires several actual processing days and manual efforts like signature verification, check sorting, and information capture, EFTs are same-day, almost instantaneous payments. The figure below illustrates one possible method used for such transfers to conduct payments.

[Figure: inter-bank credit transfer flow. Labels: Customer A, Commercial Bank A, Clearing House, Commercial Bank B, Customer B; credit transfer message; settlement positions; credit to B's A/C.]

As shown in the figure, customer A uses commercial bank A to remit a fixed amount of money to customer B banking with commercial bank B. After receiving the remittance amount plus any fees, commercial bank A sends an electronic credit transfer message to commercial bank B through a clearing house. According to the credit instruction, commercial bank B credits the remittance amount to customer B's account. After a fixed accounting period, the computer system at the clearing house will calculate the settlement positions for participating banks and send them to the central bank via telecommunication channels. The system at the central bank will use the accounts held by commercial banks to perform debit/credit operations for clearing the difference of transfer amounts among banks, thus completing the funds flow of the remittance process. EFTs can achieve immediate payment across two remote sites by the telecommunication facility under some credit line arrangement, but there must be some way to ensure the security of the remittance. Such protection should prevent the revelation of the information as well as illegal modification of it, by both external attackers and internal betrayers.
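To make the clearing and settlement steps concrete, here is an added worked example; it is not part of the original text and not the code of any real clearing house. It models the two computations the paragraph describes, the clearing house netting each bank's position from the credit transfer messages and the central bank posting those positions against the banks' accounts under a credit-line limit, and adds the integrity control the last sentence calls for: each message carries an HMAC from the sending bank, so a message altered in transit is rejected before it can affect any bank's position. Bank names, keys, amounts and credit lines are constructed sample values.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample keys shared between each bank and the clearing house.
# A real deployment would provision these through a key-management process;
# these values exist only so that the example runs offline.
BANK_KEYS = {
    "BANK_A": b"sample-key-for-bank-a",
    "BANK_B": b"sample-key-for-bank-b",
    "BANK_C": b"sample-key-for-bank-c",
}


def _canonical(msg):
    """Fixed byte layout of the fields the MAC protects (id, payer, payee, amount)."""
    return f"{msg['id']}|{msg['from']}|{msg['to']}|{msg['amount']}".encode()


def sign_transfer(msg, key):
    """Return a copy of a credit transfer message carrying an HMAC-SHA256 tag."""
    tag = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return {**msg, "mac": tag}


def verify_transfer(msg):
    """True only if the tag matches the sending bank's key (constant-time compare)."""
    key = BANK_KEYS.get(msg.get("from"))
    if key is None or "mac" not in msg:
        return False
    expected = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])


def net_positions(messages):
    """Clearing-house step: net the accepted credit transfers per bank.

    Returns (positions, rejected_ids). A bank's position is what it is owed
    minus what it owes, so the positions of all banks always sum to zero.
    Messages that fail the integrity check are excluded and reported.
    """
    positions = defaultdict(int)
    rejected = []
    for msg in messages:
        if not verify_transfer(msg):
            rejected.append(msg["id"])
            continue
        positions[msg["from"]] -= msg["amount"]
        positions[msg["to"]] += msg["amount"]
    return dict(positions), rejected


def settle(positions, settlement_accounts, credit_lines):
    """Central-bank step: post the net positions to the banks' accounts.

    All-or-nothing: if any bank would end below its agreed credit line,
    nothing is posted and False is returned; otherwise the accounts are
    updated in place and True is returned.
    """
    if sum(positions.values()) != 0:
        raise ValueError("net positions must sum to zero")
    for bank, delta in positions.items():
        if settlement_accounts.get(bank, 0) + delta < -credit_lines.get(bank, 0):
            return False
    for bank, delta in positions.items():
        settlement_accounts[bank] = settlement_accounts.get(bank, 0) + delta
    return True


def sample_day():
    """Constructed traffic: three valid transfers plus one tampered with in transit."""
    msgs = [
        sign_transfer({"id": "T1", "from": "BANK_A", "to": "BANK_B", "amount": 500}, BANK_KEYS["BANK_A"]),
        sign_transfer({"id": "T2", "from": "BANK_B", "to": "BANK_C", "amount": 200}, BANK_KEYS["BANK_B"]),
        sign_transfer({"id": "T3", "from": "BANK_C", "to": "BANK_A", "amount": 100}, BANK_KEYS["BANK_C"]),
        sign_transfer({"id": "T4", "from": "BANK_A", "to": "BANK_C", "amount": 1000}, BANK_KEYS["BANK_A"]),
    ]
    msgs[3]["amount"] = 9000  # illegal modification after signing: the tag no longer matches
    return msgs


if __name__ == "__main__":
    positions, rejected = net_positions(sample_day())
    accounts = {"BANK_A": 300, "BANK_B": 0, "BANK_C": 0}
    print(positions, rejected)
    print(settle(positions, accounts, {"BANK_A": 200}), accounts)
```

The HMAC covers integrity and origin only; confidentiality of the message on the wire, which the paragraph also asks for, is a separate control (link or message encryption) that this example does not model.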

The prominent networks available in Pakistan for interbank operations are the Society for Worldwide Interbank Financial Telecommunication (SWIFT), the Real Time Gross Settlement System (RTGS), 1LINK and Mnet. A couple of them are discussed below.

Society for Worldwide Interbank Financial Telecommunication (SWIFT)

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) operates a worldwide financial messaging network which exchanges messages between banks and other financial institutions. SWIFT markets software and services to financial institutions.

The majority of international interbank messages use the SWIFT network. As of September 2010, SWIFT linked more than 9,000 financial institutions in 209 countries and territories, which were exchanging an average of over 15 million messages per day. SWIFT transports financial messages in a highly secure way, but does not hold accounts for its members and does not perform any form of clearing or settlement.

SWIFT has become the industry standard for syntax in financial messages. Messages formatted to SWIFT standards can be read by, and processed by, many well known financial processing systems.

SWIFT does not facilitate funds transfer; rather, it sends payment orders, which must be settled via correspondent accounts that the institutions have with each other. Each financial institution, to exchange banking transactions, must have a banking relationship, by either being a bank or affiliating itself with one (or more), so as to enjoy those particular business features.

The SWIFT secure messaging network is run out of three redundant data centers, in the United States, the Netherlands and Switzerland. These centers share information in near real-time. In case of a failure in one of the data centers, the others are able to handle the traffic of the complete network.

1LINK

1LINK (Guarantee) Limited is a consortium of major banks that owns and operates the largest representative shared financial services network in Pakistan, with a combined strength of over 2200 online ATMs in major cities and towns across the country. 1LINK started its journey way back in 1997, when two banks took the initiative of forming a shared switch, and it has come a long way since then.

The synergy of financial institutions working together for a common goal has steadily
increased the strength and services of 1LINK (Guarantee) Limited. Over the years 1LINK has
become a widely acknowledged brand with an increasing number of members, serving as
a catalyst for the development of e-Banking in the country.

The network is continuously expanding as more member banks are engaged in the
deployments of ATMs. 1LINK Shared ATM network provides round-the-clock access of
ATMs and wide range of products and services to member banks customers. The number
of banks connected to the network has grown from twelve in 2003 to twenty-two in 2006
and more than thirty in 2010.

The State Bank of Pakistan has mandated that all commercial banks in Pakistan, both foreign and domestic, become members of one or the other switch. Additionally, the two switches have been interconnected since 2006, which means that a consumer holding an ATM or debit card issued by any bank in Pakistan may use any ATM located throughout the country.

In June 2011 PTCL and 1LINK entered into an agreement under which PTCL will offer 1LINK a bouquet of its services. These services offer secure, reliable and integrated end-to-end connectivity solutions to cater to 1LINK's requirements. As a result of this arrangement, the services and service quality of 1LINK are expected to improve.
Card Processing Systems

Credit card transactions are extremely common, popular and preferred these days owing to their convenience, speed and security. Hundreds of businesses, merchants and ATMs accept credit cards and other cards of the family for credit transactions and cash advances. When a customer presents a card at the POS terminal or checkout counter, verification and authorization are required. International networks connect card readers at the point of sale locations with the issuing organizations. Two such networks are the VISA and MasterCard networks.

VISA's VisaNet

Visa is a global payments technology company that connects consumers, businesses, banks and governments in more than 200 countries and territories, enabling them to use digital currency instead of cash and checks. Visa does not issue cards, extend credit or set rates and fees for consumers. Visa's innovations, however, enable its bank customers to offer consumers more choices: pay now with debit, ahead of time with prepaid, or later with credit products.

Visa has built one of the world's most advanced processing networks, capable of handling more than 20,000 transactions per second, with reliability, convenience and security, including fraud protection for consumers and guaranteed payment for merchants.

Visa operates VisaNet, the world's largest retail electronic payment processing network, handling an average of 130 million transactions every day. In total, more than $5.4 trillion in global consumer spending is transacted on Visa-branded payment products annually. Underlying these products is a robust set of processing services that are powered by VisaNet, including core transaction processing, risk management and information-based services. These services can be tailored to individual countries or regions and serve the needs of financial institutions, governments, businesses, merchants and consumers around the world. Every day, VisaNet connects up to 1.87 billion cards, millions of acceptance locations, 1.8 million ATMs and 15,500 financial institutions.

VisaNet's centralized processing architecture is a competitive advantage for Visa and has been a catalyst for the global migration from cash and checks to electronic forms of payment. The network's flexibility enables Visa to meet the growing demand for electronic payments around the world by connecting new acceptance locations and extending the reach of Visa's products and services to even the most remote locations.

At the heart of VisaNet are three state-of-the-art synchronized data centers on two continents, linked by 1.2 million miles of fiber-optic cable. This highly redundant architecture ensures VisaNet is:


■ Fast - On average, transactions are processed in less than a single second, providing merchants and financial institutions with immediate business-critical risk information, while offering a superior account holder experience.

■ Secure - VisaNet employs multiple defense layers to prevent breaches, combat fraud and render compromised card data unusable. These defense layers include data encryption, network intrusion detection and neural network technologies.

■ Reliable - VisaNet's multiple redundant systems ensure near-100 percent availability. The self-correcting network can detect problems in an instant and automatically trigger resolution processes.

■ Flexible - Visa's processing systems are designed for maximum flexibility. VisaNet supports an unmatched line up of payment, payment-related, risk management and information products and services.

■ Scalable - On Visa's busiest single day last year, VisaNet processed more than 200 million authorization transactions. Annual VisaNet stress tests show a network capable of processing hundreds of millions of transactions per day.

MasterCard's Worldwide Network

MasterCard's Worldwide Network is the second most important and popular card processing network/system. MasterCard claims to have wired the world for commerce through the MasterCard Worldwide Network, which connects financial institutions, merchants and cardholders with payment processing services that offer a payment experience that is:

■ Consistent, knowing payments will be accepted and guaranteed virtually anywhere in the world.

■ Reliable, knowing payments will be managed quickly, seamlessly and accurately.

■ Secure, knowing payment data is protected under the strictest compliance guidelines.

■ Valuable, knowing unique value-added payment programs are available and tailored to spending needs.

As an industry's major player for more than 40 years, MasterCard has realized how integral the payment processing network is to the financial institutions' and merchants' ability to balance cost control and revenue growth in their business. Consequently, MasterCard in the recent past has continuously invested in the MasterCard Worldwide Network to make it an integrated, intelligent and innovative payment network in the industry.

Desktop Support systems / Customer services systems

By talking back when they believe they have not received their money's worth, customers give businesses an opportunity to correct the immediate problem and restore goodwill. Experience has shown that customers who complain about products and services continue utilizing the same services and buying the products they have complained about if they believe their complaint was resolved fairly.

Research into complaint behavior reveals that only a fraction of dissatisfied consumers actually complain formally to the business and, thereby, give the company an opportunity to correct the problem. There is evidence that some consumers do not complain because they are skeptical about the organization's willingness or ability to resolve disputes fairly. Such customers simply withdraw their patronage and criticize the company or the product to others.

Such findings underscore the importance to businesses of a complaint management system that is well-publicized and easily accessible. An unregistered complaint may do as much harm as one that is mismanaged or not resolved.

Careful complaint management can save a business unwanted costs. For example, negative word-of-mouth publicity from dissatisfied consumers means lost revenue and necessitates additional investment in advertising to attract replacement customers.

Complaints and complaint trends tell businesses how to do their job better by alerting management to problems that need prompt attention and correction. Furthermore, they indicate long-range opportunities for product innovation and problem prevention.

To get valuable feedback and attention to issues, complaint-response systems must generate information swiftly and systematically to the appropriate managers or departments. Initial screening should trigger immediate action, when necessary, and statistical summaries should identify short- and long-range courses of action.

Within the banking industry, 'complaints management' has become an integral part of operations, both from a regulatory perspective and from a customer service standpoint. Complaints management is just one initiative under a larger strategy called customer experience management (CEM). By listening to customers, banks and organizations can develop service standards and delivery processes to meet these standards. In a transaction driven business such as banking, this represents a difficult task and the objectives cannot be achieved without a technology-based solution.
These days all banks have formal complaints-handling practices and automated systems in place. They encourage customers to deal with their local branch, or the business unit in which the problem originated, or to use computerized systems that may be web-based. The bank's goal is to resolve these complaints at the bank's level. When this is unsuccessful, however, other options exist. Consequently, the complaints management process also has a regulatory component: over the years, a number of government and industry organizations have been created to help customers resolve complaints against banks.

A complaints management system or software solution is a comprehensive solution for managing complaints from customers and channel partners. The real-time visibility provided by the customer complaint software enables organizations to track each complaint through its lifecycle from recording and initiation to investigation, reporting, and closure - following the appropriate process to ensure that nothing slips through or remains unaddressed.


The powerful analytics and reporting capability of complaint management systems, with graphical dashboards, helps managers to perform trend analysis and spot recurring problems to drive root cause analysis in a timely manner. Using a complaint handling software solution, organizations can increase customer satisfaction and retention through improved responsiveness. Rigorous management of customer complaints also drives continuous improvement and regulatory compliance.

A typical complaints management solution enables customer service representatives and complaint managers to handle a complaint for a product or service coming from multiple sources like phone, fax, email, or the web. All crucial details and parameters about the product as well as the incident are captured. Various technology-based features boost efficiency and ensure accuracy of information. Depending on the complaint parameters, the case is automatically routed for investigation, response, and reporting. Notifications are sent to relevant departments and personnel and an escalation mechanism is triggered based on the problem's severity and priority.

The complaints management system provides complete visibility into the complaints database and lifecycle with comprehensive aggregate reporting as well as individual case status tracking. The ability to associate various complaint types for spotting trends and common sources of complaints ensures timely preventive actions. Graphical executive dashboards provide statistics and data by a variety of complaint parameters. Drill-down capabilities allow reaching the finest level of detail to see the underlying data. The systems also provide quick access to graphical scorecards or tabular data that can be easily exported in industry standard formats and layouts.

Although a complaints management process may exist, it is important to know how well it is working. Research indicates that complaints handled professionally and in a timely manner result in customers continuing to do business with a company. It is essential that customers who complain are satisfied with the complaint management process as well. This will not only help to retain business, but will also reduce the damage that negative 'word of mouth' has with existing or potential customers.


MIS Applications

Initially in businesses, banks and other organizations, internal reporting was made manually and only periodically, and gave limited and delayed information on management performance. Previously, data had to be separated and managed manually as per the requirement and necessity of the organization. Later, data was converted into information either manually or using standalone computers with limited analytical capabilities, and so instead of the collection of a mass of data, only the important and relevant data needed by the organization was stored.

In the past, business computers were mostly used for relatively simple operations such as tracking sales or payroll data, often without much detail. Over time, these applications became more complex and began to store increasing amounts of information while also interlinking with previously separate information systems. As more and more data was stored and linked, applications were created to analyze this data in further detail, creating entire management reports from the raw, stored data. The term "MIS" was created to describe these kinds of applications, which were developed to provide managers with information about finance, sales, inventories, and other data that would help in managing the enterprise. Today, the term is used broadly in a number of contexts and includes (but is not limited to): decision support systems, resource and people management applications, Enterprise Resource Planning (ERP), Supply Chain Management (SCM) and Customer Relationship Management (CRM) etc.

Management Information systems are information systems, typically computer based, that are used within an organization. An MIS involves information technology and is comprised of all the components that collect, process, and disseminate information/data. It includes software, hardware, people, communication channels and data resources for inputting data, processing data, storage of data and information and the production of outputs.

A management information system is mainly concerned with internal sources of information. It takes data from transaction processing systems and summarizes it into a series of management reports to be used by managers and business professionals for decision making. The availability of large volumes of information on electronic media at various locations and on diverse platforms is made possible by information system technologies like data warehousing and data mining. Both data warehousing and data mining play a vital role in the decision process of MIS.

All transactions captured at the branch level would get consolidated at a central location. Such a central location could be called the Data Warehouse of the concerned bank. For banks with a large number of branches, it may not be desirable to consolidate the transaction data in one place only. It can be decentralized by locating the services on a regional basis. By way of data mining techniques, data available at various computer systems can be accessed and, by a combination of techniques like classification, clustering, segmentation, association rules, sequencing and decision trees, various reports such as the Statement of Structural Liquidity, Statement of Interest Rate Sensitivity etc. or accounting reports like the Balance Sheet and Profit & Loss Account can be generated instantaneously for any desired period or date.

One of the core objectives of the banking sector these days is to provide the most satisfying service to its clients. To accomplish this objective banks are going for the development and implementation of MIS.

Liability Management Systems

In banking, asset and liability management is the practice of managing risks that arise due to mismatches between the assets and liabilities (debts and assets) of the bank.

Banks face several risks such as the liquidity risk, interest rate risk,
credit risk and operational risk. Asset Liability management (ALM) is a
strategic management tool to manage interest rate risk and liquidity
risk faced by banks, other financial services companies and
corporations.

These days banks are effectively using ALM systems for keeping track
of the assets vs liability situation. ALM is also a type of management
information system (MIS) that takes the input from other information
systems like the transaction processing systems. The use of ALM
systems enables banks to generate relevant reports timely, accurately
and consistently. Compliance with Government regulations as well as
auditing requirements is also made convenient because the data and
records are accurate and provide a permanent historical map of
transactions that can be verified.

An ALM system helps banks evaluate "what if" scenarios. By modifying the data and variables, management can foresee the effects of various scenarios on the financial statements and the asset-liability relationship. The ALM system thus serves as a decision making tool, helping in choosing appropriate financial goals.
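As an added example of the "what if" analysis described here (not taken from the book or from any ALM vendor's software), the following Python builds an interest rate sensitivity statement, the kind of repricing gap report named in the MIS section above, from a constructed balance sheet and then estimates the change in net interest income under parallel rate shocks. Bucket names, balances and the 12-month horizon are sample assumptions; the repricing model is the standard simplification in which a balance earns or costs the new rate only for the part of the horizon that remains after it reprices.

```python
from dataclasses import dataclass


@dataclass
class Bucket:
    """Rate-sensitive balances that reprice within one maturity bucket."""
    name: str
    months_to_reprice: float   # midpoint of the bucket, in months
    assets: float              # rate-sensitive assets repricing here
    liabilities: float         # rate-sensitive liabilities repricing here


# Constructed sample balance sheet in millions (not a real bank's figures).
SAMPLE_BUCKETS = [
    Bucket("0-1 months", 0.5, 300.0, 500.0),
    Bucket("1-3 months", 2.0, 200.0, 250.0),
    Bucket("3-6 months", 4.5, 250.0, 150.0),
    Bucket("6-12 months", 9.0, 150.0, 100.0),
]


def gap_report(buckets):
    """Interest rate sensitivity statement: (bucket, gap, cumulative gap) per row."""
    rows, cumulative = [], 0.0
    for b in buckets:
        gap = b.assets - b.liabilities
        cumulative += gap
        rows.append((b.name, gap, cumulative))
    return rows


def nii_change(buckets, shock_bp, horizon_months=12):
    """Change in net interest income over the horizon for a parallel rate shock.

    Each bucket's gap is weighted by the fraction of the horizon left after
    its balances reprice; buckets repricing beyond the horizon contribute
    nothing to this year's earnings.
    """
    rate_change = shock_bp / 10_000
    total = 0.0
    for b in buckets:
        if b.months_to_reprice >= horizon_months:
            continue
        time_weight = (horizon_months - b.months_to_reprice) / horizon_months
        total += (b.assets - b.liabilities) * rate_change * time_weight
    return total


def what_if(buckets, shocks=(-200, -100, 100, 200)):
    """Earnings-at-risk table: {shock in basis points: change in NII}."""
    return {s: nii_change(buckets, s) for s in shocks}


def sensitivity(buckets, horizon_months=12):
    """Direction of exposure implied by the cumulative gap inside the horizon."""
    cumulative = sum(
        b.assets - b.liabilities for b in buckets if b.months_to_reprice < horizon_months
    )
    if cumulative < 0:
        return "liability-sensitive"   # rising rates reduce net interest income
    if cumulative > 0:
        return "asset-sensitive"       # rising rates increase net interest income
    return "matched"


if __name__ == "__main__":
    for name, gap, cum in gap_report(SAMPLE_BUCKETS):
        print(f"{name:<12} gap {gap:8.1f}  cumulative {cum:8.1f}")
    print(sensitivity(SAMPLE_BUCKETS))
    for shock, delta in what_if(SAMPLE_BUCKETS).items():
        print(f"{shock:+5d} bp -> NII change {delta:+.3f}")
```

With the sample figures the cumulative 12-month gap is negative, so the bank is liability-sensitive: a 100 basis point rise costs about 1.58 million of net interest income over the year and a 100 basis point fall gains the same amount. Changing a single bucket's balances and re-running is exactly the "modifying the data and variables" the paragraph describes.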

CRM in banking

Customer relationship management is a broad approach for creating, maintaining and expanding customer relationships. CRM is the business strategy that aims to understand, anticipate, manage and personalize the needs of an organization's current and potential customers. At the heart of a perfect strategy is the creation of mutual value for all parties involved in the business process. It is about creating a sustainable competitive advantage by being the best at understanding, communicating with, delivering to and developing existing customer relationships, in addition to creating and keeping new customers. So the concept of the product life cycle is giving way to the concept of the customer life cycle, focusing on the development of products and services that anticipate the future needs of existing customers and creating additional services that extend existing customer relationships beyond transactions.

In the banking sector, customer relationship management is defined as
having and acting upon deeper knowledge about the customer, such as
how to find the customer, get to know the customer, keep in touch with
the customer, ensure that the customer gets what he wishes from the
service provider and understand when customers are not satisfied and
might leave the service provider (the bank). Huge growth of customer
relationship management is predicted in the banking sector in coming
years. Banks are aiming to increase customer profitability with effective
customer retention. It is a sound business strategy to identify the bank's
profitable customers and prospects, and devote time and attention to
expanding account relationships with those customers through
individualized marketing, pricing and discretionary decision making.

CRM in the banking industry is much different from other sectors, because
the banking industry is purely related to financial services, which
needs to create trust among the people. Establishing customer
care support during on and off official hours, giving timely
information about interest payments and maturity of time deposits, issuing
credit and debit cards, creating awareness regarding online
and e-banking etc. are required to keep a regular relationship with
customers.

A typical customer relationship management system enables the
customer and the company to be in contact for the resolution of any
matter or to handle a complaint irrespective of geographical location or
the channel, e.g. phone, fax, email, or the web. The integration enables
every customer representative at all locations to have a unified view of
the customer. This one view of the customer helps the company to serve
better and results in greater levels of customer satisfaction as the
service quality is guaranteed irrespective of the customer's touch point.
The one-view concept and touch-point independence also create a complete
trail of each customer that is helpful in providing better service.

All crucial details and parameters about every contact instance are
captured and stored in a centralized database (data warehouse) for
efficient retrieval in future. Various technology-based features improve
efficiency and ensure accuracy of information. Depending on the
situation, the case is automatically routed for investigation, response and
reporting as necessary. Relevant notifications may also be sent to pertinent
departments, personnel and the customer.

Sophisticated analytical tools may perform analysis on the data in the
CRM databases for identifying trends that may be useful for improving
systems, processes and company products.

CRMs also help to cross-sell, i.e. bank customers already availing
banking services may be offered and convinced to register for new
services. For example, a customer maintaining a savings account may
opt for a credit card or a house loan. The CRM data warehouse is mined
for identification of potential candidates willing to take additional
services according to their banking history and demographic
characteristics.

During the decade there has been a shift from bank centric to
customer centric activities. The private sector banks deploy
strategies to attract new customers and to retain existing customers.
CRM in the banking sector is still in an evolutionary stage. The use of CRM
in banking has gained importance with the aggressive strategies for
customer acquisition and retention being employed by the banks in
today's competitive milieu. This has resulted in the adoption of
various CRM initiatives by the banks.

To recapitulate, customer relationship management is concerned with
attracting, maintaining and enhancing customer relationships in multi
service organizations (banks and others). CRM goes beyond the
transactional exchange and enables the marketer to estimate the
customer's sentiments and buying intentions so that the customer
can be provided with products and services before he starts
demanding or even expecting them. Customers are the backbone of
any kind of business activity, and maintaining relationships with them
yields profitable results.

Enterprise Resource Planning

ERP is one of the most widely implemented business software systems in
a wide variety of industries and organizations. ERP is the acronym of
Enterprise Resource Planning. ERP is not only software: it refers to both the ERP
software and the business strategies that implement ERP systems.

ERP implementation utilizes various ERP software applications to
improve the performance of organizations in terms of:

1) resource planning
2) management control and
3) operational control.

ERP software consists of multiple software modules that integrate
activities across functional departments - from production planning (if
applicable), purchasing, human resource management, finance,
customer relations etc. Enterprise Resource Planning systems attempt
to integrate all data and processes of an organization into a single
unified system. A typical ERP system will use multiple components of
computer software and hardware to achieve the integration. A key
ingredient of ERP systems is the use of a single, unified database to
store data for the various system modules.

Enterprise Resource Planning is the evolution of Manufacturing
Requirements Planning (MRP) in the 1980s, which was mainly related to
the manufacturing industry and was designed to control the manufacturing
process and plan the required production with efficient output.
MRP in turn is the evolution of Inventory Management & Control
conceived in the 1960s, which was mainly designed for management of
stocks in any particular industry. Since then ERP has expanded from
coordination of manufacturing processes to the integration of
enterprise-wide functions.

The term ERP originally implied systems designed to plan the
utilization of enterprise-wide resources. Although the acronym ERP
originated in the manufacturing environment, today's use of the term
ERP systems has a much broader scope. ERP systems typically attempt
to cover all basic functions of an organization, regardless of the
organization's business or charter. Businesses, non-profit organizations,
nongovernmental organizations, governments, and other large entities
utilize ERP systems.

ERP software attempts to integrate business processes across departments into
a single enterprise-wide information system. The major benefits of ERP are
improved coordination across functional departments and increased efficiencies
of doing business. The implementations of ERP systems help to facilitate
day-to-day management as well as decision making for the achievement of
long-term objectives.

Today there are also web-based ERP systems. Companies prefer to deploy
web-based ERPs because they require no client side installation and are
cross-platform and maintained centrally. As long as there is an Internet
connection available, or a network connection to a system installed on the
LAN, web-based ERPs can be accessed through ordinary web browsers. This also
makes the ERP's availability independent of time and distance limitations.

ERP implementations are not without difficulties and challenges. Customization
of the ERPs is limited. Some customization may require changing the ERP
software structure, which is usually not allowed or possible. Consequently, most
ERP implementations require some kind of re-engineering of business processes
to fit the industry standards prescribed by the ERP system. This may lead to
change management problems and employee resistance to ERP adoption.

ERP systems are very expensive to install. In addition to the upfront cost of the
software, extra expenses are required for purchasing the necessary equipment and
development of the supporting technical infrastructure, consultancy, trainings
etc.

A basic property of the ERP systems is the integration of all organizational
functions. This is a huge advantage on one hand and a disadvantage on the
other. This aspect tightly couples various functions. In this situation the system
can suffer from the 'weakest link' problem as inefficiency in one department or
function may affect other functions. Another possible concern is the high impact
of failure as now there is one single point of crash (the central database).

VeriSys

NADRA has introduced an easy-to-use access tool for verification of
citizens in the country named Verisys. To verify issued CNICs and
avoid any fraudulent activities NADRA launched Verisys, which is an
authentication process to provide online verification of Pakistani citizens
to the government, private and corporate sectors for bringing in
transparency, validation, and elimination of fraud & forgery. This is a
web-based real-time activity displaying the front and rear image of the CNIC
with added hidden information for verification. Using NADRA's strong
network infrastructure, a reliable and efficient mode of connectivity is
provided to clients even in the remotest areas of Pakistan.

The initial users of this service were government organizations, law
enforcement agencies and large corporations. Later the National Database
and Registration Authority (NADRA) extended its "Online Verification
System" (Verisys) to individuals by installing VERISYS on the NADRA
Kiosks, to facilitate the public in verification for their business needs.

Now by utilizing VERISYS, KIOSKs can also help in providing identity
verification service to the general public, reducing the possibilities of ID
card related frauds. This system enables a CNIC holder to verify the
authenticity of computerized ID cards in matters associated with activities
such as employing a servant, carrying out sale/purchase of vehicles,
property, etc.

With the introduction of VERISYS at KIOSKS citizens are now able to
benefit from an automated authentic database before hiring employees,
renting properties or doing any other type of business.

The NADRA VERISYS facility is also available through SMS for the verification of
the particulars of any identity card holder. Through mobile SMS citizens
can directly authenticate the essentials of any person with whom they are doing
business by simply SMSing the CNIC number (which is to be verified) to
the special number 7000, and in response, NADRA provides the details
associated with that CNIC (in Urdu fonts).

Example: write 3740149922830 and send to 7000

Charges: Rs.10 plus tax per message (around Rs.12 including taxes)

The process of verification is done in real time communication with
NADRA's National Data Warehouse. It is a great step towards helping
eliminate possible threats of identity theft and terrorism.

At the moment this service is available for Mobilink, Telenor and Warid
customers while Ufone and Zong are in process to get listed.

One may think that this is a privacy loophole; however, it does not
provide any contact details of the CNIC holder (address or phone number)
and only reveals the name and father's name, so it is acceptable and helpful
in many ways.

Verisys and Banks

The growing security concerns, especially in the financial sector, are
demanding a nationwide network of foolproof authentication systems to
segregate genuine citizens' records from fakes and frauds. Keeping in view this
scenario, NADRA established Verisys (and Biosys) to ensure safe and transparent
commercial activities.

Financial institutions like banks, leasing companies and insurance agencies etc.
that have to validate their customers' status had been using the traditional
method of keeping a photocopy of the customer's NIC. But with the introduction
of VERISYS, such organizations can easily establish customers' identities in
a hassle free manner.

More than 80 organizations, particularly financial institutions, acquired
NADRA's VERISYS/BIOSYS systems to authenticate their customers through the
national database. So far more than 2.2 million verifications of records have
been made using this system. Through these systems the banks are able to
authenticate the account holders or applicants for loans etc.

The technology which was earlier available in the developed countries only is now
also available in Pakistan and is helping to eliminate ambiguity about the
borrowers, as the verification system is automatically updated and accessible to
all banks. This locally developed verification system provides a unique solution
to cater to a wide range of users and administration to improve current
disbursement, thus eliminating chances of fraud. NADRA's newly developed identity
verification service, VERISYS, would allow all citizens to positively establish
their identities in a fast and cost effective manner.

This service will also be helpful to law-enforcement agencies, as they will be
able to get more details as compared to the public because of another
special number for them. They can get CNIC information by sending the CNIC
number to 7001.

Subscribers will get details through cellular companies which collect data in
real time communication from the NADRA National Data Warehouse. This is a
secure data transfer as the service numbers are registered as "Special Numbers".

Credit Assessment Systems

Risk is inherent in all aspects of commercial operations. However, for banks
and financial institutions, credit risk is an essential factor that needs to be
managed. Credit risk is the possibility that a borrower will fail to meet its
obligations in accordance with agreed terms. Credit risk, therefore, arises from
the bank's dealings with or lending to corporates, individuals, and other banks
or financial institutions.

Credit assessment systems help banks and lending organizations to avoid
credit loss and at the same time maximize business opportunities by
enabling them to make calculated, objective, and swift risk decisions. As any
credit manager in the banking industry knows, controlling risk is a delicate
business. Too much credit exposure can lead to high default rates and
charge-off percentages; too little exposure often means lost business and
revenue. A credit assessment system helps banks manage this balancing act
and provides fast, accurate credit scoring for various consumer-lending
products.

There is a wide range of strategies for measuring the credit worthiness of new
and existing customers in the banking industry, but many of them have
serious limitations. Outsourced strategies can lead to long development cycles
or high annual expenditures. Makeshift in-house scoring strategies often lack
the ability to access necessary data for accurate scoring, leaving credit
managers with no effective way to identify how much potential income or
loss rides on their decisions.

Credit assessment is an independent statistical evaluation of an individual's or
organization's ability to repay debt based on the borrowing and repayment
history. If one has always paid bills and loan installments on time, he is more
likely to have a good credit rating and therefore may receive favorable terms
on a loan or credit card, such as relatively low finance charges. However, if the
credit assessment is negative or poor because of defaulted payments, the
individual or organization may be offered less favorable terms or may be
denied credit altogether.

A corporation's credit rating is an assessment of whether it will be able to
meet its obligations to bond holders and other investors. Credit rating
systems for corporations generally range from AAA or Aaa at the high end to
D (for default) at the low end.

In recent times such decision making has become very complex due to the
involvement of hundreds of variables and huge volumes of data. The solution
is the use of credit assessment systems. Credit assessment systems are
automated computer-based systems that help lending organizations make
decisions on whether to approve or disapprove credit applications from credit
seekers. Credit assessment systems employ large databases and highly
powerful and statistically strong software to analyze the data to determine the
credit worthiness of potential borrowers.

Many off-the-shelf credit scoring systems are available to banks and financial
institutions. Many of these systems have reasonable customization provisions.
A good scoring system provides for risk reduction and makes the bank's offer
more attractive in an exceptionally demanding market of banking products.
Moreover, the scoring systems enable faster response to the market needs
and allow building a competitive advantage.

In general such scoring systems consist of the following
components/modules (which may have different names in different actual
products):

■ APS (application processing system) - in charge of the information flow
within the system and the logic of credit application processing from the
time of conversation with a client, through application collection,
application verification, processing and evaluation, decision making and
finally to agreement signing and funds disbursement.

■ MSP (models, strategies and procedures) - a set of definition tools
allowing the building of models of system structures.

■ Scoring Engine - generates an automated credit recommendation for the
application, based on the evaluation and decision-making strategy
adopted in the MSP definition module.

■ CBS (Customer Behavioral Scoring) - provides a behavioral scoring
functionality.

A possible application processing flow which reflects the actual route it
follows at the banks:

1. Credit Simulator enables preliminary product selection and estimation
of client financial capacity, based on the elementary data, without having
to register the complete credit application (determination of unofficial
preliminary worthiness);

2. Credit application is entered into the system using defined screen forms
or imported in electronic form from available distribution channels
(email, web etc.);

3. The client's data listed in the application is completed by information
collected from the bank's internal resources and external systems (e.g.
Credit Bureau);

4. The application is scored based on the scoring cards and strategy. An
automated credit recommendation is determined;

5. When the application is accepted, a credit agreement is generated and
the information is automatically forwarded to target systems (e.g. funds
disbursement, credit card preparation etc.).


While all components are important as each performs a valuable
function, two components are worth mentioning:

Behavioral Scoring

The CBS (Customer Behavioral Scoring) component provides a behavioral
scoring functionality: it imports data, carries out verification, defines
aggregates based on the data from any number of accounts of a
given type and communicates with the scoring engine. The behavioral
scoring results are available for the purposes of the credit application
scoring carried out by the APS component.

Integration with environment

The system is equipped with a set of standard interfaces providing
data exchange with the scoring engine, Credit Bureau database,
stolen identification cards database and unreliable clients databases.
Integration with other dedicated data sources is also possible, e.g. FIA
and other law enforcing agencies and NADRA etc.
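The five-step processing flow above together with the CBS component, as an added Python example (not code from the text or from any scoring product): a constructed scorecard and cutoffs stand in for the MSP definitions, the Credit Bureau, the stolen-ID list and the bank's account history are in-memory dictionaries, and applicant ids are placeholders rather than real CNICs.

```python
from dataclasses import dataclass, field

# MSP module: constructed scorecard and strategy (hypothetical values). Each
# characteristic lists (upper_bound, points) bins; the first bin covering the value applies.
SCORECARD = {
    "age":               [(25, 10), (35, 20), (50, 30), (999, 25)],
    "installment_ratio": [(0.2, 40), (0.4, 25), (0.6, 10), (9.9, 0)],   # installment / income
    "months_employed":   [(6, 5), (24, 15), (60, 25), (9999, 30)],
    "bureau_enquiries":  [(0, 20), (2, 12), (5, 5), (99, 0)],
    "behavioral":        [(40, 0), (60, 10), (80, 20), (100, 30)],       # CBS result
}
ACCEPT_CUTOFF = 120   # strategy: total points >= this -> ACCEPT
DECLINE_CUTOFF = 80   # total points < this -> DECLINE; in between -> REFER to an officer

@dataclass
class Application:
    applicant_id: str     # placeholder id, not a real CNIC
    age: int
    monthly_income: float
    months_employed: int
    amount: float
    tenor_months: int
    annual_rate: float
    bureau: dict = field(default_factory=dict)  # filled in step 3
    behavioral_score: float = 50.0              # filled in step 3 (neutral default)
    score: int = 0
    recommendation: str = ""

def monthly_installment(amount, tenor_months, annual_rate):
    """Annuity installment for a loan of `amount` over `tenor_months`."""
    r = annual_rate / 12
    return amount * r / (1 - (1 + r) ** -tenor_months)

def bin_points(characteristic, value):
    """Scorecard lookup: points of the first bin whose upper bound covers the value."""
    for upper, points in SCORECARD[characteristic]:
        if value <= upper:
            return points
    return 0

def behavioral_score(accounts):
    """CBS: aggregate any number of accounts of one type into a 0-100 score."""
    if not accounts:
        return 50.0  # no history with the bank: neutral
    months = sum(a["months_open"] for a in accounts)
    overdrawn = sum(a["months_overdrawn"] for a in accounts)
    avg_balance = sum(a["avg_balance"] for a in accounts) / len(accounts)
    score = 100.0 * (1 - overdrawn / max(months, 1)) - (20 if avg_balance < 10_000 else 0)
    return max(0.0, min(100.0, score))

def enrich(app, bureau_db, stolen_ids, accounts_db):
    """Step 3: complete the application from the Credit Bureau, the stolen-ID
    list and the bank's own account history (through CBS)."""
    app.bureau = dict(bureau_db.get(app.applicant_id, {"enquiries": 0, "defaults": 0}))
    app.bureau["stolen_id"] = app.applicant_id in stolen_ids
    app.behavioral_score = behavioral_score(accounts_db.get(app.applicant_id, []))
    return app

def score_application(app):
    """Step 4: knock-out rules first, then scorecard points, then strategy cutoffs."""
    if app.bureau.get("stolen_id") or app.bureau.get("defaults", 0) > 0:
        app.score, app.recommendation = 0, "DECLINE"
        return app
    inst = monthly_installment(app.amount, app.tenor_months, app.annual_rate)
    app.score = (bin_points("age", app.age)
                 + bin_points("installment_ratio", inst / app.monthly_income)
                 + bin_points("months_employed", app.months_employed)
                 + bin_points("bureau_enquiries", app.bureau.get("enquiries", 0))
                 + bin_points("behavioral", app.behavioral_score))
    if app.score >= ACCEPT_CUTOFF:
        app.recommendation = "ACCEPT"
    elif app.score < DECLINE_CUTOFF:
        app.recommendation = "DECLINE"
    else:
        app.recommendation = "REFER"   # manual decision by a credit officer
    return app

def disburse(app):
    """Step 5: on acceptance, the agreement record forwarded to target systems."""
    if app.recommendation != "ACCEPT":
        return None
    inst = monthly_installment(app.amount, app.tenor_months, app.annual_rate)
    return {"applicant_id": app.applicant_id, "amount": app.amount, "installment": round(inst, 2),
            "forward_to": ["funds_disbursement", "card_preparation"]}

def run_sample():
    """Constructed data: a clean applicant, a bureau defaulter and a stolen ID."""
    bureau_db = {"APP-001": {"enquiries": 1, "defaults": 0},
                 "APP-002": {"enquiries": 3, "defaults": 1}}
    stolen_ids = {"APP-003"}
    accounts_db = {"APP-001": [{"months_open": 36, "months_overdrawn": 0, "avg_balance": 45_000}]}
    apps = [Application("APP-001", 40, 150_000, 48, 1_000_000, 36, 0.18),
            Application("APP-002", 29, 80_000, 12, 500_000, 24, 0.18),
            Application("APP-003", 35, 120_000, 30, 300_000, 12, 0.18)]
    results = {}
    for app in apps:
        score_application(enrich(app, bureau_db, stolen_ids, accounts_db))
        results[app.applicant_id] = (app.score, app.recommendation, disburse(app))
    return results
```

The knock-out rules run before any points are added, so a bureau default or a stolen-ID hit never reaches the scorecard, which is the ordering the "integration with environment" interfaces exist to support.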

eCIB

The role of the Credit Information Bureau is integral to credit risk
management and the promotion of a sound credit culture in the financial
system. The existence of a well functioning credit bureau promotes
prudence and professionalism among financial institutions, adoption
of best business practices and making informed and responsible
lending decisions in a timely manner.

In Pakistan the Credit Information Bureau (CIB) was established at the State
Bank of Pakistan (SBP). Functions and activities of CIB are being governed under
Section 25(1) of the Banking Companies Ordinance-1962. Ever since its inception,
the CIB has been playing a pivotal role in gathering, organizing and disseminating
critical information relating to the credit-worthiness of borrowers to assist
financial institutions in their lending decisions and averting the occurrence of
default.

Financial institutions started submitting their borrowers' data of Rs. 1 million
& above on a quarterly basis. Subsequently the frequency of submission was
shifted from quarterly to monthly. In April 2003, SBP enhanced the
coverage and effectiveness of CIB by introducing online facilities. CIB was
the first bureau of the region introducing an online facility to its member
financial institutions. This development enabled financial institutions to
upload their data directly into the eCIB system and also generate online CIB
reports.

With the growing complexities and emerging challenges on the financial
landscape, the role of CIB has become even more critical. The CIB
has responded positively to new challenges. From the earlier manually
operated data system, the CIB at SBP has evolved into a sophisticated
and hi-tech entity using state-of-the-art technology to perform its crucial
functions more efficiently. The strengthened and improved operational
efficiency has enabled the CIB to significantly expand the scope of reporting
by doing away with the minimum limit of Rs. 500,000. The purpose is to capture
the diverse categories of borrowers in view of the growing exposure of banks to
consumers, agriculture and SMEs.

The revamped eCIB has been operational since 2003. The existing eCIB has been
designed in line with the best international credit sharing practices around the
world. The eCIB database has now been capturing 4 million borrowers' records of
about 100 member financial institutions.

The key improvements of the new system also include:

■ Separation of Consumer and Corporate reports as well as formats.

■ Provisions for consumer credit and default history.

■ Improved efficiency in terms of speed, reliability and security of data in
order to reduce the processing cost/time of FIs.

■ The new CIB system has been built on the latest state of technology
which includes high capacity servers, security, broader bandwidth,
point to point data encryption, web capturing software having the ability
to capture data at the required level etc.

■ Provisions for online amendments and updates for the FIs.

■ Incorporation of a large number of validation rules in the data capturing
application to ensure integrity and accuracy of the submitted data.

■ Automated support and help for the FI users.

The improved capacity and scope of the CIB is expected to deliver the
following benefits:

The eCIB database has greatly expanded outreach to a large number of
borrowers who until now remained untapped because of the limit of Rs.
500,000/- for reporting purposes. This has important implications with regard
to credit expansion to low-value borrowers of the SME, agriculture and consumer
finance sectors. The financial institutions' access to the credit profiles of
these borrowers will not only encourage them to grant loans more willingly to
worthy borrowers but also help assess their overall credit risk exposure.
This, in turn, will serve to reduce the system's vulnerability to financial
instability.

The new-look CIB has made it possible for banks to meet the credit needs of
the emerging sectors on a sustainable basis by applying prudent and objective
analysis of borrowers' credit profiles. This will also be helpful to those
borrowers who could not access bank lending because of lack of adequate
collateral. The strengthened CIB also helps in further boosting the
supervisory capacities with greater access to more reliable and detailed
information. All in all, the reinvigorated CIB is expected to benefit all the
stakeholders, viz. financial institutions, borrowers and regulators, towards the
ultimate goal of a sound financial system.

Fraud/Risk Monitoring

The evolving fraud landscape around banking and the increase in
fraud-related losses necessitate automated detection systems and
robust fraud defense processes. Banking-related frauds have
increased tremendously during the last decade and a half, especially
after the widespread use of technology and technology-based
channels of service delivery. Naturally, fraud events raise questions
around the credibility of the fraud deterrent processes and the
technological capabilities of the organization.

With acquisitions and expansions spurring the growth in size and
customer base, banks are witnessing a substantial rise in the number
and complexity of fraud scenarios. As such, there is a stringent need
for strong monitoring. Also there is an increasing need to identify
early warning signals to capture frauds close to their occurrence.

As financial services organizations face an ever increasing range of
challenges within the financial crime arena, there is a growing focus
on utilizing risk management systems and making greater use of
intelligence in response. Most financial institutions have started to
implement fraud monitoring systems at an enterprise level. These
monitoring and screening systems are scalable and can be calibrated
with new anti-fraud mechanisms as new frauds emerge with the
passage of time. Traditionally, systems have been designed to address
specific fraud risks, products or delivery channels, e.g. credit card
transaction monitoring. Now the need to connect these silos has
become more apparent; consequently, a more strategic approach is
needed. Implementing systems which operate across the business and
provide greater flexibility to integrate new data sources and detection
models in response to new threats is a worthwhile objective.

In this context, the country- or region-wise regulators have also
directed financial institutions under their control to continuously
monitor transactions and establish an integrated fraud risk
management framework.

Buying an off-the-shelf system may not equip the bank with the most
effective technical paraphernalia or strategic methods to deal with
frauds. Selecting the right framework and a seamless integration of
bank systems with the fraud monitoring system is integral to
safeguarding business and customer interests. Only a centralized
framework (and not a standalone module) can address fraud risks
associated with various business units and products and provide
insights to stakeholders to take preventive action at the right time.
This also eliminates uncertainty around losses due to fraud and helps
the management have a more focused strategy to address fraud-related
risks.

An enterprise-wide fraud monitoring system and its components:

■ Both offsite and real-time monitoring of frauds based on learning insights from
historical fraud instances and the current industry landscape

■ Centralized system for fraud monitoring and management of alerts across different
systems and data sources

■ Intelligent system along with case management designed to suit the needs of the
bank, and thus prioritize alerts and areas of greater risk

■ Management oversight through real-time dashboard/MIS to track operational
efficiency and monitor fraud investigation findings

■ Optimum use of the past and current transaction data and fraud database to make
continuous improvements in the dynamic market sphere

State Bank of Pakistan has from time to time issued guidelines and
prudential regulations in various areas e.g. Agriculture Financing,
Corporate / Commercial Banking, SMEs Financing, Consumer
Financing, Micro Finance Banking, Branchless Banking, Payment
Systems and Electronic Fund Transfer etc. In all situations clauses and
rules are defined to avert the possibility of fraud and to safeguard the
interests of all concerned parties, especially the client.

Real Time Gross Settlement System (RTGS)

Real Time Gross Settlement Systems (RTGS) are mechanisms that
enable banks to make large-value payments to one another in real-
time using online telecommunication facilities as well as state-of-the-
art computer systems. The payments are settled on gross basis in real
time thus minimizing the systemic risks that are inherent in large-
value net settlement systems.

The Legacy Settlement System in Pakistan for Large Value Payments

In Pakistan banks are required to hold current accounts with the State
Bank of Pakistan (SBP) which are primarily used to settle large value
inter-bank fund transfers between banks and to meet certain
statutory requirements. Every bank/financial institution that has an
account with SBP is issued with a paper cheque book which is used
to withdraw/transfer funds from its account. The paper cheques were
presented physically at SBP counters daily by banks' treasuries to
settle their payment obligations against other banks. These cheques
were then posted into SBP's banking system to debit the remitting
bank and credit the beneficiary bank usually by the end of day. Thus
the nature of settlements taking place at SBP in the legacy system
might be classified as end of day gross settlement system assuming
significant systemic importance due to the large value of payments
handled and the dependence of other payment systems in the
country on its smooth functioning. This system was prone to various
types of risks affecting the overall efficiency of the banking system
(like systemic risk, settlement risk, liquidity risk).

To overcome the risks of a net settlement system, the concept of
Real Time Gross Settlement Systems (RTGS) started gaining
acceptance all over the world, especially in the late 1990s. These systems
offered better payment mechanisms for large value
payments because of their ability to allow market participants to
monitor their positions and settle their payments in real time. They
allowed the monetary authorities to ensure that the systemic risks
inherent in any netting based payment system are effectively
minimized, if not eliminated. And above all they allowed banks'
customers full and immediate utilization of their liquidity by enabling
them to transfer their large payments across banks immediately.

RTGS in Pakistan

Keeping in view the global trend in payment systems development and
the growing payments market in the country, SBP took the decision to
implement the RTGS primarily with assistance from the World Bank.

The implementation process of the project was started in 2005
and finalized in 2008 when the RTGS System was inaugurated
on 1st July 2008, the day when the central bank (SBP) celebrated its
60th birthday.

From 2nd July 2008, 39 direct member institutions started making
their large value inter-bank payments via the new system.

The following types of transactions take place in RTGS:

■ Inter-Bank Funds Transfers.

■ 3rd Party Funds Transfers (as and when allowed by SBP).

■ Delivery vs. Payment (DvP), Delivery vs. Free (DvF) and Intra Day
Liquidity (ILF) transactions.

■ Own Account Transfer Transactions (as and when allowed by SBP).

■ Multilateral Net Settlement Batches (MNSB) Transactions from NIFT.

The RTGS in Pakistan has been named as Pakistan Real-time


Interbank Settlement Mechanism (PRISM). Using this system, the
banks holding accounts at SBP are able to operate their accounts in
real time from their own premises via computerized network between
SBP and the participating banks. With RTGS, banks are able to settle
with finality their large value transactions affecting their accounts at
SBP (e.g. inter-bank lending/borrowing) immediately, provided
sufficient balance is available in their account. At times, banks may
face temporary shortage of funds in their accounts during the day.
This shortage would be catered for in RTGS through the availability of
intraday repos (a form of collateralized lending). Alternatively, the
transaction can also be queued in the system until the required
liquidity becomes available.
Some broad features of PRISM are:

■ More than forty (40) commercial banks and DFIs are the initial
direct participant members of PRISM. Some other account holders
with SBP are the indirect members of the RTGS system.

■ The participant banks have the facility of online monitoring of their
interbank payments via one settlement account and their fate
(like settled, queued, or rejected). They would also be able to
change their payment priority (if a transaction is queued), giving
them more control over their funds.

■ SBP departments have the ability to monitor the inter-bank
transactions and take immediate action as and when required.

■ Intraday Liquidity Facility (ILF) would be offered to banks
collateralized against Government Securities so that the payments
may be cleared immediately.

■ The system also has queue management features and mechanisms
for gridlock resolution.

■ The system also holds government securities portfolios and
enables securities trade matching for Delivery vs. Payment and
intra-day liquidity management.

■ The IT security component of the system provides PKI infrastructure,
transactional and link encryption for data security.

■ "Centralized Multilateral Netting" of retail clearing was a mandatory
pre-launch requirement for smooth functioning of the PRISM
System. Previously the country-wide retail clearing operations were
settled in the sixteen field offices of SBP across the country. Now
with the help of NIFT (an institution responsible for the clearing
operations of retail cheques), SBP has started country-wide
multilateral netting and centralized settlement of cheque clearing.
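To make the settlement-with-finality, queueing, priority change, ILF and gridlock-resolution mechanisms described above concrete, here is a small settlement simulator added as an example. It is not PRISM's or SBP's code; the bank names, balances, collateral values, amounts and the lower-number-first priority convention are all constructed assumptions.

```python
"""Toy RTGS settlement engine (constructed example, not PRISM's own code).

A payment settles with finality on a gross basis when the sender's
settlement account covers it; otherwise it is queued.  A bank may then
change the queued payment's priority or draw intraday liquidity (ILF)
against free collateral, and the system may resolve a gridlock by
settling the queued batch simultaneously.  All names and figures are made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from itertools import count


@dataclass
class Payment:
    seq: int
    sender: str
    receiver: str
    amount: int
    priority: int = 5      # lower number settles first (assumed convention)
    status: str = "queued"


class RTGS:
    def __init__(self, balances, collateral=None):
        self.balances = dict(balances)            # settlement accounts at SBP
        self.collateral = dict(collateral or {})  # free govt securities, per bank
        self.ilf_drawn = defaultdict(int)         # ILF outstanding, per bank
        self.queue = []                           # unsettled payments
        self.settled = []                         # settled payments, in order
        self._seq = count(1)

    def _book(self, p):
        """Final, irrevocable transfer between the two settlement accounts."""
        self.balances[p.sender] -= p.amount
        self.balances[p.receiver] += p.amount
        p.status = "settled"
        self.settled.append(p)

    def submit(self, sender, receiver, amount, priority=5):
        p = Payment(next(self._seq), sender, receiver, amount, priority)
        if self.balances[sender] >= amount:
            self._book(p)
            self._drain_queue()   # the receiver may now cover its own queue
        else:
            self.queue.append(p)  # insufficient funds: queue, do not reject
        return p

    def _drain_queue(self):
        """Retry queued payments by priority, then arrival order, until none
        can be covered (a payment may bypass an earlier one it cannot fund)."""
        progress = True
        while progress:
            progress = False
            for p in sorted(self.queue, key=lambda q: (q.priority, q.seq)):
                if self.balances[p.sender] >= p.amount:
                    self.queue.remove(p)
                    self._book(p)
                    progress = True
                    break

    def reprioritise(self, seq, priority):
        """A bank moving its own queued payment up or down the queue."""
        for p in self.queue:
            if p.seq == seq:
                p.priority = priority
                self._drain_queue()
                return True
        return False

    def draw_ilf(self, bank, amount):
        """Intraday repo: liquidity is granted only against free collateral."""
        free = self.collateral.get(bank, 0) - self.ilf_drawn[bank]
        if amount > free:
            return False
        self.ilf_drawn[bank] += amount
        self.balances[bank] += amount
        self._drain_queue()
        return True

    def resolve_gridlock(self):
        """Multilateral gridlock resolution: if every bank's balance covers its
        net outflow over the whole queue, settle the queue as one batch even
        though no single payment can settle alone.  Returns the number of
        payments settled (all-or-nothing; real systems also search subsets)."""
        if not self.queue:
            return 0
        net = defaultdict(int)
        for p in self.queue:
            net[p.sender] += p.amount
            net[p.receiver] -= p.amount
        if any(self.balances[bank] < n for bank, n in net.items()):
            return 0
        batch, self.queue = self.queue, []
        for p in batch:
            self._book(p)
        return len(batch)
```

With three banks holding 100, 50 and 30 and a cycle of payments of 150, 60 and 40 between them, nothing settles individually and the gridlock check fails until the first bank draws 20 of ILF, after which the whole cycle settles in one batch.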

Treasury based market systems

Over the past years the global economy has experienced many
challenges. The financial markets are fraught with uncertainty and
caution. Several large financial institutions either collapsed or
experienced scarcity as credit tightened, were stressed by increased
liquidity risk, lost sleep over shrinking investments, and were exposed
to the effects of fluctuating currencies. All this sheds light on the
need for better controls, quicker access to information, and better
transparency. As this transformation has taken place, new corporate
needs continue to emerge. Companies need real-time access to information,
system integration, and consolidated global reporting capabilities with
the ability to create on-demand reports for senior management. Excel
spreadsheets have their place but are manual and risk prone.
Companies must open their eyes to the need for treasury solutions. In
short, to remain competitive companies need to ensure optimal use
of treasury technology such as a Treasury Management System
(TMS).

A Treasury Management System (also known as a Treasury
Workstation) is a term for a treasury-oriented system or software
package that specializes in the automation of manually intensive,
repetitive steps needed to manage cash flows. The system allows an
entity to efficiently communicate with other financial institutions in
order to manage cash, transactions, forecasts, FX, and even
investments and debt. The TMS can also seamlessly interface with the
general ledger and back-end databases, offering an instant financial
dashboard. All in all, through the proper implementation and use of a
TMS, corporations can efficiently respond to their financial needs.

Whether it is a canned software product or a modular "à la carte"
type system, Treasury Management Systems (TMS) typically can offer
a range of the following functions:

■ Global Cash Positioning

■ Investment Portfolio

■ Debt Portfolio

■ Future Funding Analysis

■ FX Transaction Portfolio



■ FX Translation Exposure Analysis

■ SOX Compliance

■ Funds Transfer

■ Accounts Reconciliation

■ Cash Forecasting

■ General Ledger Interface

■ Counterparty Risk Management


It is important to understand that TMSs are not a one-size-fits-all type
of system. Different organizations, depending on their structure, size
and product offerings, may need TMSs specific to their needs. A TMS
can be custom-built to work seamlessly with the corporate ERP and
back office systems. A good and effective TMS will have solid
technical evolution, ease of use and reporting, and be functionally
complete.

In terms of risk and cost, organizations can no longer afford manual
treasury processes. Yet these inefficiencies are still prevalent.
Companies must look beyond the objective of cost reduction and
focus on the benefits of managing the downside with a TMS. The
effort required in maintaining spreadsheets and the cost of errors and
omissions could easily outweigh the investment in technology.
Managing the downside of not having a TMS may be more than
enough justification to invest in one.

Summary
Over the years banks have extensively explored IT and have taken
advantage of its potential to the fullest. Now, banking operations
without information technology support are unimaginable. To
remain competitive banks must continuously innovate and invest in
information technology. Banking packages consist of different
modules, each related to and catering for a basic function of banking. A
bank may select a suitable package out of the available solutions
while keeping the following factors in mind: ease of use by end-users,
training requirements and cost, alignment with business goals and
objectives, budget constraints, etc. TEMENOS T24 is the most
technically advanced banking system available today. T24 achieves its
high scalability through an efficient and scalable architecture
based on multiple TEMENOS T24 servers. This means that as volumes
expand, further servers can easily be added, improving performance
and also improving availability. Desktop systems include word
processors, spreadsheet software and presentation programs. Banks
also use a variety of communication software and tools: electronic
mail, VoIP communication, video conferencing, instant messaging and
groupware. Banks also use transaction processing systems. A
transaction processing system is a type of information system. TPSs
collect, store, modify, and retrieve the transactions of an organization.



The prominent networks available in Pakistan for interbank operations
are Society for Worldwide Interbank Financial Telecommunication
(SWIFT), Real Time Gross Settlement System (RTGS), 1LINK and Mnet.
The Society for Worldwide Interbank Financial Telecommunication
(SWIFT) operates a worldwide financial messaging network which
exchanges messages between banks and other financial institutions.
Popular card processing systems include VISA'S VisaNET and
MasterCard's Worldwide Network. A complaints management system
or software solution is a comprehensive solution for managing
complaints from customers and channel partners. Management
Information systems are information systems, typically
computer based, that are used within an organization. It involves
information technology and is comprised of all the components that
collect, process, and disseminate information/data. Asset Liability
Management (ALM) is a strategic management tool to manage
interest rate risk and liquidity risk faced by banks, other financial
services companies and corporations. These days banks are effectively
using ALM systems for keeping track of the assets vs. liabilities
situation. In the banking sector, customer relationship management is
defined as having and acting upon deeper knowledge about the
customer, such as how to find the customer, get to know the
customer, keep in touch with the customer, ensure that the customer
gets what he wishes from the service provider and understand when they
are not satisfied and might leave the service provider (the bank). ERP
is one of the most widely implemented business software systems in
a wide variety of industries and organizations. ERP is the acronym of
Enterprise Resource Planning. ERP is not only software: ERP refers to
both ERP software and the business strategies that implement ERP
systems. NADRA has introduced an easy-to-use access tool for
verification of citizens in the country named Verisys. The NADRA
VERISYS facility is also available through SMS for the verification of
the particulars of any identity card holder. Credit assessment systems
help banks and lending organizations to avoid credit loss and at the
same time maximize business opportunities by enabling them to
make calculated, objective, and swift risk decisions. Many off-the-shelf
credit scoring systems are available to banks and financial institutions.
Many of these systems have reasonable customization provisions. Real
Time Gross Settlement Systems (RTGS) are mechanisms that enable
banks to make large-value payments to one another in real time
using online telecommunication facilities as well as state-of-the-art
computer systems. The payments are settled on a gross basis in real
time, thus minimizing the systemic risks that are inherent in large-
value net settlement systems. A Treasury Management System (also
known as a Treasury Workstation) is a term for a treasury-oriented
system or software package that specializes in the automation of
manually intensive, repetitive steps needed to manage cash flows.
Reference Links: This chapter is compiled using web resources.



Part 3: Introduction to the Internet

In this Part

The Origins of the Internet
Internet Uses
Information and Transaction Websites
Static and Dynamic Web Pages
Internet's Impact on Business
Internet's Impact on Specific Industries
Supply Chain Management and the Internet
Internet Tools
Electronic Commerce
Pure versus Partial EC
Electronic Commerce Types
E-Commerce Benefits
E-Commerce Disadvantages
Social Media
Social Media Risks and Challenges



Learning Outcome By the end of this chapter you should be able to:

■ Define and explain the Internet and list its functions

■ Discuss the evolution of the internet and its current-day use

■ Differentiate between information and transaction based websites

■ Differentiate between static and dynamic web pages

■ Explain how the internet has impacted today's business


■ Illustrate with an example how the internet has changed business
practices

■ Define and discuss search engines and list their key features

■ Define online tools and explain and illustrate how they can be used

■ Define and describe E-commerce and online trading

■ List the various social media tools available

■ Describe the opportunities that social media platforms provide


■ Describe the potential risks of using and not using social platforms
for marketing and public relations

The Origins of the Internet
The Internet was the result of some visionary thinking by people in the
early 1960s who saw great potential value in allowing
computers to connect and share information on research and
development in scientific and military fields. J.C.R. Licklider of MIT
(Massachusetts Institute of Technology, USA) first proposed a global
network of computers in 1962, and moved over to the Defense
Advanced Research Projects Agency (DARPA) in late 1962 to head the
work to develop it. Leonard Kleinrock developed the theory of packet
switching, which was to form the basis of Internet connections.
Lawrence Roberts connected a Massachusetts computer with a
California computer in 1965 over dial-up telephone lines. In 1966
Roberts developed his plan for ARPANET (Advanced Research Projects
Agency Network). These dreamers and many more are the real
founders of the Internet.

The Internet, then known as ARPANET, was brought online in 1969,
initially connecting four major computers at universities in the
southwestern US (UCLA, Stanford Research Institute, UCSB, and the
University of Utah). By June 1970, MIT, Harvard, BBN, and Systems
Development Corp (SDC) in Santa Monica, Cal. were added. By
January 1971, Stanford, MIT's Lincoln Labs, Carnegie-Mellon, and
Case-Western Reserve University were added. In the months to come,
NASA/Ames, Mitre, Burroughs, RAND, and the University of Illinois
plugged in. After that, there were far too many to keep track of.

The early Internet was used by computer experts, engineers, scientists,
and librarians. There was nothing friendly about it. There were no
home or office personal computers in those days, and anyone who
used it, whether a computer professional or an engineer or scientist
or librarian, had to learn to use a very complex system.

E-mail was adapted for ARPANET in 1972. The @ symbol was chosen
from the available symbols to link the username and address. The
Internet matured in the mid-1970s as a result of the TCP/IP
architecture, which was developed throughout the 1970s.

While the number of sites on the Internet was small, it was fairly easy
to keep track of the resources of interest that were available, but as
more and more universities and organizations connected, the Internet
became harder and harder to track. There was more and more need
for tools to index the resources that were available.

The first effort to index the Internet was done in 1989, when Peter
Deutsch and his crew created an 'archiver' for sites, which they named
Archie. This software would periodically reach out to all known openly
available ftp sites, list their files and build a searchable index for the
user. This was naturally a great help.

In 1989 another significant event took place in making the Internet
friendly and easier to use. Tim Berners-Lee and others proposed a
new protocol for information distribution. This protocol, which
became the World Wide Web in 1991, was based on hypertext - a
system of embedding links in text to link to other portions of text.



Since the Internet was initially funded by the US government, it was originally limited to
research, education and government uses rather than for profit purposes. Commercial uses
were prohibited unless they directly served the goals of research and education. This policy
continued until the early 1990's, when independent commercial networks began to grow. It
then became possible to route traffic across the country (USA) from one commercial site to
another without passing through the government-funded Internet backbone.

As the Internet has become ubiquitous, faster, and progressively accessible to non-technical
user communities, social networking and collaborative services have grown rapidly;
enabling people to communicate and share interests in many more ways. Sites like
Facebook, Twitter, LinkedIn, YouTube, Flickr and many more allow people of all ages to
rapidly share their interests with others everywhere.
[Figure: timeline of communication and social media milestones, including the Persian postal service (550 BC), the telegraph (France, 1792), the telephone (1890), e-mail (1966), CompuServe (1969), USENET (1979), IRC (1988), MoveOn (1996), Blogger, Epinions and Napster (1999), Friendster (2002), MySpace and Delicious (2003), Flickr and Digg (2004), YouTube (2005) and Twitter (2006)]

With the evolution of the Internet, it became harder and harder to
keep track of the websites and web pages. Anticipating that this
problem would only become worse as the network expanded,
researchers launched an effort to design a more distributed and easy
way of providing the information about the sites on the Internet. The
end result was the Domain Name System (DNS) which allowed
hundreds of thousands of "name servers" to maintain small portions
of a global database of information associating IP addresses with the
names of computers on the Internet.

The naming structure was hierarchical in character. For example, all
host computers associated with educational institutions would have
the domain ".edu", hence the site names would be names like
"www.ned.edu.pk" or "www.iba.edu.pk".
The designers of the DNS also developed seven generic "top level"
domains, as follows: Education - EDU, Government - GOV, Military -
MIL, International - INT, Network - NET, (non-profit) Organization -
ORG and Commercial - COM. Top-level domain names were also
created for every country: Pakistan names would end in ".PK", while
the ending ".FR" was created for the name of France. Based on these
naming principles we have web addresses like ibp.org.pk and
nadra.gov.pk.

The Domain Name System (DNS) was and continues to be a major
element of the Internet architecture, which contributes to its
scalability and ease of use.

Internet Uses
Nowadays, the name "Internet" has become so common that people
who are unaware of the Internet are considered naive and out of
touch with modern communications. Due to the speedy development
of technology and globalization, societies and communities are
becoming more and more unified and the number of Internet users is continuously
growing.

1. Internet shopping has also become popular amongst users,
especially in developed nations; this is because "shopping on the
Internet" is more efficient than physically going into the stores.
Shopping on the Internet also saves time and a product can be
selected without having to travel long distances. Using the
Internet, shoppers can compare product prices from various
stores while sitting in one place and with just a few mouse-clicks. Also
they can now shop online for items which are normally only
available in foreign countries and, rather than having to travel to
the country to take delivery of the goods, they can place the
order online and have it delivered to their homes.

2. The Internet also gives users the opportunity to communicate
effectively and efficiently. For example, sending e-mail costs less
than posting a letter in the mail, especially for people who have
to communicate internationally. An e-mail can also be sent within
a minute of being written. The recipient of the e-mail can view it
at any time and from any place, as it is a virtual means of
communication as opposed to having a mail box or home
address where letters are physically delivered.

3. Internet use is of course not limited only to shopping and
communication with people; it also provides an environment for
news distribution and constant updating of the latest news. Data
can be easily accessed from every part of the world at any time
of day or night, that is, 24/7 availability.

4. The Internet is also a very good form of communication for
people who want to express their own viewpoints, as numerous
online platforms are available for promoting ideas and causes.

5. The Internet is also being used for education, with numerous
online study programs available and access to websites for
research.



6. As well as access to knowledge, the Internet can also be used for
entertainment, such as playing online games, downloading
movies, music, etc.

7. Modern businesses could not survive in the competitive global
market place without making use of the Internet for
communication, research, marketing, advertising and promotion,
etc., and it is now inconceivable that any organization, large or
small, or even any individual, who wants to be a meaningful part
of the "global village" created to some extent by the Internet,
does not have a website.

In general, the popularity of the Internet is contributing to almost all
domains of society. People are becoming more dependent on the
Internet for use in their day-to-day work as well as in areas outside of
work, but it can only be a real enhancement to modern life if it is
used properly and responsibly.

Information and Transaction Websites
A brochureware website is a business website that has very infrequently
updated content. Often the site has been developed
as a direct conversion of existing printed promotional
materials, hence the name. Brochureware sites therefore take little
advantage of the capabilities of the web that are unavailable in
printed publication. These sites are commonly used by small and
medium businesses that need a web presence to provide product,
contact and location information, but do not need (or want) e-
commerce or other interactive features. In design terms these sites
are often produced on very small budgets.

An information-based website provides valuable information as its
main commodity and attraction rather than selling a physical product.
These types of websites are designed to provide features and content
that focus on expressing ideas, sharing knowledge, or building a
community by offering a near infinite number of things including
news, articles, interactive games, forums, multimedia, messaging and
so on. The goal of these sites is to build an environment that
encourages repeat visits through constantly updated content that
maintains visitors' interest.

An information-based website can be a very lucrative way to do
business online, mainly because a product doesn't have to be
manufactured and shipped and all that is needed is to take
advantage of the tools and technologies of the web to showcase
product information. These types of websites have the potential to be
the entire backbone of a successful business, without the need for
physical stores or actual products. These sites can also serve as a way
to build brand, reputation, and market exposure online.

In terms of design, information-based websites are almost an
evolution of a brochureware website. However, rather than being
static and straightforward they take more advantage of the
capabilities the web has to offer, including dynamic and interactive
content, communications tools and technologies and multimedia
support (e.g. video clips, audio etc.). Information-based websites offer
more independence and uniqueness in design than brochureware sites.
That implies that they are more complex, involve much
more development and maintenance work and require more features and constantly fresh
content, but at the same time there is much more opportunity for revenue generation
and exposure than a basic brochureware site would ever have.

In contrast to an information-based website, a transactional website is a website where
customers are able to order goods or services online and complete the transactions for
the goods or services they want to buy (including online payment). Built-in features
include the collection of information from website users and / or distribution of that
information via the website. The information collected is typically stored in backend
databases for later use and analysis by the company's information system. The
information distributed normally comes from that same database or an existing source of
data containing product information, for example.

These types of websites give rise to several matters that need to be considered, such as
certainty of the contract between the buyer and the seller, the enforceability of the
contract, security of payment, warranty and liability issues and delivery of goods or
services, etc.

Web pages can be either static or dynamic. "Static" means unchanged or constant, while
"dynamic" means changing or active. Therefore, static web pages contain the same pre-
built content each time the page is loaded, while the content of dynamic web pages can
be generated according to what is required for any particular (changing) situation.

Standard HTML pages are static web pages. They contain HTML (Hyper Text Markup
Language) code, which describes the organization and content of the web page. Each
time an HTML page is loaded, it looks the same. The only way the content of an HTML
page will change is if the web developer updates and uploads the new file.

Other types of web pages, such as PHP, ASP and JSP pages are dynamic web pages.
These pages contain a "server-side" code, which allows the server to generate unique
content each time the page is loaded. For example, the server may display the current
time and date on the web page. It may also output a unique response based on a web
form the user filled out (e.g. the user may be addressed by his/her name). Many dynamic
pages use a server-side code to access database information, which enables the page's
content to be generated from information stored in the database. Websites that generate
web pages from database information are often called database-driven websites.

It is often obvious whether a page is static or dynamic simply by looking at the page's file
extension in the URL (Uniform Resource Locator). If it is ".htm" or ".html," the page is
probably static. If the extension is ".php," ".asp," or ".jsp," the page is most likely dynamic.
While not all dynamic web pages contain dynamic content, most have at least some
content that is generated dynamically.
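To show the distinction in code, here is an added example (not from the book) of a static page function beside a server-side dynamic page that is built from the clock, a submitted form and a backing data store, as the text describes. The product table, form field names, page layout and the sample time are constructed assumptions.

```python
"""Static vs dynamic web pages (constructed example, not the book's code).

static_page() returns the same bytes on every load; dynamic_page() is the
"server-side code" of the text: it inserts the current date and time,
greets the user by the name submitted in a form, and pulls a description
from a database.  The product table and form fields are made up.
"""
import html
from datetime import datetime
from urllib.parse import parse_qs

# Constructed stand-in for the backend database a database-driven site reads.
PRODUCTS = {
    "ACC-001": ("Savings account", "no minimum opening balance"),
    "CRD-010": ("Debit card", "annual fee applies"),
}

STATIC_HTML = "<html><body><h1>About us</h1><p>Opening hours: 9-5</p></body></html>"

# Fixed sample clock so the example is reproducible (assumed value).
DEMO_TIME = datetime(2008, 7, 1, 9, 30)


def static_page():
    """Standard HTML page: identical on every load; it changes only when the
    developer uploads a new file."""
    return STATIC_HTML


def dynamic_page(query_string, now=None):
    """Page generated at request time from the clock, the submitted form
    (?name=...&product=...) and the product table.  User-supplied values are
    HTML-escaped before insertion so that text typed into the form cannot
    become markup in the server-generated page."""
    now = now or datetime.now()
    form = parse_qs(query_string)
    name = form.get("name", ["visitor"])[0]
    code = form.get("product", [""])[0]
    product = PRODUCTS.get(code)
    if product:
        detail = f"<p>{html.escape(product[0])}: {html.escape(product[1])}</p>"
    else:
        detail = "<p>No such product.</p>"
    return (
        "<html><body>"
        f"<h1>Hello, {html.escape(name)}</h1>"
        f"<p>Generated at {now:%Y-%m-%d %H:%M}</p>"
        f"{detail}"
        "</body></html>"
    )


def page_kind(url_path):
    """The rule of thumb from the text: judge by the URL's file extension."""
    ext = url_path.rsplit(".", 1)[-1].lower() if "." in url_path else ""
    if ext in ("htm", "html"):
        return "probably static"
    if ext in ("php", "asp", "jsp"):
        return "most likely dynamic"
    return "unknown"
```

Calling dynamic_page("name=Ayesha&product=CRD-010", DEMO_TIME) yields a greeting, the timestamp 2008-07-01 09:30 and the debit card line, while two calls to static_page() are byte-for-byte identical.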
Internet's Impact on Business
The Internet and its myriad of applications, tools and technologies have
been adopted quickly by most businesses since the mid-
1990s. The Internet has affected communication paradigms,
advertising methods, information access and dissemination
mechanisms, workforce mobility, business practices and operational
methods of businesses across domains and sectors.

Communication Capabilities
Use of Internet technologies and access options have expanded the
capabilities of laptops, desktops and workstations. Employees are able
to communicate with each other via e-mail, instant message
programs, office intranet, local area networks and wide area networks.

Fosters Collaboration
Internet communication technologies and networking software enable
employees to collaborate on projects across locations and
geographical boundaries.

Transactions and E-Commerce
Web-based interfaces, payment gateways, and encrypted and secure
portals have simplified quicker transactions for businesses. Invoices,
purchase orders and online tracking systems have fostered productive
e-commerce relationships with vendors, partners and suppliers.

Workforce Mobility
Wireless Internet options in notebooks, smartphones and other
mobile hand-held devices allow frequent travelers, busy business
executives and off-site employees to work anywhere, at any time,
without being "chained" to a traditional office environment.

Web-enabled Enterprise Applications
Enterprise information technology paradigms such as cloud
computing, metadata search, software as a service and online office
suites have gained credence as Web-based business models and
operational practices have been adopted by many businesses.

Internet's Impact on Specific Industries

Employment and Placement
Traditionally, job matching was done in several ways, ranging from
advertisements in newspapers to the use of corporate recruiters and
employment agencies' services. Now the job market has largely moved
online. The online job market connects employers with potential
employees. The new channel is becoming increasingly popular as
employers and job seekers are turning away from the traditional
methods to online advertisements and recruitment activities, which
have a wide reach at extremely low cost. Hundreds of websites offer
correspondence between job seekers and employers. Nearly all
Fortune 500 companies now use the Internet for the majority of their
hiring activities.

Real Estate
The increasing presence and realization of Internet possibilities and
opportunities in the real estate business is creating a drive and willingness for change and
slowly adding pressure to transform the old ways of doing things. The increase in Internet
real estate advertising is influencing buying behaviors. Recent studies show that over 77
percent of real estate buyers begin their searches for properties on the Internet. Reputable
online real estate brokerage services are now available all over the world.

Stock Trading
Online stock trading began in the 1990s. Today the majority of stock trading is carried out via
the Internet. The commission for online trade is extremely low as compared to an average fee
of a full-service off-line traditional broker. With online trading there are no busy telephone
lines, and chances of errors are less as there is no human intervention resulting in confusions
and these translating into financial losses. Orders can be placed from anywhere and at any
time. All these factors have resulted in a totally changed stock trading industry.

Banking
Online banking in recent years has become a mainstream Internet activity. Online banking
includes various banking activities conducted via the Internet from home, office or on the
road rather than at a physical bank location. Consumers can use e-banking to check their
accounts, pay bills, secure loans, etc. Internet-based banking saves time and money for both
consumers and banks. This topic will be explored in more detail in a later part of the book.

Years ago, before the development of current technology, it was more customary for firms to
hide supply chains from customers and suppliers. As a result, companies moved at a much
slower pace and did business at a slower speed, probably because they had no choice.

The Internet in particular and technology as a whole have intensely impacted on the way
companies do business, the way supply chains operate and the way they interface with
customers and partners. The biggest impact technology has had on supply chains is to make
them less obscure. Because of the Internet, companies are now much more connected to the
other companies they do business with. It has become more convenient and helpful to use
technology to increase communications and interactions with other companies in ways that
can benefit an organization. For example, inventory control systems are commonly used to
track inventory levels and automatically send purchase orders, expected demand schedules
and past sales statistics to suppliers. This fact allows companies to make better and quicker
decisions and can translate to fewer risks. If a company sells less of a product than expected,
their system will identify this and automatically order less of that product so that inventory
does not accumulate and cause financial problems for the company. This also leads to
quicker, more convenient transactions, and eliminates the need to use physical cash.

As compared to the traditional and manual methods of the past, the Internet has also made
it easier for companies to manage clients, resources, logistics and operations, to extend
customer and partner bases and to introduce almost immediate reporting of performance
changes. This makes it unlikely that supply chains' reliance on Internet technologies will
decrease in the foreseeable future.

85
Information Technology in Financial Services | Reference
Internet Tools A tool is a device that can be used to produce an item or achieve a
task but that is not consumed in the process. Informally the word is also used to
describe a procedure or process with a specific purpose.

The Internet has grown enormously and become more complex, with millions of websites
and users. Consequently it has become difficult to manage, and effective tools are
required to derive the most benefit from it. Internet tools are basically used to make
Internet use much easier.

The very first tool used for searching on the Internet was "Archie" (1990), as
mentioned earlier. Archie did not index the contents of websites, since the amount of
data at that time was so limited that it could be readily searched manually. In 1991,
two new search programs, "Veronica" and "Jughead", were introduced. One of the first
"full text" crawler-based search engines was WebCrawler, which came out in 1994. By the
early 2000s Google's search engine had risen to prominence. AltaVista, a web search
engine owned by Yahoo!, was once one of the most popular search engines but its
popularity declined with the rise of Google.

Search engines consist of three main parts. Search engine 'spiders' follow links on the web to
request pages that are either not yet indexed or have been updated since they were last
indexed. These pages are crawled and added to the search engine index (also known as the
catalog). When the web is searched using a major search engine, what is actually searched is
a slightly outdated index of content which roughly represents the real content of the web.
The third part of a search engine is the search interface and relevancy software.

When a user enters a query into a search engine (typically by using keywords), the engine
examines its index and provides a listing of best-matching web pages according to its
criteria, usually with a short summary containing the document's title and sometimes parts
of the text. Searching documents by the date they were written is poorly supported by
public search engines. Most search engines support the use of the Boolean operators AND,
OR and NOT to further specify the search query. The engine looks for the words or phrases
exactly as entered. There is also concept-based searching, where the search involves using
statistical analysis on pages containing the words or phrases searched for. Essie is an
example of a concept-based search engine.

The usefulness of a search engine depends on the relevance of the results it gives back.
While there may be millions of web pages that include a particular word or phrase, some
pages may be more relevant, popular or authoritative than others. Most search engines
employ methods to rank the results to provide the "best" results first. How a search
engine decides which pages are the best matches, and what order the results should be
shown in, varies widely from one engine to another. The methods also change over time
as Internet usage changes and new techniques evolve.
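The three parts described above, in miniature, as an added example that is not code from the book: a breadth-first spider over a small in-memory "web", an inverted index serving as the catalog, and a query interface that evaluates AND/OR/NOT and ranks hits by a crude term-frequency score. The pages, their text and their links are constructed for the illustration and do not correspond to real sites.

```python
"""Toy search engine: spider, inverted index (catalog) and Boolean query
interface with a simple relevancy ranking."""
from collections import deque
import re

# Constructed sample "web": page name -> (text, outgoing links). Not real sites.
SAMPLE_WEB = {
    "home":   ("online banking saves time for consumers and banks", ["bank", "shop"]),
    "bank":   ("internet banking lets consumers check accounts and pay bills "
               "with online banking", ["loans"]),
    "loans":  ("banks secure loans online and consumers apply from home", []),
    "shop":   ("online shopping offers buyers convenience and price comparison", ["home"]),
    "orphan": ("this page is not linked from anywhere and is never crawled", []),
}

TOKEN = re.compile(r"[a-z0-9]+")

def tokenize(text):
    return TOKEN.findall(text.lower())

def crawl(web, seed):
    """Spider: follow links breadth-first from the seed, visiting each page once.
    Pages nothing links to (like 'orphan') are never reached, exactly as on the web."""
    seen, order, queue = {seed}, [], deque([seed])
    while queue:
        page = queue.popleft()
        if page not in web:            # dangling link: skip it, like a 404
            continue
        order.append(page)
        for link in web[page][1]:
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return order

def build_index(web, pages):
    """Catalog: inverted index, term -> {page: term frequency}."""
    index = {}
    for page in pages:
        for term in tokenize(web[page][0]):
            counts = index.setdefault(term, {})
            counts[page] = counts.get(page, 0) + 1
    return index

OPERATORS = ("AND", "OR", "NOT")

def search(index, all_pages, query):
    """Query interface: terms joined by AND/OR/NOT, evaluated left to right
    (implicit AND between bare terms); results ranked by summed term
    frequency, ties broken by page name."""
    tokens = query.split()
    result, op = None, "AND"
    for tok in tokens:
        if tok.upper() in OPERATORS:
            op = tok.upper()
            continue
        hits = set(index.get(tok.lower(), {}))
        if result is None:                       # first term
            result = set(all_pages) - hits if op == "NOT" else hits
        elif op == "AND":
            result &= hits
        elif op == "OR":
            result |= hits
        else:                                    # NOT
            result -= hits
        op = "AND"
    if not result:
        return []
    terms = [t.lower() for t in tokens if t.upper() not in OPERATORS]
    score = lambda page: sum(index.get(t, {}).get(page, 0) for t in terms)
    return sorted(result, key=lambda page: (-score(page), page))

if __name__ == "__main__":
    pages = crawl(SAMPLE_WEB, "home")
    index = build_index(SAMPLE_WEB, pages)
    for q in ("consumers AND banking", "online NOT shopping", "loans OR shopping"):
        print(f"{q!r:28} -> {search(index, pages, q)}")
```

The index is built once and queried many times, which is why a live search returns slightly stale results: a page changed after the crawl is ranked on its old text until the spider visits it again.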

E-Commerce Electronic commerce (EC) is the process of buying, selling, transferring or
exchanging products, services and/or information via computer networks including the
Internet. EC can be defined from the following perspectives:

Business process: From a business process perspective, electronic commerce is
conducting business electronically by completing business processes over electronic
networks.


Service: From a service perspective, EC is a tool that addresses the
needs of governments, firms, consumers and management to cut
service costs while improving the quality of customer service and
increasing the speed of service delivery.

Learning: From a learning perspective, electronic commerce is an enabler of online
training and education in colleges and universities and other organizations including
businesses.

Collaborative: From a collaborative perspective, EC is the framework for inter- and
intra-organizational collaboration using a variety of tools and applications.

Community: From a community perspective, electronic commerce provides a meeting place
for community members to socialize, learn, interact and collaborate.

Sometimes the term "commerce" is used only to describe transactions conducted between
business partners. If this definition of commerce is used, the term "e-commerce" would
be fairly narrow. Thus, the term "e-business" is used instead. E-business refers to a
broader definition of EC, not just buying and selling of goods and services but also
servicing customers, collaborating with business partners, conducting e-learning and
carrying on electronic transactions within an organization. Hence e-business is the use
of the Internet and other information technologies to support commerce and improve
business performance.

Most electronic commerce is done over the Internet, but EC can also
be conducted on private networks, such as value-added networks
(VANs), on company's local area networks (LANs) using intranets or
on a single computerized machine. For example, buying a soft drink
from a vending machine and paying with a smart card can be
considered an EC activity.

Pure versus Partial EC EC can take several forms depending on the degree of digitization
of (1) the product or service sold/transacted, (2) the process (e.g. ordering, payment,
fulfillment) and (3) the delivery method. The framework shown below explains the possible
configurations of these dimensions. The product may be physical or digital, the process may
be physical or digital and similarly the delivery method may be physical or digital. These
alternatives create eight possibilities, each with three dimensions. In traditional commerce,
all three dimensions are physical. In pure e-commerce, all dimensions are digital. All other
possibilities include a mix of digital and physical dimensions.

[Figure: the three dimensions of EC (digital or physical product, digital or physical
process, digital or physical delivery method/agent) drawn as a cube. The all-physical
corner is traditional commerce, the all-digital corner is pure electronic commerce, and
the remaining six corners are the partial electronic commerce areas.]

If there is at least one digital dimension, the situation is considered e-commerce but
partial. For example, purchasing a book from Amazon.com is partial e-commerce because while
the ordering process is digital, the product and delivery dimensions are physical. However,
buying software from a software e-store is a pure e-commerce example because the product,
process and fulfillment are all digital.

Electronic Commerce Types E-commerce can be broken into four main categories: B2B, B2C,
C2B and C2C.

B2B (Business-to-Business)
B2B is considered one of the most attractive and extensively developing
e-commerce trends nowadays. Companies doing business with each
other, such as manufacturers selling to distributors and wholesalers
selling to retailers, are instances of B2B e-commerce. Pricing is based on
quantity of order and is often negotiable. The information technology
systems of partners often require compatibility and interconnection.
Hence initial investment is essential.

B2C (Business-to-Consumer)
Business to consumer is the most familiar type of e-commerce. This
model is used when the business is a supplier/seller and the consumer
is the purchaser, usually an individual end user. The most common set-
up for this type of e-commerce is for the business to sell items through
its website. Usually, these businesses offer a catalog and an online
shopping cart, and the business is able to accept payment through its
website, although through a transparent arrangement with a service
provider. The consumer then has immediate access to the service online,
or the product is shipped to them directly. Prices in this model are
generally fixed.

An example of business to consumer e-commerce is Pizza Hut. Pizza Hut was the first
delivery restaurant to offer e-commerce on their site. Consumers who order pizzas through
Pizza Hut's website have the option to pay online or upon delivery or pick-up.


C2B (Consumer-to-Business)
Consumer to business e-commerce occurs when a consumer is selling a
product or service to a business. In this instance, a consumer is defined as
a non-business entity. The most obvious example of this type of e-
commerce is the relationship between a freelancer (e.g. a software
developer) and a possible employer (e.g. a software house). A freelancer, or
the consumer, sets the price first instead of the other way around, and the
business decides if that price is fair. An example of this type of e-
commerce is Get-A-Freelancer, where freelancers offer their services to
companies who post available work. This type of e-commerce is least
popular in Pakistan.

C2C (Consumer-to-Consumer)
There are many sites offering free classifieds, auctions and forums where
individuals can buy and sell thanks to online payment systems like PayPal
where people can send and receive money online with ease. eBay's auction
service is a great example of the e-business model where person-to-person
transactions have been taking place every day since 1995.

G2G (Government-to-Government), G2E (Government-to-Employee), G2B (Government-to-Business),
B2G (Business-to-Government), G2C (Government-to-Citizen) and C2G (Citizen-to-Government)
are other forms of e-commerce that involve transactions with the government, from
procurement to filing taxes to business registrations to renewing licenses. There are other
categories of e-commerce also, but they tend to be superfluous.

E-Commerce Benefits Technology nowadays continues to bring about more and more surprises
for everyone. As improvements in Internet technology continue to radically change the way
business is done, e-commerce continues to shower its benefits onto all its users. Some of
these benefits are:

■ E-commerce offers buyers convenience. Buyers have increased opportunities for buying
alternative products. Buyers can also visit websites to compare prices and make purchases.
This can all be done in the comfort of their homes or offices from any place in the world.

■ Buyers can immediately obtain a product or service such as an electronic book, a music
file or computer software by downloading it over the Internet. These e-files are normally
also cheaper than the physical product.

■ Catalog flexibility and fast online updating allow sellers to keep costs down and allow
for faster market testing. Sellers don't have to maintain a physical store or print and
distribute mail order catalogs.

■ Lower cost of doing business. There is less need for a large work force. Automated order
tracking and billing systems reduce additional labor costs. Orders placed online cost less
than the same orders placed through traditional means.

■ A global market allows products to be sold all over the world. Sellers have the potential
to market their products or services globally and are not limited by the physical location
of a store.

■ More efficient business relationships can be created by Internet technologies. These new
technologies allow sellers to track the interests and preferences of their customers with
the customers' permission. This information can then be used to build an ongoing
relationship with customers and also to customize websites to meet customer needs.

■ Easier for anyone to start a business. If one has a product or service to sell, it can be
sold online without requiring investment in physical locations (showrooms, etc). This allows
people who could not otherwise afford to start a physical business to sell and promote their
products/services.

E-Commerce Disadvantages Aside from the tremendous advantages of e-commerce, it also has
its faults and drawbacks. However, most of these shortcomings can be overcome with the use
of pertinent knowledge, relevant technology and responsible behavior.

■ Lack of security and privacy. Consumers need to be reassured that credit card
transactions are secure and that their privacy is respected. In practice this means the
merchant site protects card data in transit (HTTPS) and handles any stored card data under
the card industry's PCI DSS rules; a site that does neither has earned the customer's
distrust.

■ Low service levels. It's hard to ask questions of an online catalog about a product.
Physical businesses with physical employees can help customers by answering any questions
about the product. This drawback is being diminished with the advancement in technologies
that allow quick interaction.

■ The inability to test the product. Many people prefer to physically inspect the product
before purchasing, especially expensive products. This is a major hindrance to the
popularity of e-commerce, especially in under-developed and developing countries where
people prefer to touch, feel and test products before making purchases.

■ Social experience is a big reason many people go shopping. Going to the mall and hanging
out with friends is a valuable social experience for many; it's impossible to recreate that
experience on the Internet.

■ Legal issues can come into play when buying things online. Since the Internet is a global
marketplace, it is very hard to regulate across a country's physical borders.

■ Online scams are still a very real threat, even though they have been on the decline over
the last few years. These scams can sometimes be very hard to detect and make people scared
of buying online.

■ Lack of trust in EC and in unknown buyers/sellers also hinders dealings. People do not yet
sufficiently trust paperless, faceless transactions.

Social Media Social media are media for social interaction, using highly accessible and
scalable communication techniques. Social media is the use of web-based and mobile
technologies to turn communication into interactive dialogue.

Another definition could be that "social media are a type of online media that expedite
conversation, as opposed to traditional media, which deliver content but do not allow
readers/viewers/listeners to participate in the creation or development of the content".

Because "social media" is such a broad term, it covers a large range of websites. But the
one common link between these websites is that users are able to interact both with the
website and with other visitors to the website.

Generally any website that invites visitors to interact with the site and with other
visitors falls into the definition of social media. Following are some examples of social
media websites:

■ Social Bookmarking (e.g. Blinklist, Simpy) - Interact by tagging websites and searching
through websites bookmarked by other people.

■ Social News (e.g. Digg, Propeller, Reddit) - Interact by voting for articles and
commenting on them.

■ Social Networking (e.g. Facebook) - Interact by adding friends, commenting on profiles,
joining groups and having discussions.

■ Social Photo and Video Sharing (e.g. YouTube, Flickr) - Interact by sharing photos or
videos and commenting on user submissions.

■ Wikis (e.g. Wikipedia, Wikia) - Interact by adding articles and editing existing articles.

Businesses are always evolving, and therefore businesses are always going to be affected
by new trends and ways of thinking. The latest trend to really hit businesses is social media.
Sites like Twitter and Facebook have taken off as business platforms that have really
enabled businesses to reach out.

Social media has been such a benefit for businesses because it is inexpensive to use. Not
only are most social platforms free to use, but they reach out to millions of people. There
are an estimated 500 million people using Facebook (according to Facebook). This means
that a business has access to a potential client base of 500 million people. Granted, there
are a lot of people out there socializing, but there are others out there who want to know
more, about businesses and opportunities.

Social media is very simple to use. A company can even assign an individual to be in
charge of social media and not have to worry too much about training. The company's
social networking strategy is as complicated as the company makes it out to be.

An easy to use and free platform reaching out to millions of people means a huge return
on investment. If a company makes even one sale because they have used social media, it
is a win for the company. Social media can be used as a cheap form of advertising instead
of having to spend large amounts of money on an advert that might be used once.

Social media is going to completely revolutionize how business is done in the near future.
Once businesses harness its full potential, and the last remaining holdouts come on board,
it will level the business playing field. The best thing about social media is that small
companies can use the same tools as large companies to compete, while making the
consumer the overall winner.

In the use of social media, organizations are seeing increased brand recognition, customer
satisfaction and sales revenues. It is now easy to obtain consumer feedback - often within
minutes of a news announcement or product launch. And monitoring what the competition
and customers are doing and saying has never been easier.

[Chart: Companies in select countries that successfully use social networks for customer
acquisition, 2010 and 2011, % of respondents. Source: Regus, "A Social Recovery: A global
survey of business social networking," June 7, 2011.]


Social Media Risks and Challenges In the rush to acquire tens of thousands of online
friends for their brands, many companies are not pausing to consider the potential risks.
Since social media tools are new to many organizations and do not require additional IT
infrastructure, they may be introduced to the enterprise by a business unit, marketing team
or individual employees, bypassing the normal safeguards and risk assessment provided by
the IT, HR and legal departments.

For these reasons, it's important to create a social media governance strategy and a plan
to address the risks that come with these new communication tools. There are three
scenarios that companies should consider when evaluating risk:

1. The use of social media as a business tool to communicate with customers, employees and
other stakeholders.

2. Access to social media sites while employees are on the corporate network.

3. Employees' use of social media tools from their corporate-issued mobile devices, which
are often not subject to the same controls and monitoring as corporate computers.

To effectively manage social media use, organizations should develop a documented strategy,
with associated policies and procedures, that involves all relevant stakeholders. This
includes leaders from the business units, sales and marketing, risk management, HR and
legal departments. This holistic approach helps ensure that risks are being viewed through
the lens of broader business goals and objectives.

The five primary business risks associated with the use of social media are:

1. Introduction of viruses/malware to the corporate network.

2. Brand hijacking, such as a brand being impersonated on a site.

3. Unclear or undefined content rights to information posted on social media sites.

4. Unrealistic customer expectations of service through the ability to communicate with
companies online 24/7.

5. Non-compliance with record management regulations because of mismanagement of
electronic communications.

The introduction of social media can produce significant shifts in both culture and
process, particularly in the areas of communications, marketing, customer service and
business development. As companies consider setting up a social media site or fan club,
they should look to established frameworks such as Risk IT and COBIT for clear processes
and controls to help them form sound social media governance policies.

Some questions to consider are: What is the strategic benefit to
leveraging this technology? What are the risks, and do the benefits
outweigh the costs? What new legal issues does it raise? How will customer
privacy issues be addressed? How will awareness training be delivered to
employees? Does the enterprise have enough resources to sustain this type
of initiative?

Clearly, the use of social media provides new entry points for technology
risks such as malware and viruses. But what magnifies these risks is the lack
of employee understanding of the potential threats. A social media
governance strategy should focus first on user behavior by developing
policies for personal use in the workplace, personal use involving business
information outside the workplace, and business use. These policies should
be reinforced through ongoing training and awareness programs.

As social media sites continue to grow in popularity, organizations should embrace them,
not block them. But companies that want to succeed at social media governance need to look
beyond technology controls and empower employees to reduce risk by becoming more aware of
the threats.

Summary The Internet is here to stay and prosper. While it started as a research project
half a century ago, it has now become an integral part of personal lives and
businesses. The early Internet was used by computer experts, engineers,
scientists. There was nothing friendly about it. The Internet started to
mature beyond the mid 1970's as a result of the TCP/IP architecture. The
first effort to index the Internet was done in 1989. As the Internet became
ubiquitous, faster, and increasingly accessible to non-technical communities,
social networking and collaborative services began to grow rapidly, enabling
people to communicate and share interests in many more ways. The use of
the Internet has now become so common that people who are unaware of
it are thought of as being completely out of touch with modern globalised
communications.

Internet uses include shopping, communication, banking, learning, etc. Every day hundreds
of thousands of websites are added to the World Wide Web. Websites can be either
informational or transactional depending on their interactiveness. The Internet and its
myriad of applications, tools and technologies have been adopted quickly by most businesses
since the mid-1990s. The Internet has affected communication paradigms, advertising
methods, information access and dissemination, workforce mobility, business practices and
operational methods of businesses.

The Internet has grown enormously and become more complex, with millions of websites and
users. Consequently it has become difficult to manage, and effective tools are required to
derive the most benefit from it. Search engines are the most popular and useful Internet
tool. Search engines comprise three parts: crawlers or spiders, an index and a search
interface.
The Internet has helped to create new revenue streams for businesses
and new business models. Electronic commerce (EC) is the process of
buying, selling, transferring or exchanging products, services and/or
information via computer networks including the Internet. EC can take
several forms depending on the degree of digitization of (1)the
product or service sold/transacted (2) the process (e.g. ordering,
payment, fulfillment) and (3) the delivery method. Popular e-
commerce types are B2B, B2C, and C2C etc.

E-commerce benefits include convenience, cost, time and effort savings, access to more
options, etc. Concerns include those of security, trust and some legal issues.

Internet popularity has also grown in the social domain and social
media have matured during the past few years. Social media are
media for social interaction, using highly accessible and scalable
communication techniques. Social media is the use of web-based and
mobile technologies to turn communication into interactive dialogue.
Businesses have also started using social media to sell, market and
launch new products, etc. Some questions to consider regarding
social media are: What is the strategic benefit to leveraging this
technology? What are the risks, and do the benefits outweigh the
costs? What new legal issues does it raise? How will customer privacy
issues be addressed?

Reference Links
http://www.walthowe.com/navnet/history.html
http://www.ehow.com/facts_5595213jmpact-internet-business.html
http://community.mis.temple.edu/mis3537sec001s11/2011/04/21/comment-on-week-2-impact-of-internet-on-supply-chains/
http://stongeassociates.wordpress.com/2011/06/09/reducing-social-media-risks/

Part 4: Introduction to Networking

In this part Basic concepts

Networking trends

Introduction to Networking

Student Learning Outcome By the end of this chapter you should be able to:

■ Describe basic networking technologies

■ List network infrastructure devices

■ List networking media

■ List types of networks (LAN, MAN, WAN, etc)

■ List the issues in online branch banking connectivity

■ List various networking trends (WiFi, Broadband, VPN)

What is a Computer Network? Discrete computers provide prospects for tremendous
productivity gains, but they become many times more potent when they're connected to one
another in data networks that give them the ability to share data and processing
resources. With a network, coworkers can read and edit an evolving document from
their own computer with minimal effort and coordination. Without a network, these
colleagues have to share time on the same computer or work out a process for
exchanging removable storage media. In a similar fashion, networks can create
economies of scale by running resource-hungry applications on high-power hardware.
In the broadest sense, a network is an interconnected group of 'items' capable of
sharing meaningful information with one another. In a technology context, network is
usually short for "computer network" or "data network" and implies that computers are
the items sharing the meaningful information. At a conceptual level, all data networks
consist of nodes, which refer to any computer or digital device using the network and
links, the physical connections (either wired or wireless) that carry messages between
nodes.

Data networks are important to all present-day organizations because they provide
quicker, easier access to any message or data that can be represented and stored in
digital format. In many contemporary organizations, large distances separate coworkers,
and data sharing becomes a major logistical problem in the absence of a network.

In addition to data sharing, computer networks also allow resource sharing, an
important consideration in all budget-conscious organizations. Rather than buying one
printer for every employee and replacing them when they wear out, an organization
with a network can buy a single printer, connect it to the network and configure it in
such a way that every computer user in the organization can print to it. The initial cost
of a networked printer is typically more than the cost of a single desktop printer, but
when considering costs on a per-user basis, the average cost of the networked printer is
often much less than the cost of buying a printer for every employee. While some
networked devices such as printers, scanners and fax machines have predetermined,
specialized functions, one can also network and share generic, unspecialized computing
power in the form of servers. Servers are large, powerful computers that can handle
resource-intensive tasks more efficiently than desktop computers. As with the networked
printer, the initial expenditure for a server is more than that for a desktop computer,
but across the organization, it's often cheaper to run the server-based version of a
program since individual users won't need expensive, high-performance desktop and
laptop computers. Servers can also deploy software to other networked machines at a
lower cost.

A pioneer in creating computer networking technology, engineer Robert Metcalfe developed a
theory concerning the usefulness of networks that became popular during the 1990s.

Network Value (Metcalfe's Law) Metcalfe's Law claims that the possible value of a
communications network grows with the square of its size: a network of n endpoints can form
roughly n x n (more precisely n(n-1)/2) pairwise connections. Metcalfe's Law was intended
to be an approximation and a relative measure of value for comparing two networks or the
growth of one. For example, under this Law, a network with 10 endpoints or nodes (value =
10x10=100) is approximately 4 times more useful than a network half the size (5 endpoints
with value 5x5=25). Metcalfe's Law characterizes many of the network effects of
communication technologies and networks such as the Internet, social networking and the
World Wide Web. Websites such as Twitter, Facebook and Myspace are the most prominent
modern examples of Metcalfe's Law.

Marc Andreessen, co-creator of the Mosaic web browser, said:

A network in general behaves in such a way that the more nodes that are added to it,
the whole thing gets more valuable for everyone on it because all of a sudden there's
all this new stuff that wasn't there before. You saw it with the phone system. The
more phones that are on the network, the more valuable it is to everyone because
then you can call these people. Federal Express, in order to grow their business,
would add a node in Topeka and business in New York would spike. You see it on
the Internet all the time. Every new node, every new server, every new user expands
the possibilities for everyone else who's already there.

Data Packets A packet is a fundamental unit of communication over a digital network. A
packet is also called a datagram, a segment, a block, a cell or a frame, depending on the
protocol and layer. Packets vary in structure depending on the protocols implementing them.
When data has to be transmitted, it is broken down into smaller, similarly structured units
of data, the packets, which are reassembled into the original data once they reach their
destination.

A packet consists of two kinds of data: control information and user data (also known as
payload). The control information provides the data the network needs to deliver the user
data, for example source and destination addresses (the sender's IP address and the
intended receiver's IP address), error detection codes and sequencing information,
something that tells the network how many pieces the message has been broken into and which
piece this particular packet is. Typically, control information is found in packet headers
and trailers, with user data in between.
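The control information just described, read back out of a real header layout, as an added example that is not from the book: this Python code splits the fixed 20-byte IPv4 header into its fields (addresses, the identification and fragment-offset fields that serve as sequencing information, and the header checksum that serves as the error-detection code) and recomputes the checksum to verify it. The sample packet is a constructed header (the commonly cited textbook example, 192.168.0.1 to 192.168.0.199 over UDP) followed by a dummy zero payload; the field names in the returned dictionary are this example's own.

```python
"""Parse and verify the control information of an IPv4 packet header."""
import struct
import ipaddress

def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 checksum: ones' complement of the ones' complement sum of the
    header's 16-bit words, computed with the checksum field itself zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Split the IPv4 header into its fields and check its error-detection code.
    Raises ValueError on input that cannot be an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag, ttl, proto, checksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    header = packet[:ihl]
    zeroed = header[:10] + b"\x00\x00" + header[12:]   # checksum field cleared
    return {
        "version": version,
        "header_length": ihl,
        "total_length": total_length,
        "identification": ident,                        # sequencing: which datagram
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # sequencing: which piece
        "ttl": ttl,
        "protocol": proto,                              # 17 = UDP, 6 = TCP
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum": checksum,
        "checksum_ok": ipv4_header_checksum(zeroed) == checksum,
        "payload": packet[ihl:],
    }

# Constructed sample: textbook example header, 192.168.0.1 -> 192.168.0.199,
# UDP, Don't Fragment set, checksum 0xb861, followed by a dummy zero payload
# so that the packet length matches the Total Length field (0x73 = 115).
SAMPLE_PACKET = bytes.fromhex(
    "4500 0073 0000 4000 4011 b861 c0a8 0001 c0a8 00c7"
) + b"\x00" * (0x73 - 20)

if __name__ == "__main__":
    fields = parse_ipv4_header(SAMPLE_PACKET)
    for name, value in fields.items():
        if name != "payload":
            print(f"{name:>16}: {value}")
    # Decrement the TTL without fixing the checksum, as a corrupted packet
    # (or a careless forwarder) would: the error-detection code now fails.
    damaged = SAMPLE_PACKET[:8] + bytes([SAMPLE_PACKET[8] - 1]) + SAMPLE_PACKET[9:]
    print("damaged checksum_ok:", parse_ipv4_header(damaged)["checksum_ok"])
```

Note that the IPv4 checksum covers only the header, not the payload, and detects accidental corruption rather than deliberate tampering: anyone who can alter a packet can recompute it. Integrity against an attacker needs a cryptographic check higher up the stack.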

Network Infrastructure Devices A computer network is comprised of a large number of
communication devices. Computer networking devices are units that relay data in a computer
network. Computer networking devices are also called network equipment, Intermediate
Systems (IS) or Interworking Units (IWU). Units which are the final receivers or generators
of data are called hosts or data terminal equipment. The simplest device used in the
communication is the NIC (Network Interface Card) adapter, which is attached to every
computer in a network. NICs and other more advanced devices are discussed below.

Network Interface Card:

Network Interface Cards (NIC) are adaptors attached to a computer or
other network devices to provide the connection between the devices
and the network. Each NIC is designed for a specific type of network such
as Ethernet, Token Ring, or wireless LAN. A NIC basically defines the physical connection
methods with the cable and the framing methods used to transmit bit streams over the
network. It also defines the control signals that provide the timing of data transfers
across a network. In new computers, NICs are now mostly pre-installed by the
manufacturers.

Hubs:
A hub, sometimes known as a concentrator or repeater hub, refers to a networking
component which acts as a merging point of a network, allowing the transfer of data
packets. In its simplest form, a hub works by repeating the data packets received via
one port and making it available to all ports, therefore allowing data sharing between
all devices connected to the hub.


A network hub is a fairly unsophisticated broadcast device. Hubs do not manage any of
the traffic that comes through them and any packet entering any port is regenerated
and broadcast out on all other ports in the network. Since every packet is being sent
out through all other ports, packet collisions result which greatly hinder the smooth
flow of traffic. This feature of hubs also creates security concerns, as the message is
received by all nodes and not just the intended recipient.

Information Technology in Financial Services | Reference Book

Historically, the main motive for purchasing hubs rather than switches was their price.
This stimulus has largely been eliminated by reductions in the price of switches, but hubs
can still be useful in special and explicit circumstances.

Switches
A network switch is a hardware device that joins multiple computers together within
one local area network (LAN). Network switches may appear nearly identical to network
hubs, but a switch generally contains more intelligence (and a slightly higher price tag)
than a hub. Unlike hubs, network switches are capable of examining data packets as
they are received, determining the source and destination device of each packet and
forwarding them appropriately to that location only. By delivering messages only to the
connected device intended, a network switch helps control network traffic and
conserves network bandwidth, offering generally superior performance than a hub. This
feature also makes switches more secure than hubs.

(Figure: a desktop computer, a printer and a database server connected through a switch.)

Different models of network switches support differing numbers of
connected devices. Most consumer-grade network switches provide
either four or eight connections for network devices. Switches can be
connected to each other, a so-called daisy chaining method, to add a
progressively larger number of devices to a LAN.
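The difference between a hub and a switch described above, as an added simulation that is not from the book: the hub repeats every frame out of every other port, while the switch learns which address sits behind which port and forwards only to that port, flooding only while the destination is still unknown. The host names, ports and traffic are constructed for illustration.

```python
"""Constructed hub-versus-switch forwarding simulation."""
from collections import namedtuple

Frame = namedtuple("Frame", "src dst payload")

# Constructed LAN: port number -> address of the host plugged into it.
HOSTS = {1: "teller-pc", 2: "core-banking-srv", 3: "printer", 4: "visitor-laptop"}
PORT_OF = {addr: port for port, addr in HOSTS.items()}


class Hub:
    """Repeats whatever arrives on one port to all other ports."""

    def forward(self, in_port, frame):
        return sorted(p for p in HOSTS if p != in_port)


class Switch:
    """Learns source addresses and forwards only toward the destination."""

    def __init__(self):
        self.mac_table = {}              # address -> port it was last seen on

    def forward(self, in_port, frame):
        self.mac_table[frame.src] = in_port          # learn the sender's port
        out_port = self.mac_table.get(frame.dst)
        if out_port is None or out_port == in_port:
            return sorted(p for p in HOSTS if p != in_port)   # unknown: flood
        return [out_port]                            # known: deliver to one port


def deliver(device, traffic):
    """Run frames through `device`; return, per frame, the ports that got a copy."""
    return [device.forward(PORT_OF[f.src], f) for f in traffic]


def exposed_copies(traffic, deliveries):
    """Count copies handed to a host other than the intended recipient.

    Each such copy is a frame a third party on the LAN could read, which is the
    security concern the text raises about hubs.
    """
    return sum(len([p for p in ports if p != PORT_OF[f.dst]])
               for f, ports in zip(traffic, deliveries))


# Constructed traffic: a teller PC talking to the core banking server.
TRAFFIC = [Frame("teller-pc", "core-banking-srv", "balance query"),
           Frame("core-banking-srv", "teller-pc", "balance reply"),
           Frame("teller-pc", "core-banking-srv", "transfer request")]

if __name__ == "__main__":
    for name, device in (("hub", Hub()), ("switch", Switch())):
        out = deliver(device, TRAFFIC)
        print(name, out, "exposed copies:", exposed_copies(TRAFFIC, out))
```

After the switch has learned both addresses, the printer and the visitor laptop no longer receive a copy of the teller's traffic; on the hub they receive every frame.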

Routers
Network routers are intelligent devices that forward and route packets along
networks. A network router connects at least two networks, commonly two LANs
or WANs or a LAN and its ISP network. A router is located at a gateway (where
one network meets another). The router is responsible for the delivery of
packets across diverse networks: the destination of the IP packet might be a web
server in another network or an e-mail server on the local area network. It is
the responsibility of the router to deliver those packets in a timely manner.
The effectiveness of internetwork communications depends, to a large degree,
on the ability of routers to forward packets in the most efficient way possible.

A router has two crucial jobs:

■ The router confirms that information doesn't go where it's not
needed. This is vital for keeping large volumes of data from
jamming the network.

■ The router makes certain that information does make it to the
intended destination.

In performing these two jobs, a router joins the two networks,
passing information from one to the other and in some cases,
performing conversions of various protocols between the two
networks. It also protects the networks from one another, preventing
the traffic on one from unnecessarily spilling over to the other. This
process is known as routing.

A router may generate and/or maintain a routing table of the
available routes and their conditions and use this information, along
with distance and cost algorithms, to determine the best route for a
given packet, i.e. the shortest route and/or the one with the least traffic. Typically, a
packet may travel through a number of network points with routers
before arriving at its destination.

A router which connects end-users to the Internet is called an Edge
router and a router which serves to transmit data between other
routers is called a Core router.

In addition to packet forwarding, a router provides further services as
well. To meet the demands on today's networks, routers are also
used:

■ To guarantee steady, reliable availability of network connectivity.
Routers use substitute components in cases where the primary
component fails, so that packets are still delivered.

■ To provide integrated services of data, video and voice over wired
and wireless networks.

■ For security, a router helps in mitigating the impact of worms,
viruses and other attacks on the network by permitting or
denying the forwarding of packets, thus performing the
firewalling function.

Some other specialized network devices are Gateways, Bridges,
Repeaters, etc.
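The two router functions above, routing-table lookup and permit/deny filtering, as an added example that is not from the book: a packet first passes an ordered permit/deny list (the firewalling function), then its destination is matched against a routing table where the most specific prefix wins and a lower cost breaks ties. All prefixes, interface names and rules are constructed for illustration, not any vendor's configuration.

```python
"""Constructed router: ordered permit/deny list plus longest-prefix-match routing."""
import ipaddress

# Routing table: (destination prefix, outgoing interface, cost).
ROUTES = [
    ("0.0.0.0/0",    "isp-uplink",  10),   # default route to the ISP
    ("10.0.0.0/8",   "core-router",  5),
    ("10.20.0.0/16", "branch-wan",   3),
    ("10.20.5.0/24", "atm-segment",  2),
    ("10.20.5.0/24", "atm-backup",   4),   # same prefix, worse cost
]

# Ordered rules: (action, source prefix, destination prefix, destination port or None).
# The first matching rule decides; a packet matching no rule is denied.
ACL = [
    ("deny",   "0.0.0.0/0",  "10.20.5.0/24", 23),    # no telnet into the ATM segment
    ("permit", "10.0.0.0/8", "10.0.0.0/8",   None),  # internal traffic, any port
    ("permit", "10.0.0.0/8", "0.0.0.0/0",    443),   # HTTPS out to the Internet
]


def acl_permits(src, dst, dport):
    """Walk the rules in order; the first match decides, otherwise deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_pfx, dst_pfx, port in ACL:
        if (src_ip in ipaddress.ip_network(src_pfx)
                and dst_ip in ipaddress.ip_network(dst_pfx)
                and (port is None or port == dport)):
            return action == "permit"
    return False                              # implicit deny at the end of the list


def best_route(dst):
    """Longest-prefix match; lower cost wins among equally specific routes."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, interface, cost in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net:                     # False for a mismatched IP version
            key = (net.prefixlen, -cost)      # more specific first, then cheaper
            if best is None or key > best[0]:
                best = (key, interface)
    return None if best is None else best[1]


def forward(src, dst, dport):
    """Return the interface a packet leaves on, or why it was dropped."""
    if not acl_permits(src, dst, dport):
        return "dropped: denied by ACL"
    interface = best_route(dst)
    return interface if interface else "dropped: no route"


if __name__ == "__main__":
    for pkt in [("10.1.1.1", "10.20.5.9", 443), ("10.1.1.1", "10.20.5.9", 23),
                ("10.1.1.1", "203.0.113.5", 443), ("10.1.1.1", "203.0.113.5", 80)]:
        print(pkt, "->", forward(*pkt))
```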

Network Media Communication across networks is carried on a medium which provides
the channel over which the message or data travel from source to
destination. Modern networks primarily use three types of media to
interconnect devices and to provide the pathway over which data can
be transmitted. These media are:

■ Metallic wires within cables

■ Fiber optic cables

■ Wireless transmission

Choosing the cables necessary to make a successful LAN or WAN
connection requires consideration of the different media types. Each
media type has its advantages and disadvantages. Some of the
factors to consider are: cable length, cost, bandwidth, ease of
installation, susceptibility to interference and noise, etc. It is also
possible and very common to use different types of media in setting
up a network. For example, wired and wireless media may be used
in a certain network. Also, coaxial cables and fiber optic cables may be
used in the same network set-up.

Metallic wires within cables

The most widely used network medium is copper wire. Since it is
a conductor of electricity, the digital signals generated by the
computer are converted into electrical signals so that they can be
sent over the network. The disadvantage of copper wire is that there
is too much energy loss if the message is sent over long distances.
The different types of copper wires are described as follows:

UTP (Unshielded Twisted Pair)

Unshielded twisted pair cable is the most popular cable type in
today's networks. It consists of two or more pairs of
unshielded copper wires. It is extensively used in telephone
systems around the world and in computer networking due to its low
cost, easy installation and maintenance. UTP cables provide
transmission speeds of up to 100 Mbps (Megabits per second), depending on the type and category of the cable
used. The disadvantage of this cable is that it cannot be used for networks spread over
long distances, as its runs are limited to 100 meters or less; after this length the signal
strength weakens, a phenomenon called attenuation. Attenuation is a limitation in all
metallic wires, ranging from mild to severe. As UTP is not shielded, it is more sensitive to
electromagnetic interference.

STP (Shielded Twisted Pair)

Shielded twisted pair cable contains one or more pairs of twisted wires that are insulated
with a metal foil to minimize electromagnetic interference. The metal shield is connected
to the ground to prevent external signals from getting into and internal signals from
getting out of the cable. Different types of STP cables with different characteristics are
available. The right type is selected keeping in view the size of the network, performance
requirements and budget. These cables provide transmission speeds of up to 16 Mbps in
Token Rings and an overall speed of up to 155 Mbps. The maximum segment it provides
is usually 100 meters, although a few hundred meters is also possible. The advantage of
using the STP cable is that its ability to reduce EMI (electromagnetic interference) is
better than that of the UTP cable. Its disadvantages are that it is costly and provides less speed
than the UTP cable.


Coaxial Cable:
Coaxial cables consist of an insulator that separates the braided inner conductor and the
outer conductor, which is a woven copper braid. These cables are commonly used for
cable TV connections in homes. Coaxial cable is of two types, namely the Thinnet and the
Thicknet, depending on the thickness of the cable. Thinnet supports a maximum segment
length of 185 meters and Thicknet can send signals up to 500 meters. The cost of the
cable depends on which type of cable is used. Thinnet is less costly and easier to install,
whereas Thicknet is costlier and demands more effort in installation. The transmission
speed these cables provide is between 2.5 Mbps and 10 Mbps. Coaxial cables are more
resistant to electromagnetic interference than UTP and STP cables, as they use insulators
to minimize external interference.

Fiber Optic Cable

Fiber optic cables are made up of glass and they transmit data in the form of light, unlike
the copper wire that uses electrical signals. A reflective coating that allows light beams to
travel without outer interference covers the glass cable. The advantages of fiber optic
cables are that signals can be sent at a much higher speed and to very long distances
without the risk of outer interference. Since no metallic conductor is used, attenuation is
no longer a problem and even larger distances can be reached without losing signal
power. This makes fiber optic cables the most suitable choice for establishing network
backbones extending over very large distances.

Wireless (unguided) Transmission

Wireless transmission is the sending and receiving of data packets over a distance without
the use of wires. Wireless network transmission is used for locations where physical
media such as coaxial cables, UTP/STP and fiber optic cables are not possible to deploy. The
demand for communications is increasing exponentially.
Wireless communication can be performed in a variety of ways such as wireless Ethernet,
GSM, Bluetooth, Infrared, Wi-Fi and WiMAX. Similarly, broadband wireless is an emerging
wireless technology that allows the concurrent delivery of voice, video and data signals.
All these technologies are based on different standards and specifications.

Wireless transmission can provide special services and conveniences, such as connection
to the Internet or other networks without connecting to a wire directly, hence giving
mobility and ease of use. It can also facilitate the creation of networks in special
situations, such as in terrain that is unfavorable to wired media.

Types of Networks There are various types of networks which are used world-wide these days, both
domestically and commercially. These networks are distinguished on the basis of their scale and
scope, historical reasons and their design and implementation issues. LAN and WAN are
the best known and most widely used. LAN, local area network, was first invented for
communication between two computers. WAN emerged in due course of time with
changing needs and as the technology became available.

LAN operates through cables and network cards. Later WLAN, Wireless local area
network, was formed from the LAN concept. There are no wires involved in
communication between computers. As mentioned already, LAN is the original network
out of which other networks are formed according to requirements. Some popular types
are as follows:

LAN - Local Area Network

A local area network (LAN) is a computer network that attaches computers and devices in
a limited geographical area such as home, school, computer laboratory or office building.
The defining features of LANs, in contrast to wide area networks (WANs), include their
usually higher data-transfer rates, smaller geographic area, lack of a need for leased
telecommunication lines and moderate cost. Most local area networks are built with
relatively economical hardware such as coaxial cables, network adapters and hubs.
Wireless LAN and other more advanced LAN hardware options also exist.


WAN - Wide Area Network
A wide area network (WAN) is a telecommunications network, usually used for
connecting computers, that spans a large geographical area. WANs can be used to
connect cities, countries, or even continents. WANs are often used by large
corporations or organizations to enable the exchange of data, and in a wide variety
of industries. Corporations with facilities and offices/branches at multiple locations
have embraced WANs with great enthusiasm. Increasingly, however, even small
businesses are utilizing WANs as a way of increasing their communications
competences. Although WANs serve a purpose similar to that of local area networks
(LANs), WANs are structured and operated rather differently. The user of a WAN
usually does not own the communications lines that connect the remote computer
systems; instead, the user subscribes to a service through a telecommunications
provider. Unlike LANs, WANs typically do not link individual computers, but instead
are used to link two or more LANs. WANs also transmit data at slower speeds than
LANs. WANs are also structurally similar to metropolitan area networks (MANs), but
provide communications links for distances greater than (approximately) 50
kilometers. The largest WAN in existence is the Internet.

WANs have existed for decades, but new technologies, services and applications have
developed over the years to dramatically increase efficacy for business. WANs
were originally developed for leased-line services carrying only voice, rather
than data. Consequently, they linked the private branch exchanges (PBXs) of distant
offices and branches of the same company. WANs are still used for voice services, but
today they are used more frequently for data and image transmission (such as video
conferencing). These added applications have encouraged significant growth in WAN
usage, primarily because of the surge in connections to the wider networks.

WANs can be used for almost any data sharing purpose for which LANs can be used.
Slower transmission speeds, however, may make some applications less practical for
WANs. Efforts are being made to overcome such shortcomings and there are
noticeable successes. The most common uses of WANs are for electronic mail and file
transfer, but WANs can


permit users at remote sites to access and enter data on a central
site's database, such as instantaneously updating accounting records.
New types of network-based software that facilitate productivity and
production tracking, such as groupware and work-flow automation
software, can also be used over WANs. Using groupware, workers at
dispersed locations can more easily collaborate on projects, sharing
documents and designs. WANs also give remote offices access to a
central office's other data communications services, including the
Internet.

MAN - Metropolitan Area Network

A metropolitan area network (MAN) is a network that interconnects
users with computer resources in a geographic area or region larger
than that covered by even a large local area network (LAN) but
smaller than the area covered by a wide area network (WAN). The
term is applied to the interconnection of networks in a city into a
single larger network (which may then also offer efficient connection
to a wide area network). It is also used to mean the interconnection
of several local area networks by bridging them with backbone lines.
The latter usage is also sometimes referred to as a campus network.

A MAN might be owned and operated by a single organization, but it
usually will be used by many individuals and organizations.

Network Topologies Topology is the network's virtual shape or structure. This shape does not
necessarily correspond to the actual physical layout of the devices on
the network. For example, the computers on a home LAN may be
arranged in a circle in a family room, but it would be highly unlikely
to find a ring topology there.

Network topologies are categorized into the following basic types:

■ Bus

■ Ring

■ Star

■ Tree

■ Mesh

More complex networks can be built as hybrids of two or more of the
above basic topologies.

Bus Topology
Bus networks use a common backbone to connect all computing
devices. A single cable, the backbone, functions as a shared
communication medium that devices attach or tap into with an
interface connector (e.g. NIC). A device wanting to communicate with
another device on the network sends a broadcast message onto the
wire that all other devices see, but only the intended recipient actually
accepts and processes the message. The term "broadcast" is used
because the message goes to all devices/computers connected to the
bus. A terminator is required at each end of the bus cable to prevent
the signal from bouncing back and forth on the bus cable.

Bus topologies are relatively easy to install and don't require much cabling compared to
the alternatives, so there is generally a low upfront cost. However, there is a higher cost of
managing the network. Bus networks work best with a limited number of devices. If more
than a few dozen computers are added to a network bus, performance problems will likely
result, including longer delays and greater collisions of data packets. In addition, if the
backbone cable fails, the entire network effectively becomes unusable.

Ring Topology
In a ring network, each connected device has exactly two neighbors for communication
purposes. All messages travel through a ring in the same direction (either "clockwise" or
"counter clockwise"). Each device incorporates a receiver for the incoming signal and a
transmitter to send the data on to the next device in the ring. The basic problem of ring
topology is that each workstation must participate actively in the transfer of information:
a failure in any cable or device breaks the loop and can take down the entire network, as
the network is dependent on the ability of the signal to travel around the ring.


Star Topology
In networks with a star topology, each network host (for example a PC) is connected to a
central hub with a point-to-point connection. The "hub" may be a hub, switch or router.
Devices typically connect to the hub with Unshielded Twisted Pair (UTP). All traffic on the
network passes through the central hub that acts as a signal booster or repeater.

The star topology is considered the easiest topology to design and implement. An advantage
of the star topology is the simplicity of adding additional nodes. Compared to the bus
topology, a star network generally requires more cable, but a failure in any star network cable
will only take down one computer's network access and not the entire network. If the hub
fails, however, the entire network also fails.

Tree Topology
Tree Topology is a combination of the bus and the star topology. Tree topologies integrate
multiple star topologies together onto a bus. In its simplest form, only hub devices connect
directly to the tree bus, and each hub functions as the "root" of a tree of devices. This
bus/star hybrid approach supports future expandability of the network much better than a
bus (limited in the number of devices due to the broadcast traffic it generates) or a star
(limited by the number of hub connection points) alone.

A tree topology is supported by many network vendors and is the best topology for branched
out networks. However, the tree topology network is entirely dependent on the trunk which is
the main backbone of the network. If that were to fail, then the entire network would fail. A
tree topology network can become complicated and difficult to manage after a certain point.
Mesh Topology
Mesh topologies involve the concept of routes. Unlike each of the previous topologies,
messages sent on a mesh network can take any of several possible paths from source to
destination. The mesh network is based on a very practical concept and has reduced
chances of a network breakdown. There are so many possible combinations of routes and
hops (movement of a data packet from one node to another) a data transfer can take that it
will reach the destination one way or the other. It is highly unlikely that all the nodes in a
single mesh network will break down at any given point of time. In a mesh network every
node is connected to other nodes on the network through hops. Some are connected
through a single hop and some may be connected with more than one hop.

While the data is travelling on the mesh network it is automatically configured to reach
the destination by taking the shortest route, which means the least number of hops. Data
travels by hopping from one node to another and then reaches the destination node in a
mesh topology network.

A mesh network in which every device connects to every other is called a full mesh. As
shown in the illustration below, partial mesh networks also exist in which some devices
connect only indirectly to others. A full mesh network may be considered more effective
(more routes available) but can be difficult to manage.
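The topologies above as graphs, in an added example that is not from the book: the shortest route is computed as the least number of hops (the rule the text gives for mesh networks), and a single failure is then simulated to show that a star loses everything when its hub fails while a partial mesh routes around a failed node. The branch names and links are constructed for illustration.

```python
"""Constructed star and partial-mesh topologies with hop-count routing."""
from collections import deque


def build(links):
    """Undirected adjacency map from a list of (a, b) links."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def shortest_path(graph, src, dst):
    """Breadth-first search: the path with the fewest hops, or None if unreachable."""
    if src not in graph or dst not in graph:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:          # walk back to the source
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(graph[node]):      # sorted for deterministic paths
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def without(graph, failed):
    """Copy of the graph with the `failed` node and all its links removed."""
    return {n: {m for m in nbrs if m != failed}
            for n, nbrs in graph.items() if n != failed}


def unreachable_pairs(graph):
    """Number of node pairs that can no longer talk to each other."""
    nodes = sorted(graph)
    return sum(1 for i, a in enumerate(nodes) for b in nodes[i + 1:]
               if shortest_path(graph, a, b) is None)


# Constructed topologies: head office and three branches.
STAR = build([("hub", "HQ"), ("hub", "Lahore"), ("hub", "Karachi"), ("hub", "Quetta")])
PARTIAL_MESH = build([("HQ", "Lahore"), ("HQ", "Karachi"), ("Lahore", "Karachi"),
                      ("Lahore", "Quetta"), ("Karachi", "Quetta")])

if __name__ == "__main__":
    print("mesh route HQ -> Quetta:", shortest_path(PARTIAL_MESH, "HQ", "Quetta"))
    print("mesh route after Karachi fails:",
          shortest_path(without(PARTIAL_MESH, "Karachi"), "HQ", "Quetta"))
    print("star pairs cut by hub failure:", unreachable_pairs(without(STAR, "hub")))
    print("mesh pairs cut by Lahore failure:",
          unreachable_pairs(without(PARTIAL_MESH, "Lahore")))
```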


Networking Trends
The ability to get connected is the basis for all other technologies. Today, the Internet offers
the fastest and easiest information access ever, with services such as online banking,
shopping, stock trading, news postings, email, and more. Businesses are more and more
capitalizing on the Internet with e-commerce opportunities. With everyone exchanging data
almost instantly, it's networking that keeps everyone connected.

Networks connect people to the ultimate of all networks, the Internet, where networks of all
sizes connect to form a global information system. As more users discover online resources
and new applications are developed, networking must become more efficient to support ever-
increasing numbers of users.

Innovations of all kinds are being proposed to enhance networking applications, and sharing
Internet connections through networks is quickly becoming one of the key advantages of
networking. On the computing level, Gigabit Ethernet is expected to boost network speeds up
to 1000 Mbps, and Network-Attached Storage (NAS) and Storage-Area Network (SAN) media
will expand, centralize and manage data storage.

In a broader outlook, all these factors drive a strong market demand for a universal system of
communications connecting more than just PCs. New techniques for data transfer are being
developed to achieve interoperability among PCs, cellular phones, PDAs, cameras and other
multimedia devices. Bluetooth is just one of the exciting developments in wireless technology,
bridging data lines between PCs, cellular phones and other small electronic devices using
short-range radio wave transmission. As data transfer finds new paths and wireless technology
frees it from physical lines, a complete package for voice, data, and entertainment
convergence is inescapable.

In fact, the market already confirms convergence as the future of networking. Network data
can now travel over all types of cabling, including Ethernet cable, fiber optic cable, phone
lines, and power lines. Hybrid devices are combining multiple technologies and hardware
functions into a single multi-tasking device, such as set-top boxes (devices that connect to a
television and an external source of signal, turning the signal into content) for merging TV
and PC data and residential gateways for handling a home network's security and high-speed
Internet connections. To take it one step ahead, these gateways are expected to evolve into a
single device, controlling home security on top of network security, as well as networking
household appliances like refrigerators and central air conditioning.

The next generation of Internet consumers have much to expect. Information will flow more
spontaneously as voice, video, and data merge to travel over the same pathways. The Internet
itself will be overhauled, increasing the number of IP addresses and implementing IPSec
(Internet Protocol security) to enhance security on the Internet and support the development
of VPNs, or Virtual Private Networks. IP telephony, or Voice Over IP (VoIP) has already allowed
two-way audio transmission, meaning free or low-cost long-distance phone conversations via
the Internet, as well as faster downloading of music and video files.
Wi-Fi The term Wi-Fi suggests Wireless Fidelity, resembling the long-
established audio-equipment classification term "high fidelity" (in use
since the 1930s). The term "Wi-Fi" was first used commercially in
August 1999.

Wi-Fi is a wireless standard for connecting electronic devices. A Wi-Fi
enabled device such as a personal computer, video game console,
smartphone, or digital audio player can connect to the Internet
when within range of a wireless network connected to the Internet. A
single access point (or hotspot) has a range of about 20 meters
indoors. Wi-Fi has a greater range outdoors and multiple overlapping
access points can cover large areas.

In addition to private use in homes and offices, Wi-Fi can provide
public access at Wi-Fi hotspots provided either free of charge or to
paying subscribers to various commercial services. Organizations and
businesses such as those managing airports, hotels and restaurants,
often provide free-use hotspots to attract or assist clients.
Organizations or authorities who wish to provide services or to
promote business or a cause in selected areas sometimes provide free
Wi-Fi access.

Wi-Fi Advantages and Challenges

■ Many Wi-Fi networks support roaming, in which a mobile client
station such as a laptop computer can move from one access
point to another as the user moves around a building or area.

■ Many access points and network interfaces support various degrees
of encryption to protect traffic from interception.

■ Wi-Fi is a global set of standards. Unlike cellular carriers, the same
Wi-Fi client (e.g. a Wi-Fi enabled cell phone or laptop computer)
works in different countries around the world.

■ Allows LANs to be deployed without cabling, potentially
reducing costs of network deployment and expansion. Spaces
where cables cannot be run, such as outdoor areas and historical
buildings, can host wireless LANs.

■ Wi-Fi technology pricing continues to come down, making Wi-Fi a very
economical networking option and promoting inclusion of Wi-Fi in an ever-
widening selection of devices. Wi-Fi products are widely available in the
market. Different brands of access points and client network interfaces are
interoperable at a basic level of service. Products designated as Wi-Fi
CERTIFIED by the Wi-Fi Alliance are interoperable.

There are several advantages of Wi-Fi, as highlighted earlier, but all is not well in
the wireless networking scenario. There are several challenges confronting the
industry and hundreds of thousands of experts are working to solve these and
provide unhindered wireless access to users. Listed below are the noticeable
demerits of Wi-Fi networks.

■ The most significant shortcoming of Wi-Fi is the range. There are obvious
improvements in this aspect but still more work is needed. The signal needs
to be stronger to provide larger connectable spaces.

■ Radio wave conflicts. If Wi-Fi is used near other radiation emitting devices
such as microwave ovens and cordless phones, the resulting conflicts
between devices and networks tend to slow down the Wi-Fi device. In older
versions of Wi-Fi the conflicts were so high that, if the device was too near a
microwave, the data transfer would immediately stop. Additionally, some of
the wireless adapters work on the frequencies that are currently used by
many other wireless devices. This can cause serious interference, so the
connection performance can be quite poor.

■ Most public areas (airports, restaurants, etc.) do not use security modules,
making Wi-Fi users' data transfer unsafe. A lot of attention is being given to
this aspect as this is a major limiting factor in the widespread use of this
technology.

■ Wi-Fi technologies are power hungry. This presents a clear disadvantage for
users of laptops and other battery-dependent devices. The battery industry is
still trying to develop the technology which will enable manufacturing of long
lasting, compact sized and light weight batteries. If Wi-Fi consumes so much
electricity it would be a damper on the very concept of mobility because
users will have to look for the nearest power point if they wish to use Wi-Fi
Internet or any other applications over the network.

Broadband In general, broadband refers to telecommunication in which a wide band of
frequencies is available to transmit information. This means that information can
be multiplexed and sent on many different frequencies or channels within the
band concurrently, allowing more information to be transmitted in a given
amount of time (much as more lanes on a highway allow more cars to travel on it
at the same time).

The term "broadband" also, more commonly, refers to high-speed Internet access.
Broadband can be simply defined as a fast connection to the Internet that is
always on. It allows a user to send e-mails, surf the Web, download images and
music, watch videos, join a web conference, and much more.

Access is gained through one of the following methods: Digital Subscriber
Line (DSL), Cable Modem, Fiber optic and Wireless / Satellite.

Broadband access is faster than dial-up and different in the following ways:

■ Broadband service provides higher speed of data transmission, allowing
more content to be carried through the transmission "pipeline" in a given
unit of time.

■ Broadband provides access to the highest quality Internet service:
streaming media, VoIP (Internet phone), gaming, and interactive services.
Many of these current and newly developing services require the transfer of
large amounts of data, which may not be technically feasible with dial-up service.
Therefore, broadband service may be increasingly necessary to access the full
range of services and opportunities that the Internet can and will offer.

■ Broadband is always on: it does not block phone lines and there is no need to
reconnect to the network after logging off.

■ Less delay in transmission of content when using broadband.

Virtual Private Network As a business grows, it might expand to multiple offices across the country
and around the world. To keep things running efficiently, people working
in those locations need a fast, secure and reliable way to share information across
computer networks. In addition, travelling employees such as salespeople need an
equally protected and dependable way to connect to their business's computer
network from remote locations.

One prevalent technology to accomplish these goals is a VPN (virtual private
network). A VPN is a private network that uses a public network (usually the Internet) to
connect remote sites or users together. It uses "virtual" connections routed
through the Internet from the business's private network to the remote site or
employee. By using a VPN, businesses ensure security by means of data encryption,
scrambling the original message so that it can only be decrypted by a recipient
having the valid key; anyone else intercepting the encrypted data can't read it.
[Figure: a VPN connecting the Main Office with a Business Partner, a Remote Office, a Regional Office, a Home Office and a Mobile Worker]

119 Information Technology in Financial Services | Reference


Today, the Internet is more accessible than ever before, and Internet service
providers (ISPs) continue to develop faster and more reliable services at
lower costs than leased lines. To take advantage of this, most businesses
have replaced leased lines with new technologies that use Internet
connections without sacrificing performance and security. Businesses started
by establishing intranets, which are private internal networks designed for
use only by company employees. Intranets enabled distant coworkers to
work together through technologies such as desktop sharing (a common
name for technologies and products that allow remote access and remote
collaboration). By adding a VPN, a business can extend all its intranet's
resources to employees working from remote offices or their homes.

A VPN's purpose is providing a secure and reliable private connection
between computer networks over an existing public network, typically the
Internet. To summarize, a well-designed VPN provides a business with the
following benefits:

■ Extended connections across multiple geographic locations without
using a leased line

■ Improved security for exchanging data

■ Flexibility for remote offices and employees to use the business intranet
over an existing Internet connection as if they're directly connected to
the network

■ Savings in time and expense for employees to commute if they work
from virtual workplaces

■ Improved productivity for remote employees

A business might not require all these benefits from its VPN, but it should
demand the following essential VPN features:

■ Security - The VPN should protect data while it's traveling on the public
network. If intruders attempt to capture the data, they should be
unable to read or use it.

■ Reliability - Employees and remote offices should be able to connect to
the VPN with no trouble at any time (unless hours are restricted), and
the VPN should provide the same quality of connection for each user
even when it is handling its maximum number of simultaneous
connections.

■ Scalability - As a business grows, it should be able to extend its VPN
services to handle that growth without replacing the VPN technology
altogether.

Bluetooth The art of connecting nodes in a network is becoming more and more
complex every day. One exciting possibility is Bluetooth, which can streamline
the networking procedure. A Bluetooth connection is wireless
and automatic, and it has a number of interesting features that can
simplify lives. Bluetooth was conceived initially by Ericsson, before
being adopted by a countless number of other companies around the
world.

Bluetooth is a wireless technology that allows computers, phones and
other devices to talk to each other over short distances (up to 100
metres). Bluetooth uses radio waves and is designed to be a secure
and inexpensive way of connecting and exchanging information
between devices without wires. Because the devices use a radio
(broadcast) communications system, they do not have to be in visual
line of sight of each other.

Bluetooth exists in many products and devices, such as headsets,
modems, cell phones, watches, computers and computing equipment.
The technology is useful when transferring information between two
or more devices that are near each other in low-bandwidth situations.
Bluetooth is commonly used to transfer sound data with telephones
(i.e., with a Bluetooth headset) or byte data with hand-held
computers (transferring files). Ringtones and songs can also be
exchanged between mobile phones if both are bluetooth enabled.

Networking Issues With changing business settings and the extreme dependence of firms on
networks, it has become imperative for businesses to ensure that
there is no downtime. Downtime or outage duration refers to a
period of time during which a system is unavailable and fails to provide or
perform its primary services and functions. Downtime can be caused
by failure in hardware (physical equipment), software (logic
controlling equipment), interconnect equipment (such as cables,
facilities, routers), wireless transmission (wireless, microwave, satellite),
and/or capacity (system limits). Special attention and huge investments
are required to ensure that network services are always available.
However, regardless of size or number of employees, every company
experiences networking problems at one time or another. There are some
very common problems that can present themselves in any environment
that utilizes a networked system. Anticipating the most common problems
ahead of time and working to avoid them is the best way to reduce
delays and ensure a smooth networking experience.

One problem that may arise is the issue of a duplicate IP address. An IP
address is the address that the network uses to identify a specific
computer. Every PC - and laptop - possesses a unique IP address, but
sometimes two will receive the same one as the result of an error. When
this happens, communications problems arise and the
administrator or network engineer will need to change the address of one
of the computer terminals in order to fix the problem quickly and easily.
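As an added example (not code from the textbook) of how an administrator can spot the duplicate-IP conflict described above, the script below parses neighbour-table lines in the Linux `ip neigh show` format and reports any address claimed by more than one hardware (MAC) address; the sample lines are constructed.

```python
"""Detect duplicate IP addresses from neighbour-table observations.

Added example for the "duplicate IP address" issue; not code from the original
textbook. The input lines are constructed to mimic Linux `ip neigh show`
output (adapt NEIGH_RE for `arp -a` output or switch logs).
"""
import re
from collections import defaultdict

# Constructed sample: 192.168.1.20 is claimed by two different MAC addresses,
# which is exactly the conflict the text describes.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:0a STALE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:14 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE
192.168.1.30 dev eth0  FAILED
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:0a REACHABLE
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))?",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return (ip, mac) pairs; entries without a MAC (FAILED/INCOMPLETE) are skipped."""
    pairs = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("mac"):
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def find_duplicate_ips(text):
    """Map each IP seen with more than one MAC to the sorted list of MACs claiming it."""
    claims = defaultdict(set)
    for ip, mac in parse_neigh(text):
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def report(text):
    """Human-readable summary for the administrator who has to fix the conflict."""
    dups = find_duplicate_ips(text)
    if not dups:
        return "no duplicate IP addresses observed"
    lines = []
    for ip, macs in sorted(dups.items()):
        lines.append(f"CONFLICT {ip}: claimed by {len(macs)} hosts ({', '.join(macs)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NEIGH))
```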

Connectivity issues are among the most common
problems brought to the systems department of a
company. This can be due to a number of things, including
configuration changes or faults in the connectivity devices, such as
a switch or router. In the same spirit, there are
sometimes problems with the physical connections that link various types of computerized
equipment. Sometimes these physical
connections become broken, severed or simply short out. In the case of an
electrical short, signals may get disturbed or rerouted, causing networking
and/or other electrical problems.

Software problems can be the cause of networking problems as well. When all
of the physical possibilities have been eliminated, software malfunctions are a
possibility. A variety of configuration problems may be at the root of the
situation, such as those of the WINS or DNS variety. Registry problems may
also cause a networking issue, as well as a number of other software-related
possibilities.

If the network connectivity is unusually slow, this may be a sign of excessive
network collisions. This is sometimes the result of a network that's been poorly
planned or mapped out, or of a user transferring an inordinate amount of
information at one time, which floods the network. Slow connections and slow
data transfers may hamper the business performance and must be addressed
quickly by professionals.

Summary Computing power and potential can be harnessed much better if computers and
computing equipment are connected to allow sharing of data. An
interconnection of computers is called a computer network or simply a
network. Networks are important to all contemporary organizations because
they provide faster, easier access to any message or data that can be
represented and stored in digital format.

In many modern organizations, large distances separate coworkers, and data
sharing becomes a significant logistical problem in the absence of a network.
There are advantages to increased connections in a network; according to
Metcalfe's Law, the value of a network increases exponentially with the
number of nodes.

In addition to computers, it is common to find other devices in a network,
including routers, bridges, hubs, switches, etc. Distinguishing factors of these
devices are the level of device intelligence, security and

Communication across networks is carried on a medium which provides the
channel over which the message travels from source to destination. Common
media are metallic wires within cables, fiber optic cables and

Computers are obviously not inter-connected without a mechanism; they follow
a format and structural rules. The methods of physical interconnection are
called network topologies. Network topologies are categorized into the
following basic types: Bus, Ring, Star, Mesh, etc. More complex networks can
be built as hybrids of two or more of these basic

Networks are used on the basis of their scale and scope, preferences for
networking industries, and their design and implementation issues. LAN
and WAN are mostly known and used widely. A local area network (LAN) is a
computer network that connects computers and devices in a limited
geographical area such as a computer laboratory or office building. A wide
area network (WAN) is a telecommunications network, usually used for
connecting computers, that spans a wide geographical area.

Innovations of all kinds are being proposed to enhance networking
applications, and sharing Internet connections through networks is quickly
becoming one of the key advantages of networking. New developments
include maturity and increased use of VoIP, virtual private networks,
broadband services, etc.

Networking with all its benefits is not free of problems and challenges, and
these challenges must be effectively confronted. Some networking issues
include how to keep the downtime / unavailability to a minimum and how to
manage security issues such as hacking, threats of virus attacks, etc.
Solutions to these problems lie in the use of technologies such as encryption,
firewalls, etc. and in investment in policy making and training.


Part 5: Technology Based distribution channels/Networks in Financial Industry

In this part: Phone Banking/Call Center, Mobile Banking, Internet Banking, ATM, POS

Student Learning Outcome By the end of this chapter you should be able to:

■ Describe how Phone Banking/Call centers are operated

■ Differentiate between IVR and agent based call centers

■ List the common issues encountered in day to day operations of a call center

■ Define the term 'down time'

■ List the services being offered via phone banking both internationally and locally

■ Describe the recent developments pertaining to call center operations in Pakistan

■ Define mobile banking

■ Describe how mobile banking operates

■ List the common issues of mobile banking

■ Define the term 'down time' and explain its impact on the overall mobile banking service

■ List the recent developments pertaining to mobile banking in Pakistan

■ List the services being offered via mobile banking both internationally and locally

■ Discuss the working methodology of mobile banking

■ Recall the SBP regulation that applies to mobile banking

■ Explain the concept behind Internet banking

■ Discuss the working methodology of internet banking

■ List the common issues encountered in internet banking

■ Define the term 'down time' and explain its impact on the overall internet banking service

■ List the recent developments pertaining to internet banking in Pakistan

■ Define the term ATM

■ Describe how ATMs operate

■ List the common issues encountered in ATM operations

■ Define the term 'down time' and explain its impact on the overall ATM service

■ List the recent developments pertaining to ATM services in Pakistan

■ List the services being offered via ATMs both internationally and locally

■ Define POS

■ List the common issues encountered in POS operations

■ Define the term 'down time' and explain its impact on the overall POS service

■ List the recent developments pertaining to POS operations in Pakistan

■ List the services being offered via POS terminals both internationally and locally

■ Discuss the working methodology of a POS connection/terminal


With the recent advancements in information and communication
technologies, most notably the ubiquity of the Internet, organizations,
especially banks and financial institutions, have adopted non-traditional,
technology-based channels to market their products and services and reach
their customers. Adoption of these new channels has increased the reach
and richness of information sharing and the quality of services. These new
channels are independent of time and distance restrictions, making them
even more useful and valuable for organizations. The net result is the
popularity of branchless banking.



Branchless banking is a distribution channel strategy used for delivering
financial services without relying on bank branches. While the strategy may
complement an existing bank branch network by giving customers a
broader range of channels through which they can access financial services,
branchless banking can also be used as a separate channel strategy that
entirely forgoes bank branches.

Examples of branchless banking technologies are the Internet, automated
teller machines (ATMs), POS devices and mobile phones. Each of these
technologies serves to deliver a set of banking services and is part of the
distribution channels that may be used either separately or in conjunction to
form the overall distribution channel strategy.

Branchless banking comprises essentially the following elements:

■ Use of technology, such as payment cards or mobile phones, to identify
customers and record transactions electronically and, in some cases, to
allow customers to initiate transactions remotely

■ Use of (exclusive or nonexclusive) third-party outlets, such as offices
and small retailers, that act as agents for financial service providers and
that enable customers to perform functions that require their physical
presence, such as cash handling and customer due diligence for
account opening.

■ Offer of at least basic cash deposit and withdrawal in addition to
transactional or payment services

■ Backing of a government-recognized, deposit-taking institution, such as
a formally licensed bank

■ Structuring of the above so that customers can use these banking
services on a regular basis and without needing to go to branches
at all, if that's what they choose.

The key to success is not solely technological innovation, but integrity.
For branchless banking to work, it must be transparent and trusted by the
customer - whatever the model adopted. This requires a well thought-out
regulatory system & framework that offers protection for customers and
providers alike. The fierce debate about the relative merits of bank-led against
telecommunication (Telco)-led mobile services revolves around issues of
accessibility, security and customer protection.

Branchless banking is growing rapidly in Pakistan because it is more
customer friendly and easy to use. It gives customers a broader range
of channels through which they can access financial services like Bill
Payment and Money Transfer, and customers can open their own
mobile accounts.

Salient Features of SBP Branchless Banking Regulations The State Bank of Pakistan has issued Branchless Banking (BB)
Regulations, which are applicable to all banks including Islamic and
Microfinance banks, with a view to encouraging innovation and increasing
the outreach of the banking system. The SBP branchless banking
regulations were last amended in June 2011.
(http://www.sbp.org.pk/bprd/2011/C9-Enclosure-2.pdf)



The objectives of these Regulations are to define Branchless Banking
activities as a new delivery channel to offer banking services in a cost
effective manner; to broadly outline activities which constitute BB
and to provide a framework for offering BB services and to serve as a
set of minimum standards of data & network security, customer
protection and risk management to be followed by the banks
desirous to offer mobile banking services.

According to these regulations, only authorized Financial Institutions
(FIs) can provide Branchless Banking services. Permissible BB models
and activities have also been outlined together with the list of
possible services that may be offered.

As per these regulations, the ultimate responsibility for branchless
banking lies with the FI. The FI may, however, take steps it deems
necessary to safeguard itself against liabilities arising out of the
actions of its agents, service providers or partners.

These regulations also deal with consumer protection and consumer
awareness. Appropriate customer protection against risks of fraud,
loss of privacy and even loss of service is needed for establishing trust
among consumers, as trust and customer confidence is the single
most necessary ingredient for growth of BB. As banks will be dealing
with a large number of first-time customers with low financial literacy
level, they need to ensure that adequate measures for customer
protection, awareness and dispute resolution are in place.

Likewise, customer awareness is a key defense against fraud,
identity theft and security breach. A customer awareness program
should cover, at minimum, usage of the Branchless-Banking account,
account activities and protection against fraud, and SIM/account blocking
procedures in case the mobile is lost / snatched.

Some salient features of these regulations as quoted from the SBP's
Branchless Banking Regulations (Updated on June 20, 2011) are as
under:



Permissible Branchless Banking Models Only the bank-led model of branchless banking is allowed, which may be
implemented in different ways. Firstly, it can be implemented either by using
agency arrangements or by creating a joint venture between Bank and Telco/non-bank. Further,
mobile phone banking, which makes up a large part of branchless banking, can be
implemented by using one-to-one, one-to-many and many-to-many models.

One-to-one Model: In this model one bank offers mobile phone
banking services in collaboration with a specific Telco. As a
consequence, the services may only be offered to customers using
mobile connection of that specific Telco. This model can be JV-based
or implemented through specific agency agreements between the
Telco and the bank. It offers greater customization, good service
standards, possibility of co-branding and co-marketing. On the other
hand, it lacks in outreach as it is limited to the customers of one Telco
only.

One-to-many Model: In this model a bank offers mobile phone
banking services to customers using mobile connection of any Telco.
This model offers the possibility to reach any bankable customer
who has a mobile phone connection.

Many-to-many Model: In this model many banks and many telcos join
hands to offer services to virtually all bankable customers. Under this
system, a Third Party Service Provider (TPSP) is necessitated, which may
be controlled by an FI; or by a subsidiary owned and controlled
by an FI or a group of FIs; or by a third party under proper agency
agreement with Financial Institutions.

Branchless banking can also be done using agents other than Telcos (e.g.
Fuel distribution companies, Pakistan Post, chain stores etc.) and
technologies not limited to mobile phone (like GPRS, POS terminals).

Permissible Branchless Banking Activities Opening and maintaining a BB Account: A BB account can be opened and
operated by a customer with a bank through the use of BB channels. Banks may associate such
account to a particular branch or centralized branchless banking unit. Account capabilities/limits
are commensurate with the level of customer due diligence (CDD) procedures the customer has
undergone.

Account-to-account Fund Transfer: Customers can transfer funds
to/from their BB account from/to their other pre-registered
accounts (current/saving bank accounts, loan limit accounts, credit
accounts etc.)

Account-to-person Fund Transfer: Customers can
transfer funds from their BB account to other non-BB accountholders.
The transaction limits and KYC requirements apply.

Person-to-person Fund Transfer: Any person without a
BB account can also transfer funds to any other non-BB accountholder.
The limits and KYC requirements apply.



Cash-in and Cash-out: Customers can deposit and withdraw funds
to/from their BB account using a variety of options including bank-
branch counters, ATM machines and authorized agent locations.

Bill Payments: A BB account can also be used to pay utility bills
(e.g. Gas, Electricity, Phone etc.) However, the amount of payment of
utility bills shall not be counted as part of existing transaction limits
allowed to BB accountholders.

Merchant Payments: Customers can use a BB account to make
payments for purchases of goods and/or services.

Loan Disbursement/Repayment: FIs, particularly MFBs, may use BB
accounts as a means to disburse loan amounts to their borrowers
having BB accounts. The same accounts may be used by customers to
repay their loan installments.

Remittances: BB accounts may be used to send / receive remittances
subject to existing regulations.
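As an added illustration (not code from SBP or any bank) of two rules stated above, that account limits are commensurate with the customer's CDD level and that utility-bill payments are not counted against transaction limits, the check below authorizes BB transactions against a per-level daily cap; the level names and rupee figures are constructed placeholders, not the regulation's actual limits.

```python
"""Transaction-limit check for a branchless-banking (BB) account.

Added example, not code from SBP or any bank. CDD level names and rupee
figures are constructed placeholders; treating cash-in as an activity that
counts against the daily limit is also an assumption of this example.
"""
from datetime import date

# Constructed placeholder limits per CDD level (daily cap, per-transaction cap).
CDD_LIMITS = {
    "level_0": {"daily": 25_000, "per_txn": 10_000},
    "level_1": {"daily": 60_000, "per_txn": 25_000},
    "level_2": {"daily": 150_000, "per_txn": 50_000},
}

# Activities from the section above. Bill payments are exempt from the limits.
COUNTED = {"a2a_transfer", "a2p_transfer", "p2p_transfer", "cash_in", "cash_out",
           "merchant_payment", "loan_repayment", "remittance"}
EXEMPT = {"bill_payment"}


class BBAccount:
    def __init__(self, account_id, cdd_level):
        if cdd_level not in CDD_LIMITS:
            raise ValueError(f"unknown CDD level: {cdd_level}")
        self.account_id = account_id
        self.cdd_level = cdd_level
        self._used = {}  # ISO date string -> amount already counted that day

    def used_on(self, day):
        return self._used.get(day, 0)

    def remaining_on(self, day):
        return CDD_LIMITS[self.cdd_level]["daily"] - self.used_on(day)

    def authorize(self, txn_type, amount, day=None):
        """Return (approved, reason); approved counted transactions are recorded
        against the daily limit, exempt ones are not."""
        day = day or date.today().isoformat()
        if amount <= 0:
            return False, "amount must be positive"
        if txn_type in EXEMPT:
            return True, "bill payment: not counted against transaction limits"
        if txn_type not in COUNTED:
            return False, f"activity not permitted on a BB account: {txn_type}"
        limits = CDD_LIMITS[self.cdd_level]
        if amount > limits["per_txn"]:
            return False, (f"exceeds per-transaction limit {limits['per_txn']} "
                           f"for {self.cdd_level}")
        if amount > self.remaining_on(day):
            return False, f"exceeds daily limit; {self.remaining_on(day)} remaining"
        self._used[day] = self.used_on(day) + amount
        return True, "approved"


if __name__ == "__main__":
    acct = BBAccount("bb-0001", "level_0")
    for kind, amt in [("a2a_transfer", 10_000), ("bill_payment", 20_000),
                      ("cash_out", 20_000)]:
        print(kind, amt, acct.authorize(kind, amt, "2011-06-20"))
```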



Call Center / Phone Banking

Phone banking is a service provided by a financial institution, which
allows its customers to perform transactions over the phone.

Most telephone banking services use an automated phone answering
system with phone keypad response or voice recognition capability. To
guarantee security, the customer must first authenticate through a
password or through security questions asked by a live representative.
With the exception of cash withdrawals and deposits, phone banking
offers virtually all the features of an automated teller machine: account
balance information and list of latest transactions, electronic bill
payments, funds transfers between a customer's accounts etc.

Usually, customers can also speak to a live representative located in a
call centre or a branch, although this feature is not always guaranteed
to be offered 24/7. In addition to the self-service transactions,
telephone banking representatives can also fulfill customers' requests
regarding loan applications, cheque book orders, debit card
replacements, change of address, etc.

Banks which operate mostly or exclusively by telephone are known as
phone banks. Mostly, however, phone banking is an additional channel of
customer contact offered through call centers.

Phone banking requires a call center, which is a centralized location
for the purpose of receiving and transmitting a large volume of requests
by telephone. A call center may be operated by a company to
administer incoming product support or information inquiries from
bank consumers. Outgoing calls for telemarketing, product services,
and debt collection may also be made.

Some variations of call centre models are listed below based on purpose:

■ Contact centre - A contact centre, also known as customer
interaction centre, is a central point of any organization from which
all customer contacts are managed. Through contact centers,
valuable information about the company is routed to appropriate
people, contacts are tracked and data is gathered. It is
generally a part of a company's customer relationship management
(CRM). Today, customers contact companies by calling, emailing,
chatting online, visiting websites, faxing, and even instant messaging.

■ Inbound call centre - Exclusively or predominantly handles inbound
calls (calls initiated by the customer).

■ Outbound call centre - One in which call centre agents make
outbound calls to customers or sales leads. Can also be used
for recovery functions.



■ Blended call centre - Combining automatic call distribution for
incoming calls with predictive dialing for outbound calls, it makes
more efficient use of agent time as each type of agent (inbound or
outbound) can handle the overflow of the other. This also allows
for efficient resource and infrastructure utilization.

A call center can be independently operated or networked with
additional centers, often linked to a corporate computer network,
including mainframes, microcomputers and LANs. Increasingly, the voice
and data pathways into the center are linked through a set of new
technologies called computer telephony integration (CTI).

Computer Telephony Integration is a set of technologies for integrating
and managing computers and telephone systems. CTI enables the
telephone system to display information via the computer. A user with a
CTI-enabled computer will be able to dial the telephone, answer the
telephone, and hang up the telephone, all from their computer. CTI
also enables users to dial the phone from address
books stored on their computer. A CTI-enabled computer will also
display information from the telephone system, such as Caller-ID.

Today most major businesses use call centers to interact with their
customers. Examples include banks and financial firms, utility companies,
mail order catalogue retailers, manufacturers and retailers of consumer
products etc. Some businesses even service internal functions through
call centers. Examples of this include help desks for technology-related
in-house matters and support.

Interactive voice response - IVR Interactive voice response (IVR) is a technology that allows a computer
to interact with humans through the use of voice and telephone keypad
inputs. IVR allows customers to interact with a company's database via a
telephone keypad or by speech recognition, after which they can service
their own inquiries by following the IVR dialogue. IVR systems can
respond with prerecorded or dynamically generated audio to further
direct users on how to proceed.

Interactive Voice Response technology is primarily used to automate
customer centric business processes and relieve the pressure on human
agents handling incoming consumer calls.

IVR systems automate inbound call processing by retrieving information
according to the caller's requirements from enterprise databases that
are connected to the IVR systems. The IVR system contains hardware
and server software that can analyze touch-tone inputs and perform
signal processing for speech inputs to fulfill the caller's requirements.

Based on the information entered or spoken by the caller, the IVR
system allows the caller to perform self-service and access the required
data (e.g. a caller may wish to know the balance in his bank account), or
routes the caller to a particular agent group in the call center equipped
to handle such call requests. IVR technology is widely considered to be
the most prevalent technology in call centers next to Automatic Call
Distribution (ACD) technology. In computer telephony, an ACD is a
system that automatically distributes phone calls to a specific group of agent work stations. Such
systems are the backbone of any call center.

IVR technology has four primary functions in the call center of a
contemporary organization, or an outsourced call center for that
matter:

■ It routes the calls to the appropriate person or department based
on touch-tone or speech inputs made by the caller. For example, a
caller desirous of getting home loan information will be patched
through to a specific group of agents. Skills-based routing (SBR) is a
call-assignment strategy to assign incoming calls to the most
suitable agent, instead of simply choosing the next available agent.
The need for skills-based routing has arisen as call centers now deal
with a wider variety of call types.

■ It identifies and authenticates the caller and subsequently
pops the information onto the screen of the agent who will be
handling the call, using Computer-Telephony Integration (CTI) links. The
information is retrieved from the database connected to the
system. An example of this is the personal and account
information of an account holder in a bank.

■ It allows for segmentation and differentiation of the callers based on
the nature of the relationship of the calling party with the entity.
This allows for premium service in call handling; valuable
account holders may be handled by specially trained agents with
more flexibility and authority.

■ It provides an alternate experience for the caller for self-service
without having to talk to a human agent.



IVR is a key and preferred technology in most call centers in order to
reduce costs for a variety of reasons, some of which are outlined
below:

■ It automates customer interactions with the enterprise databases,
thus reducing live agent costs

■ It filters the inbound call traffic and smoothes the peaks and
troughs in the call center queue, thus adding a degree of
predictability to call volume modeling.

■ Advancements in speech technology increase the customer
friendliness of the underlying IVR system, thus increasing
customer satisfaction and customer retention in tough economic
times.

Call centers in banks and other contemporary organizations stand to
gain much from the effective usage of IVR for their customer service
operations, not just to reduce costs but also to increase customer
satisfaction and customer retention. Similarly, Call Center Outsourcing
companies today without exception include IVR technology in
their offerings and operations. It is through such personalized services
that they achieve high quality client servicing standards and help
their clients improve their market base.

Clients who have come across the IVR at the banks' call centers have
some concerns regarding the sound quality, the content and the style
in which the queries are dealt with. As useful as this service sounds,
it is all the more important to keep the following points in mind while
using this technology.

■ Avoid long menus. It is suggested to have not more than four to
five items on the menu. This helps the client to remember the
commands for each option and also saves time.

■ Use a script that explains well and does not deliver more than the
required information, i.e. it is not unnecessarily verbose.

■ Ensure the use of best quality software and professional help. A
professional voice recorded in a studio and uploaded with the best
software helps the client clearly understand the instructions.
Unfortunately most instructional voices are unprofessionally
recorded with a lot of noise.
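The four IVR functions listed earlier (routing, caller authentication with a CTI screen-pop, caller segmentation and self-service) and the "avoid long menus" guidance above, as an added example that is not code from the textbook or from any vendor's IVR. The customers, agents and menu are constructed sample data, and storing PINs as salted SHA-256 digests compared in constant time is this example's own choice.

```python
"""IVR dialogue skeleton: authenticate the caller, then self-serve or route the
call to the most suitable agent, passing a CTI screen-pop with the caller's record.

Added example, not code from the original textbook or any vendor's IVR.
Customers, agents and the menu are constructed sample data.
"""
import hashlib
import hmac
import os

MAX_PIN_ATTEMPTS = 3  # lock the account after this many wrong PINs


def hash_pin(pin, salt=None):
    """Return (salt, digest); the customer record stores these, never the PIN."""
    salt = salt or os.urandom(16)
    return salt, hashlib.sha256(salt + pin.encode()).digest()


def _customer(account, pin, name, segment):
    salt, digest = hash_pin(pin)
    return {"account": account, "salt": salt, "pin_hash": digest, "name": name,
            "segment": segment, "failed_attempts": 0, "locked": False}


# Constructed customer database keyed by account number.
CUSTOMERS = {
    "1001": _customer("1001", "2468", "A. Khan", "standard"),
    "1002": _customer("1002", "1357", "B. Ahmed", "premium"),
}

# Constructed agent pool: skills held and number of calls currently being handled.
AGENTS = [
    {"id": "ag-01", "skills": {"balance", "cards"}, "load": 2},
    {"id": "ag-02", "skills": {"home_loan"}, "load": 0},
    {"id": "ag-03", "skills": {"home_loan", "balance"}, "load": 1},
    {"id": "ag-04", "skills": {"balance", "premium"}, "load": 3},
]

# Main menu kept to four items, following the "avoid long menus" guidance;
# "1" is handled by self-service, the others are routed to an agent.
MENU = {"1": "balance", "2": "cards", "3": "home_loan", "0": "any"}


def authenticate(account, pin):
    """Verify account + PIN; lock the record after MAX_PIN_ATTEMPTS failures."""
    rec = CUSTOMERS.get(account)
    if rec is None or rec["locked"]:
        return False
    _, digest = hash_pin(pin, rec["salt"])
    if hmac.compare_digest(digest, rec["pin_hash"]):
        rec["failed_attempts"] = 0
        return True
    rec["failed_attempts"] += 1
    if rec["failed_attempts"] >= MAX_PIN_ATTEMPTS:
        rec["locked"] = True
    return False


def route(skill, segment="standard"):
    """Skills-based routing: the least-loaded agent holding the skill, not simply
    the next free agent. Premium callers are segmented to agents who also hold
    the 'premium' skill when one is available (load is not updated here)."""
    needed = set() if skill == "any" else {skill}
    pool = [a for a in AGENTS if needed <= a["skills"]]
    if segment == "premium":
        premium_pool = [a for a in pool if "premium" in a["skills"]]
        pool = premium_pool or pool  # fall back to any suitably skilled agent
    if not pool:
        return None
    return min(pool, key=lambda a: a["load"])["id"]


def handle_call(account, pin, keypress):
    """One IVR dialogue: authenticate, then self-serve or route with a screen-pop."""
    if not authenticate(account, pin):
        locked = account in CUSTOMERS and CUSTOMERS[account]["locked"]
        return {"outcome": "auth_failed", "locked": locked}
    rec = CUSTOMERS[account]
    choice = MENU.get(keypress)
    if choice is None:
        return {"outcome": "invalid_option"}
    # CTI screen-pop: what the agent's desktop shows when the call lands.
    screen_pop = {"account": account, "name": rec["name"], "segment": rec["segment"]}
    if choice == "balance":
        return {"outcome": "self_service", "service": "balance", "screen_pop": screen_pop}
    agent = route(choice, rec["segment"])
    if agent is None:
        return {"outcome": "no_agent", "screen_pop": screen_pop}
    return {"outcome": "routed", "agent": agent, "screen_pop": screen_pop}


if __name__ == "__main__":
    print(handle_call("1002", "1357", "3"))
    print(handle_call("1001", "0000", "1"))
```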

Call Center problems Banks' call centers are at the front line of customer service. While
increasing the automation of a call center theoretically
improves efficiency, it can also increase the attrition rate of
employees. Automated technology is typically designed to allow call
center agents to handle more calls in an hour by reducing the
amount of time spent on the phone with each client and reducing the
amount of idle time between each call. This, however, can increase
stress levels. In short, many things can stand in the way of
optimum service provision. Some obvious problems faced by call
centers facilitating phone banking are presented below:
1. Agent absenteeism
According to benchmarking firm Dimension Data (www.dimensiondata.com), the
average annual absence rate in call centers across the globe is more than 11%.
To the layperson, this might not seem particularly high. But the harsh reality is
that a 100-seat call centre with 11% absenteeism will only have an average of 89
seats occupied at any one time. Since there are fewer staff available to handle
customer interactions, wait queues tend to increase and agents are put under
pressure to spend less time on each call. Over extended periods of time,
absenteeism can impact on staff morale and may even foster similar behavior in
remaining staff.

2. Staff attrition
High staff turnover can negatively impact on call centre quality because every
time a trained agent leaves, fewer are on hand to ensure an optimum level of
service. In addition to this, there are heavy costs associated with recruiting, hiring,
training and developing new staff - not to mention the costs associated with the
dip in productivity that is inevitable as new recruits climb on the learning curve.

3. Flat structures
Call centers are inherently flat structured, with few supervisors (or just one at times)
overseeing sometimes hundreds of agents of equal status. Consequently, career
prospects are often limited - a situation that has become more acute in periods
of recession. Banks risk losing their best people to competitors if they fail to
provide adequate career opportunities. Talented staff might also become
demotivated when no future growth is in sight.

4. Mandatory cost-cutting
Tight budgets have been a continuing problem for call centers, primarily due to
the high costs associated with establishing, managing and staffing them. The issue
gets severe in years of global recession. In many cases senior executives no longer
regard call centre efficiency savings as optional; instead, they are demanding them
as standard.

5. Poor first-call-resolution rates
Customers want to have their issue resolved in one contact. First-call resolution
(FCR) is widely regarded as the single most important factor for achieving
customer satisfaction in the call centre. However, as today's customers tend to ring
with increasingly complex queries, it isn't always possible to provide an immediate
answer. If callers end up having to speak to several agents regarding a single
enquiry, the customer experience becomes diluted and satisfaction levels plunge.

6. Poor integration
Today's call centers are flooded with software, ranging from predictive dialers, CRM
databases and workforce management tools through to order processing
platforms, credit card security applications and automated voice response systems.
Call centre agents can be faced with more than ten different software systems. Each
application is designed to perform a specific task. Agents often find it tricky to navigate
the maze of different systems, which has detrimental effects on their productivity on the
one hand, and on the other creates compatibility and interoperability
issues. Moreover, technologies are interconnected and interdependent,
and failure of one in the chain may render others inoperative.


7. The proliferation of communication technologies
Today consumers don't just use the phone or white mail
(correspondence received from customers in their own envelope
rather than in an envelope provided by the marketer; white mail
generally contains address-change requests, complaints, inquiries etc.)
to get their message across. They make themselves heard through
email, text and countless social media channels such as Facebook and
Twitter. Because consumers are using these mediums to communicate
in their personal lives, it is inevitable that they now expect to be able
to conduct their business interactions in the same way. The problem,
of course, is that call centers struggle to keep up. They have
difficulties identifying which channels they should focus on and often
don't have the capabilities available to manage the different channels
effectively.

Downtime

Call centers can't afford downtime, i.e. the duration during which their
services are not available. Downtime can cause substantial immediate
and direct financial losses to the business in addition to lost opportunities
and unsatisfied customers. Because of the customer-facing nature of
contact centers, downtime may result in extensive lost revenue and,
potentially more damaging, the loss of customers to rivals.

Downtimes may be planned or unplanned. Planned downtimes are
necessary for upgrade and maintenance activities and can be
scheduled for non-peak hours. Consequently they cause less damage
if announced to customers days or weeks in advance. Unplanned
downtimes are almost always the result of accidents and disasters and
are uncontrollable and unpredictable. However, call centers generally
have disaster recovery and business continuity plans to mitigate the
impact of accidents and disasters.

Virtual Queuing

Call centre technology has evolved tremendously over the last decade.
Some of these technologies include speech recognition software to
allow computers to handle the first level of customer support, text mining
and natural language processing to allow better customer handling,
and many other technologies to improve agent productivity and
customer satisfaction. One such innovative concept is that of virtual
queues. Virtual queues provide callers with an alternative to waiting
on hold when no agents are available to handle inbound calls.

Call centers generally use an Automatic Call Distributor (ACD) to
distribute incoming calls to agents in the center. ACDs hold queued
calls in First-In-First-Out order until agents become available. From
the caller's perspective, without virtual queuing they have only two
choices: wait until an agent resource becomes available, or abandon the
call (hang up) and try again later. From the call center's perspective, a
long queue results in many abandoned calls, repeat attempts, and
customer dissatisfaction.


The latest technology-based virtual queuing systems allow customers to receive callbacks
instead of waiting in an ACD queue. Customers who opt for a callback are prompted to
enter their phone number and then hang up the phone. A "virtual placeholder" maintains
the customer's position in the queue. The customer receives a call when their turn comes.
Virtual queuing impacts call center performance in many ways. Queue time
is normally measured as Average Speed-to-Answer (ASA). When callers are
offered the option to receive a callback, the acceptance rates are
typically 45% to 55%. Therefore, about half of the calls that would normally queue
for 5 to 10 minutes will now only accrue a speed-to-answer (ASA) of
approximately 10 seconds. Since callers cannot abandon while in a virtual queue, the
overall number of abandoned calls will decrease. All in all, virtual queuing can result in better
customer experiences and improved contact center operations.
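To make the queue arithmetic above concrete, here is an added simulation (not from the book) of a FIFO ACD with and without a virtual queue, run over a constructed call load; the agent count, call spacing, caller patience and the 10-second callback offer point are assumptions:

```python
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    arrival: float          # seconds after the simulation starts
    handle: float           # agent talk time in seconds
    patience: float         # seconds the caller tolerates on hold before hanging up
    accepts_callback: bool  # would take the virtual-queue offer if one is made


@dataclass
class Result:
    answered: int = 0
    abandoned: int = 0
    callbacks: int = 0
    hold_seconds: float = 0.0   # on-phone waiting time of answered callers

    @property
    def asa(self) -> float:
        """Average Speed-to-Answer over answered calls."""
        return self.hold_seconds / self.answered if self.answered else 0.0


def simulate(calls, agents: int, virtual_queue: bool, offer_after: float = 10.0) -> Result:
    """FIFO ACD with a fixed agent pool.

    Without virtual queuing a caller either waits for the next free agent or
    abandons once the wait exceeds their patience.  With it, a caller who
    accepts the callback offer (made after `offer_after` seconds on hold)
    hangs up, a placeholder keeps their FIFO position and they cannot
    abandon; their on-phone wait is only the `offer_after` seconds.
    """
    free_at = [0.0] * agents      # min-heap of the time each agent becomes free
    heapq.heapify(free_at)
    res = Result()
    for c in sorted(calls, key=lambda c: c.arrival):
        start = max(c.arrival, free_at[0])   # FIFO: next agent to free up
        wait = start - c.arrival
        if virtual_queue and c.accepts_callback and wait > offer_after:
            res.callbacks += 1
            res.hold_seconds += offer_after
        elif wait > c.patience:
            res.abandoned += 1
            continue                          # slot passes to the next caller
        else:
            res.hold_seconds += wait
        res.answered += 1
        heapq.heapreplace(free_at, start + c.handle)
    return res


def sample_calls():
    """Constructed, deterministic load: a call every 30 s, 5-minute handle time,
    400 s patience, every second caller willing to take a callback."""
    return [Call(30.0 * i, 300.0, 400.0, i % 2 == 1) for i in range(20)]


def compare(agents: int = 2):
    """Same load with hold-only queuing and with virtual queuing enabled."""
    return simulate(sample_calls(), agents, False), simulate(sample_calls(), agents, True)


if __name__ == "__main__":
    plain, virtual = compare()
    for label, r in (("hold only", plain), ("virtual queue", virtual)):
        print(f"{label:14s} answered={r.answered:2d} abandoned={r.abandoned:2d} "
              f"callbacks={r.callbacks} ASA={r.asa:.1f}s")
```

With this load the hold-only run answers 8 of 20 calls at an ASA of 255 s, while the virtual-queue run answers 12 at an ASA of 27.5 s; note that the callers who stay on hold now wait longer, because placeholders keep their place ahead of them.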

Virtual Call Centers

With the advent of the Software as a Service (SaaS) technology delivery model,
virtual call centers have emerged. In a virtual call centre model, the call centre operator (i.e.
the client bank/organization) does not own, operate or host the equipment that the call
centre runs on. Instead, they subscribe to a service, for a monthly or annual fee, from a service
provider that hosts the call centre telephony equipment in its own data centers. Such a
vendor may host many call centers on the same equipment. Agents (on the client organization's payroll)
connect to the vendor's equipment through traditional PSTN (public switched telephone network)
lines, or over Voice over IP. Calls to and from prospects or contacts originate from or terminate
at the vendor's data centre, rather than at the call centre operator's premises. The vendor's telephony
equipment then connects the calls to the call centre operator's agents. The obvious advantage of
this latest technology-backed development is the substantial savings achieved by banks as they do not
have to invest in the development and maintenance of datacenters. This trend is an example of
outsourcing.

Call Centers in Pakistan

Call centers began to emerge in Pakistan in the late 90s, with foreign investments
made in this area after ventures in neighbouring India met huge
successes. Many Pakistanis are able to understand English with reasonable ease and can
speak the language in a comprehensible accent, which is a huge advantage over people of
other countries in the region. Jobs were created and the latest technology found its way into the
country. While there were isolated success stories, the overall state of affairs was more hype
than concrete reality. The reasons why call centers as an outsourcing model were not a huge
success were many, ranging from the global recession to in-house inconsistencies in
government; lack of investors' expertise and ability to sustain till critical mass was achieved. Not
so great communications technology infrastructure and political instability also played their
roles.

Despite only mediocre success in call center outsourcing, multinational and large
(even mid-sized) companies in Pakistan have successfully created their in-house self-managed
call centers. These companies include local and foreign banks, FMCGs, motor companies and
utility services providers etc.


Mobile Banking

The advent of the Internet revolutionized the way the financial service industry conducted
its business. It empowered organizations with new business models and new ways
to offer non-stop accessibility to their customers. The ability to offer financial transactions
online has also created new players in the financial services industry, such as online banks,
online brokers and wealth managers who offer personalized services. Mobile devices,
especially smart phones, are the most promising way to reach the masses and to create
"stickiness" (hooking customers by ensuring excellent services and periodic updates) among
current customers. Their ability to provide services anytime, anywhere, their high
rate of penetration and their potential to grow have made them a dominating force in the world
of e-banking.

Financial institutions have been on a quest to satisfy their customers' need for more and
more convenience. Internet banking in the mid-1990s enabled consumers to access their
financial accounts using a home computer with an Internet connection. Yet banking at the
living room computer still has some serious limitations. The biggest issue is mobility. Even
with a laptop, it's almost impossible to stay connected in virtually any location on the
planet.

Not so with mobile phones. They can be carried anywhere. If mobile phones only
delivered voice data, then their use as a vehicle to deliver banking services would be
limited. Most phones, however, also provide text-messaging capabilities, and a growing
number are Web-enabled. That makes the mobile phone an ideal medium through
which banks can deliver a wide variety of services.

Mobile Banking (also known as M-Banking, mbanking, SMS Banking) refers to the provision
and availability of banking and financial services with the help of mobile
telecommunication devices, even when users are miles away from their nearest branch or
home computer. The scope of offered services may include facilities to conduct bank and
stock market transactions, to administer accounts and to access customized information.
Through mobile banking, one can check account balances, complete account transactions,
make payments on time etc. via a mobile device such as a mobile phone. Most customers
use mobile banking through SMS or the mobile Internet. Some financial institutions take
up another method to provide mobile banking to their customers. They have customers
download special software on their mobile phones which acts as a client for the mobile
banking services.

For consumers, mobile banking is about convenience: the ability to check account
balances, pay bills and transfer funds from a device they take with them everywhere. For
financial institutions, it is a means to deepen customer relationships, streamline
operations and cut costs. Mobile banking is growing at a very fast pace and may soon
become the primary channel for banks to connect with their customers and vice versa.
The amount of banking possible on a cell phone varies depending on the specific banking
institution. Some banks offer only the option of text alerts, which are messages sent to
cell phones that alert the customers regarding transactions and activities such as
deposits, withdrawals, and ATM or credit card use. This is the most basic type of mobile
banking.

A more involved type of mobile banking allows the user to log into his or her account
from a cell phone, and then use the phone to make payments, check balances, transfer
money between accounts, notify the bank of a lost or stolen credit card, stop payment
on a check, receive a new PIN, or view a monthly statement, among other transactions.
This type of banking is meant to be more convenient for the consumer than having to
physically go into a bank, log on from their home computer, or make a phone call.
While all of this is true, some are concerned about the security of mobile banking.

SMS - Architecture Diagram

Banks classify mobile-phone services based on how information flows. A pull transaction is
one in which a mobile phone user actively requests a service or information from the bank. For
example, inquiring about an account balance is a pull transaction. So is transferring funds,
paying a bill or requesting a transaction history. Because banks must respond with some
action based on the user request, pull transactions are considered two-way exchanges.

A push transaction, on the other hand, is one in which the bank sends information based
on a set of rules. A minimum balance alert is an example of a push transaction.
Similar alerts can be sent whenever there is a debit transaction or a bill payment. As
these examples illustrate, push transactions are generally one way, from the bank to the customer.

Mobile banking can also be classified based on the nature of the service. Transaction-
based services, such as a funds transfer or a bill payment, involve movement of funds from
one source to another. Inquiry-based services don't. They simply require a response to a user
query, e.g. a balance inquiry query.



Clearly, push transactions are not as complex as their pull counterparts. Mobile
banking solutions also vary in their degree of complexity, and some only offer a
fraction of the services generally found in a bricks-and-mortar branch. In this
respect, mobile banking isn't always full-service banking. The factors that affect this
are the type of phone being used, the service plan of the mobile subscriber and the
technology framework of the bank.

Advanced Mobile Banking Technologies

There are two approaches to setting up mobile banking.

Wireless Application Protocol (WAP)

WAP is the technology architecture that makes accessing Internet pages possible
from a mobile phone. It includes the concepts of browsers, servers, URLs and
gateways.

WAP provides a user experience that echoes Internet banking conducted on a home
computer. This is an attractive feature to many banks, who also appreciate the fact
that customers don't have to download any proprietary software to enjoy robust
access to a full line of services and transactions.

WAP banking does have its disadvantages:

■ The browsers that run on mobile phones must work on a very small screen. As a
result, banks must create "mobile-friendly" sites that work more efficiently in
cramped quarters, i.e. mobile phone screens. Even with such accommodations,
the number of clicks required to

■ WAP banking requires a smart phone or a PDA, but such devices represent
less than (perhaps only) 10 percent of the phones in use. Even if a customer has
a WAP-enabled phone, he or she can elect not to sign up for the more costly
data plans required for Internet access.

■ Mobile phones lack the level of anti-virus and personal firewall protection that is now
considered standard on PCs. Research is underway in

Standalone Mobile Application

Some banks are now providing a downloadable client that mobile
users use to access bank services. These mobile applications provide
a reliable channel and enable users to conduct even complex
transactions. Banks are also able to customize the interface
and brand it accordingly.

While this model likely represents the future of mobile banking,
it has some issues. First, users are forced to download, install and
learn a proprietary application. Not only that, the application must be customized to
each mobile phone on which it will reside, greatly increasing development costs. And
just like the mobile browsers used in WAP banking, these standalone applications are
vulnerable to attack, have limited availability and can only accommodate customer-
initiated communication.

As a financial institution prepares for the mobile banking revolution, it must weigh
the advantages and disadvantages of these various solutions to decide which one best
meets the needs of its customers and its technology infrastructure.

SMS Mobile Banking Applications (diagram: bank, SMS service provider)

The benefits of convenience are undeniable, but there are a number of challenges and
disadvantages that mobile banking users should be aware of. The technology's cost,
compatibility issues and security problems can cause second thoughts. Key challenges
in developing a mobile banking application are:

Handset operability
There are a large number of different mobile phone devices and it is a challenge
for banks to offer a mobile banking solution on any type of device. Some of these
devices support Java ME and others support SIM Application Toolkit, a WAP browser,
or only SMS.

Security
Security of financial transactions being executed from some remote location, and
the transmission of financial information over the air, are the
most complicated challenges that need to be addressed jointly by
mobile application developers, wireless network service providers and
the banks' IT departments.

The following aspects need to be addressed to offer a secure
infrastructure for financial transactions over a wireless network:

1. Physical part of the hand-held device. If the bank is offering
smart-card based security, the physical security of the device is
more important.

2. Security of any thick-client (full-featured devices that are
connected to a network) application running on the device. In
case the device is stolen, the hacker should require at least an
ID/Password to access the application.

3. Authentication of the device with the service provider before initiating
a transaction. This would ensure that unauthorized devices are
not connected to perform financial transactions.

4. User ID / Password authentication of the bank's customer.

5. Encryption of the data being transmitted over the air.

6. Encryption of the data that will be stored in the device for later / off-
line analysis by the customer.

One-time passwords (OTPs) are the latest tool used by financial and
banking service providers in the fight against cyber fraud. Instead of
relying on traditional memorized passwords, OTPs are requested by
consumers each time they want to perform transactions using the
online or mobile banking interface. When the request is received the
password is sent to the consumer's phone via SMS. The password
expires once it has been used or once its scheduled life-cycle has
expired.
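An added example, not from the book, of the OTP life-cycle described above: a hypothetical bank-side OtpService that binds each code to the customer and transaction it was issued for, stores only an HMAC of the code, and rejects reuse, expired codes and repeated wrong guesses. The server key, the 120-second life-cycle and the three-attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # scheduled life-cycle of a code (assumed value)
MAX_ATTEMPTS = 3        # wrong guesses tolerated before the code is locked


@dataclass
class OtpRecord:
    digest: bytes        # HMAC of (context, code); the code itself is never stored
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Hypothetical bank-side OTP issuer/verifier (added example)."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock            # injectable so expiry can be tested
        self._store: dict[str, OtpRecord] = {}

    def _digest(self, context: str, code: str) -> bytes:
        # Binding the code to the customer and the exact transaction means a
        # code obtained for one transfer cannot authorise a different one.
        return hmac.new(self._key, f"{context}|{code}".encode(), hashlib.sha256).digest()

    def issue(self, context: str) -> str:
        """Create a fresh code for this transaction; the return value goes to the SMS gateway."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._store[context] = OtpRecord(self._digest(context, code),
                                         self._clock() + OTP_TTL_SECONDS)
        return code

    def verify(self, context: str, code: str) -> str:
        """Return 'ok' or the reason the code was rejected."""
        rec = self._store.get(context)
        if rec is None:
            return "no_otp"
        if rec.used:
            return "already_used"      # expired on first use
        if self._clock() > rec.expires_at:
            del self._store[context]   # expired by life-cycle
            return "expired"
        if rec.attempts >= MAX_ATTEMPTS:
            return "locked"
        rec.attempts += 1
        if not hmac.compare_digest(rec.digest, self._digest(context, code)):
            return "mismatch"
        rec.used = True
        return "ok"


class FakeClock:
    """Constructed clock so the demo can advance time without sleeping."""
    def __init__(self, now: float = 1_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


def demo() -> list[str]:
    """Walk one constructed transaction through the rules; returns the verify outcomes."""
    clock = FakeClock()
    svc = OtpService(b"constructed-demo-key", clock)
    ctx = "cust=1001|transfer|amount=50000|to=PK00DEMO"      # constructed context
    other = "cust=1001|transfer|amount=99999|to=PK00DEMO"
    code = svc.issue(ctx)
    out = [svc.verify(ctx, code), svc.verify(ctx, code)]      # ok, then already_used
    code = svc.issue(ctx)
    clock.now += OTP_TTL_SECONDS + 1
    out.append(svc.verify(ctx, code))                         # expired
    code = svc.issue(ctx)
    svc.issue(other)
    out.append(svc.verify(other, code))                       # mismatch: bound to ctx
    wrong = "000000" if code != "000000" else "999999"
    for _ in range(MAX_ATTEMPTS + 1):
        out.append(svc.verify(ctx, wrong))                    # 3 x mismatch, then locked
    return out


if __name__ == "__main__":
    print(demo())
```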

Because of the concerns made explicit above, it is extremely
important that SMS gateway providers can provide a decent quality
of service for banks and financial institutions in regard to SMS
services. Therefore, the provision of service level agreements (SLAs) is
a requirement for this industry; it is necessary to give the bank
customer delivery guarantees of all messages, as well as
measurements on the speed of delivery, throughput, etc. SLAs give
the service parameters in which a messaging solution is guaranteed
to perform.

Scalability & Reliability

Another challenge for the banks is to scale up the mobile banking
infrastructure to handle exponential growth of the customer base.
With mobile banking, the customer may be sitting in any part of the
world (true anytime, anywhere banking) and hence banks need to
ensure that the systems are up and running in a true 24 x 7 fashion.
As customers find mobile banking more and more useful, their
expectations from the solution will increase. Banks unable to meet the
performance and reliability expectations may lose customer
confidence.

Application distribution
Due to the nature of the connectivity between a bank and its
customers, it would be impractical to expect customers to regularly
visit banks or connect to a web site for regular upgrades of their
mobile banking application. It will be expected that the mobile
application itself checks for upgrades and updates and downloads the
necessary patches (so called "Over the Air" updates). However, there
could be many issues in implementing this approach, such as upgrade /
synchronization of other dependent components.

Mobile banking in the world

Mobile banking is used in many parts of the world with little or no
infrastructure, especially remote and rural areas. This aspect of mobile
banking is also popular in countries where most of the population is
unbanked. In most of these places, banks can only be found in big
cities, and customers have to travel hundreds of miles to the nearest
bank.

In Iran, banks such as Tejarat, Mellat and Bankmelli offer the service.
Banco Industrial provides the service in Guatemala. Citizens of Mexico
access mobile banking with Omnilife, Bancomer and MPower Venture.
Kenya's Safaricom has the M-Pesa Service, which is mainly used to
transfer limited amounts of money, but increasingly used to pay bills
as well. In Somalia, the many telecom companies provide mobile banking,
the most prominent being Hormuud Telecom.

Telenor Pakistan has also launched a mobile banking solution, in
coordination with Taameer Bank, under the label Easy Paisa, which
began in Q4 2009. Eko India Financial Services, the business
correspondent of State Bank of India (SBI) and ICICI Bank, provides
accounts, deposit, withdrawal and remittance services. Dutch-Bangla
Bank (www.dutchbanglabank.com) launches the very first

Automatic Teller Machines

An Automated Teller Machine (ATM) is a computerized
telecommunications device that provides the clients of a financial
institution with access to financial transactions in a public place without
the need for a cashier, human clerk or bank teller. ATMs are known by
various other names including Cash Point, automatic banking machine,
cash machine, and various regional variants derived from trademarks on
ATM systems held by particular banks.

Invented by IBM, the first ATM was introduced in December 1972 at
Lloyds Bank in the UK; however, some trial implementations had been
done in the late 1960s. On most modern ATMs, the customer is identified by
inserting a plastic ATM card with a magnetic strip or a plastic smart card
with a chip that contains a unique card number and some security
information such as an expiration date or CVVC (Card Verification Value
Code, which is used for credit or debit card transactions, providing increased
protection against credit card fraud). Authentication is provided by the
customer entering a personal identification number (PIN). Users may also
biometrically authenticate via their fingerprint, voiceprint, or iris scan.

Using an ATM, customers can access their bank accounts in order to
make cash withdrawals, credit card cash advances, check their account
balances and obtain mini-statements of the last few transactions. In many
countries mobile phone airtime can also be purchased and payments
can be made for vending machine purchases.

Most ATMs are connected to interbank networks enabling people to
withdraw and deposit money from machines not belonging to the bank
where they have their account or in the country where their accounts are
held (enabling cash withdrawals in local currency). Examples of interbank
networks in Pakistan include One-link and Mnet.

An interbank network, also known as an ATM consortium or ATM
network, is a network that connects the ATMs of different banks and
permits these ATMs to interact with the ATM cards of non-native banks.

While interbank networks provide capabilities for all ATM cards within
the same network to use other banks' ATMs that belong to the same
network, the services vary. For instance, when a person uses his ATM
card at an ATM that does not belong to his bank, the basic services,
such as balance inquiries and withdrawals, are usually available. However,
special services, such as obtaining a mini-statement, may not be
available to ATM cardholders of banks other than the ATM cardholders
of the acquirer (the bank that owns the ATM). Furthermore, banks may
charge a fee from users of cards that do not come from their own bank
(in addition to any fees imposed by the bank of the card the person is
using). Interbank networks are convenient because people can access the
ATMs of other banks who are members of the network when their own
bank's ATM is unavailable.

ATMs rely on authorization of a financial transaction by the card
issuer or other authorizing institution via the communications
network. This is often performed through an ISO 8583 messaging
system.

A card-based transaction typically travels from an ATM, through a
series of networks, to a card issuing system for authorization against
the card holder's account. The transaction data contains information
derived from the card (e.g. the account number), the transaction
amount together with other data which may be generated
dynamically or added by intervening systems. The card issuing system
will either authorize or decline the transaction and generate a response
message which must be delivered back to the terminal in a timely
manner. ISO 8583 defines a message format and a communication
protocol so that different systems can exchange these transactions.
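As an added example (not the book's code) of the request/response exchange described above, a minimal ASCII ISO 8583 builder and parser covering a common subset of data elements, plus an issuer-side authoriser that answers a 0200 financial request with a 0210 response; the sample PAN, terminal id, amounts and balances are constructed, and real switches use many more fields and a secondary bitmap.

```python
# Data element -> (encoding, length). FIXED = fixed length; LLVAR = 2-digit length prefix.
FIELDS = {
    2: ("LLVAR", 19),   # Primary Account Number (PAN)
    3: ("FIXED", 6),    # processing code, e.g. 010000 = cash withdrawal
    4: ("FIXED", 12),   # amount in minor units, zero padded
    7: ("FIXED", 10),   # transmission date/time MMDDhhmmss
    11: ("FIXED", 6),   # systems trace audit number (STAN)
    37: ("FIXED", 12),  # retrieval reference number
    39: ("FIXED", 2),   # response code: 00 approved, 51 insufficient funds
    41: ("FIXED", 8),   # card acceptor terminal id
    49: ("FIXED", 3),   # currency code (586 = PKR)
}


def build(mti: str, fields: dict) -> str:
    """MTI + 64-bit primary bitmap (hex) + data elements in ascending order."""
    bitmap, body = 0, []
    for num in sorted(fields):
        kind, limit = FIELDS[num]              # KeyError: unsupported element
        value = str(fields[num])
        if kind == "FIXED" and len(value) != limit:
            raise ValueError(f"DE{num}: expected {limit} chars")
        if kind == "LLVAR":
            if len(value) > limit:
                raise ValueError(f"DE{num}: longer than {limit}")
            value = f"{len(value):02d}{value}"
        bitmap |= 1 << (64 - num)             # bit 1 is the most significant bit
        body.append(value)
    return f"{mti}{bitmap:016X}{''.join(body)}"


def parse(msg: str):
    """Inverse of build(); rejects anything this subset cannot account for."""
    if len(msg) < 20:
        raise ValueError("too short for MTI + primary bitmap")
    mti, bitmap, rest = msg[:4], int(msg[4:20], 16), msg[20:]
    if bitmap & (1 << 63):
        raise ValueError("secondary bitmap not supported")
    fields, pos = {}, 0
    for num in range(2, 65):
        if not bitmap & (1 << (64 - num)):
            continue
        if num not in FIELDS:
            raise ValueError(f"DE{num} present but not supported")
        kind, length = FIELDS[num]
        if kind == "LLVAR":
            length = int(rest[pos:pos + 2])
            pos += 2
        value = rest[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"DE{num} truncated")
        fields[num] = value
        pos += length
    if pos != len(rest):
        raise ValueError("trailing data after last element")
    return mti, fields


def mask_pan(pan: str) -> str:
    """First six and last four digits only, the usual form for logs and receipts."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def authorize(request: str, balances: dict) -> str:
    """Issuer-side decision: echo the 0200 as a 0210 carrying a response code."""
    mti, req = parse(request)
    if mti != "0200":
        raise ValueError("not a financial request")
    pan, amount = req[2], int(req[4])
    available = balances.get(pan, 0)
    code = "00" if available >= amount else "51"
    if code == "00":
        balances[pan] = available - amount
    echoed = {n: req[n] for n in (2, 3, 4, 7, 11, 37, 41, 49) if n in req}
    return build("0210", {**echoed, 39: code})


def sample_request() -> str:
    """Constructed withdrawal of PKR 500.00 at terminal ATM00001 (test PAN, not a real card)."""
    return build("0200", {
        2: "4111111111111111", 3: "010000", 4: "000000050000",
        7: "0315103000", 11: "000123", 37: "000000000123",
        41: "ATM00001", 49: "586",
    })


if __name__ == "__main__":
    req = sample_request()
    resp = authorize(req, {"4111111111111111": 100000})
    print(req)
    print(resp, parse(resp)[1][39], mask_pan(parse(req)[1][2]))
```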

ATMs typically connect directly to their host or ATM Controller (a
system used in financial institutions to route financial transactions
between ATMs, core banking systems and other banks) via either an
ADSL or dial-up modem over a telephone line or directly via a leased
line. Recently high-speed Internet VPN connections are also becoming
more ubiquitous.

ATM Components

An ATM is typically made up of the following hardware
components: CPU (to control the user interface and transaction
devices), magnetic and/or chip card reader (to identify the customer),
encrypting PIN pad (EPP), display, function key buttons (usually close
to the display) or a touch screen (used to select the various aspects
of the transaction), slip printer (to provide the customer with a record
of their transaction) and cash cartridges enclosed in a vault.

ATM Security

Millions of ATM transactions are successfully carried out every day
around the world without problems or interference by criminals and fraudsters.
The ATM has been used safely for over four decades and has a good
safety and service record throughout that period. However, there have
been instances of burglary and fraud that have prompted banks to take
necessary safety precautions.

Identification of security risks and mitigation of them through a planned
mechanism is necessary to ensure that the ATMs are always available,
meaning that there is no downtime. Non-availability of ATMs for any
reason can irritate customers, decreasing their satisfaction level, which
may ultimately result in customer loss.

Physical Security
Early ATM security focused on making the ATMs invulnerable to physical
attack; they were effectively safes with dispenser mechanisms. A
number of attacks on ATMs resulted, with thieves attempting to steal
entire ATMs by ram-raiding. Ram-raiding is a term used for situations in
which a van, car, or other heavy vehicle is driven through the ATM kiosk
to effectively demolish or uproot an entire ATM and any housing to steal
its cash.

A common method is to simply rob the staff filling the machine with
money. To avoid this, the schedule for filling them is kept secret, varying
and random. Additionally the money is often kept in cassettes, which will
dye the money if incorrectly opened.

Modern ATM physical security concentrates on denying the use of the
money inside the machine to a thief, by means of techniques such as the
use of dye packs. A dye pack is a radio-controlled incendiary device used
by some banks to foil a robbery by causing stolen cash to be
permanently marked with red dye shortly after the robbery. A similar
method is one in which a container of acid is placed next to the
ATM's cash cartridge and, in case of a shock to the ATM, the acid falls on the
cash to destroy/burn it.

Technical Security & Threats

The ATM technical environment is changing. And that change has serious
ramifications for the security of ATMs. Many financial institutions today
are in the process of moving their ATMs from proprietary dial-up
networks to TCP/IP networks. This entails moving the ATM from what is
generally considered a "closed," dedicated, and relatively secure network
to what is considered a more open, unrestricted, and, in some cases, less
secure network.

At the same time, the operating system on which the ATM is based is
changing. ATMs have begun migrating from the obsolescence of IBM
OS/2 to Microsoft Windows to gain business value. But with the move to
the Windows platform comes increased exposure to known and unknown
security threats.

The operating system has also changed from a relatively secure, low-
visibility, low-target profile to an operating system that has relatively
higher visibility, a relatively higher vulnerability level, and a higher target
profile.

This combination - a change in communication pathways and a change
in operating systems - has increased the overall security exposure of the
ATM. Eliminating this increased exposure is complex and costly.
All communications traffic between the ATM and the Transaction
Processors needs to be encrypted via methods such as SSL. The Secure
Socket Layer, SSL for short, is a protocol by which many services that
communicate over the Internet can do so in a secure fashion.

SSL uses a cryptographic system that uses two keys to encrypt data - a
public key known to everyone and a private or secret key known only to
the recipient of the message. Any application that needs to transmit data
over an unsecured network such as the Internet or a company intranet is
a potential candidate for SSL. SSL encrypts the data being transmitted so
that a third party cannot "eavesdrop" on the transmission and view the
data being transmitted.

ATMs can be a potential target of viruses and other malicious software
that steal confidential information of ATM users in order to steal money from
their accounts. Scammers and fraudsters install skimming devices on or in the
ATM. Such devices capture customer account information. The
information stored on these "skimming" devices can be downloaded
and used to make counterfeit cards, which enable the scammers to gain
access to customers' bank accounts.

ATMs in Pakistan

Automated Teller Machine (ATM) usage is expanding fast in Pakistan.
According to SBP's Payment Systems Quarterly Review (Oct-Dec 2010),
172 ATMs were added to the eBanking infrastructure, bringing the number
of ATMs in the country to the highest ever level of 4,734, while 309
bank branches have been upgraded to Real time online branches
(RTOB). Now 7,036 bank branches are offering Real-time online banking
out of a total of 9,483 bank branches existing in Pakistan. The number of plastic
cards (i.e. ATM, Debit and Credit Cards) has also increased by 19.21%
compared to the previous quarter. At the quarter end (Oct-Dec 2010)
there were 13.19 million plastic cards in circulation.

According to the same report, the volume and value of overall eBanking
transactions in the country during the said quarter reached 56.42 million and
Rs 5.5 trillion respectively, showing an increase of 7.30% in volume and 17.47%
in value compared to the previous quarter. ATM, being the largest channel
for eBanking transactions, showed a 5.6% increase in the number of
transactions and a 9.5% increase in value, which resulted in an average value of
Rs. 8,804 per ATM transaction. A very significant increase was also recorded in
transactions related to Real time online branches (RTOB). The number of such
transactions grew by 10.59% and the value of transactions increased by
17.97%.
(http://www.sbp.org.pk/psd/reports/2010/Status_Report_Q_2-12-l
The Internet Banking

An Internet bank is the modern alternative to the traditional bricks-and-mortar
(physically existing) banks. An Internet bank is not necessarily the
same as an online banking facility of an established bank. With an online
banking facility of a traditional bank, most of the banking transactions
are still done in the actual bank and only a few banking functions are
supported online. For the most part, the website of a traditional bank is
just an extension of the actual bank. The transactions are limited and
require the approval of the traditional bank. In this section both
situations are discussed: when a bank is purely Internet-based and when
online facilities are provided as an additional channel in addition to
physically available services.

A pure Internet bank exists entirely online. These are legitimate banks
(i.e. approved by country's laws and central banks) and all transactions
are done over the Internet. Internet banks basically give all the services
of a traditional bank except that they don't have the physical structure
of a bank.

A pure Internet bank has two main selling points: convenience and free
banking services or higher interest rates.

An Internet bank is more convenient mainly because it's online. It's
always open. Account holders can go to their website anytime they
want to check their accounts or pay bills. It is very accessible and
can be reached from anywhere as long as a computer and an Internet
connection are available.

An Internet bank is cheaper to operate because it doesn't have offices
and employees to maintain. They're able to pass on these savings to their
clients by offering free services or higher interest rates (high-yield
checking accounts) than traditional banks. Some Internet banks attract
clients by offering high interest rates, as much as twice the rate a
traditional bank would give.

Another great thing about Internet banking is that clients have more
control over their money. Most Internet banks allow clients to customize
accounts and to maintain multiple accounts. Internet banks also provide
budgeting and money management tools. And because they're always
open and always online, they are able to provide up-to-date account
information.

Unfortunately, there are still some things that pure Internet banks cannot
do. Cash cannot be deposited directly; cash needs to be mailed or
some other channel must be used. It can be risky and quite inconvenient
if cash deposits are a regular activity. Also, in some cases, the postage
cost is the responsibility of the customer.

Another drawback of Internet banks is the possible ATM fee. Since these
banks do not have any physical facilities, Internet banks may
not have their own ATMs. In case of cash withdrawals, ATMs of other
banks must be used for a fee, which could be quite expensive.

Despite the above limitations and drawbacks, Internet banks are
becoming more and more popular around the world, mainly because it's
easy and convenient to bank with them.

The other category of Internet banking is when it is offered as an
extended feature of physical banks. This type of Internet banking is
something traditional banks are starting to offer as part of their standard
service. Traditional banks have started setting up their own Internet
banking facilities because more and more of their clients are asking for
the convenience of online banking. Internet banking has also allowed
traditional banks to attract more clients who normally wouldn't go to a
brick-and-mortar bank.

Traditional banks normally offer two different types of Internet banking.
The first type of service is to use personal finance software connected to
the bank's website. The personal finance software then adapts itself to
the services of the bank. Another type of Internet banking service is
where no such software is used and the customer connects directly to the
bank's website.

The most popular personal finance programs recognized by most banks are
Quicken and MSN Money. As customers use this software to manage their
accounts and track changes, they are connected with the bank's
servers. Depending on the type of software and what online services the
bank offers, account holders can basically control their account using the
finance software. Using personal finance software for Internet banking is
very convenient because everything is contained in one package, with
budgeting tools to help manage money etc.

Even without the software, it is still possible to check accounts and bills
online using the bank's website. Banks require more stringent security
measures and there may be a monthly fee to gain access to online services,
although free service provision is now common. The money management
tools on bank websites are also quite limited compared to those of personal
finance software.

Regardless of the type of Internet banking facility used, customers
basically get almost the same service from both types. These Internet
banking facilities have given traditional banking clients more
convenience and control over their accounts. It has made traditional
banking more accessible by giving each client personal attention. Overall,
Internet banking has made traditional banks better and stronger than ever
before.

There are certain criteria that can help in choosing the right Internet bank.
Top performing online banks have certain features in common that make
them stand out from the competition. These features have a lot to
do with the level of service, security and quality of an Internet bank.
Here's a list of features that a customer should look for in a good Internet
bank.

Features of a Good Internet Banking Model

■ No Fees for Online Transactions. Most people use online banks in
order to pay their bills online. It's more convenient, and it helps in
avoiding delayed payments. Banks may charge a monthly fee in
return for this facility. Most good Internet banks however don't
charge any fees for online payments, offering this service for free.

■ Easy To Navigate Website. In traditional banking, it's the bank tellers
and the banking staff that provide customer service. For an Internet
bank, it's their website that allows them to interact with their clients
and provide customer service. This is why it's important that an
Internet bank should have a good website. Not only does it have to
be attractive, it also has to be easy to use and easy to navigate.

■ Excellent security features to ensure the protection of clients. High
availability (i.e. zero or near-zero downtime) ensuring always
available banking services. Customers need to be certain that their
personal and account information does not get stolen and is safe
when traveling on the network.

■ Good Website Tools. The service an Internet bank provides is
dependent on the quality of available website tools. Internet banks
provide tools for archiving past transactions and allow viewing and
analyzing them. They have money management tools. They provide
email alerts whenever large amounts are withdrawn, when the account
balance is low or whenever there's any unusual activity.

■ Good Customer Care. No matter how well the bank's website is
designed, there may always be a need to talk to a bank's
representative online or through email. A good Internet bank will
always provide excellent, always available and easy online problem
rectification and customer support services.

Downtime
The impact of downtime can be devastating for banks. Customers use
Internet banking for convenience as it overcomes the limitations of time
and distance. In situations when the services are not available these
advantages are lost and so is the basic motive of Internet banking.
Customer satisfaction can plunge and bank may lose its clients to other
competitors.

Banks spend a good portion of their overall and IT budgets on ensuring
24x7x365 operations. High availability facilities are developed or sourced
from outside; 99.999 (five-nine) level availability is guaranteed through
mission-critical redundant components. In case these services are
sourced from outside, Service Level Agreements define the quality of
service that the service provider must provide.

Banking Security Features

Internet banking facilities take security very seriously. Whether it's the
website of a traditional bank or an Internet-only bank, both spend a
considerable part of their budget in making sure their system is secure
and their clients are well protected.

Internet banking facilities usually use encryption programs to protect
their data. They also require passwords, personal identification numbers
(PINs) and security keys for their clients to help verify their identity. All these
measures should ensure that only the valid account holder has access to
their accounts.

However, stories about identity theft are common. These things happen
mainly due to human error. People can be careless and make mistakes.
Hackers and thieves get past these strict security features because
careless customers give them the ability to do so. Some tips to improve
the security of Internet banking are:

■ Memorize PINs and passwords and don't write them anywhere.

■ Delete browsing history, cache and cookies regularly. Disable the auto-
complete and auto-password save functions of the browser.

■ In case of multiple accounts, use a different username and password for
each one.

■ Use strong passwords. Strong passwords are usually longer than
characters, use a combination of letters, numbers, and special characters,
and use upper and lower case letters.

■ Avoid accessing Internet banking accounts from public computers (Internet
cafes) or unsecure servers.

■ Avoid storing Internet banking statements on a computer, or password-protect
such documents.
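The passwords and PINs the text relies on are only as strong as the rules the bank enforces at enrolment and the way it stores them afterwards. The block below is an added Python example, not the reference book's or any bank's code: it checks a new password against the strength rules in the list above (the minimum length of 12 is an assumed policy value, since the text leaves the number unstated), stores a salted PBKDF2 verifier instead of the secret itself, and compares in constant time at login. The sample passwords are constructed.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the reference book or from any bank.
MIN_LENGTH = 12             # assumed policy value; the text does not state a number
PBKDF2_ROUNDS = 200_000     # work factor; raise it as hardware gets faster
SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")


def password_problems(password):
    """Return the list of strength rules the password fails (empty list = strong).

    The rules are the ones in the text: length, letters plus digits plus special
    characters, and a mix of upper and lower case."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SPECIAL for c in password):
        problems.append("no special characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("not mixed case")
    return problems


def hash_secret(secret, salt=None):
    """Derive a stored verifier with PBKDF2-HMAC-SHA256 and a random per-user salt.

    The same routine serves PINs and passwords; the salt means two customers
    with the same PIN do not end up with the same stored value."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "rounds": PBKDF2_ROUNDS, "digest": digest.hex()}


def verify_secret(secret, record):
    """Recompute the derivation for a login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                    bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def enrol(password):
    """Reject a weak password; otherwise return the record to store in the user table."""
    problems = password_problems(password)
    if problems:
        raise ValueError("weak password: " + ", ".join(problems))
    return hash_secret(password)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    record = enrol("Correct-Horse-7-Battery")
    print("stored record:", record)
    print("right password:", verify_secret("Correct-Horse-7-Battery", record))
    print("wrong password:", verify_secret("correct-horse-7-battery", record))
    print("weak password problems:", password_problems("summer2024"))
```

Nothing in the stored record lets the bank (or anyone who copies its user table) recover the password, which is the property that limits the damage when the other tips in the list are ignored.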
Point Of Sale

The acronym POS stands for "Point Of Sale". Generally this means the
exact location where a purchase is made and payment is completed.
This may include face-to-face sales transactions as well as purchases
made online. Whether a customer is standing at a cashier counter or
checking out an online shopping cart, the precise place where
payment is made for goods or services ordered or received is
considered the point of sale - or POS.

Though most purchases are indeed made at a point of sale -
according to financial terminology - only those made with a PIN are
considered POS transactions. If a customer chooses to use the credit
option when processing payment it will not be considered a POS
transaction; he/she will be required to sign for the purchase and will
not have the option to receive cash back. Debit (POS) transactions do
not require a signature and, unlike credit transactions, customers may
receive cashback. Cashback is a service offered to retail customers
(not everywhere) whereby an amount is added to the total purchase
price of a transaction paid by debit card and the customer receives
that amount in cash along with the purchased product.

A POS terminal manages the selling process through a salesperson-
accessible interface. The same system allows the creation and printing
of the receipt.

Early electronic cash registers were controlled with proprietary
software and were very limited in function and communications
capability. In 1973 IBM introduced Store Systems that were, in
essence, a mainframe computer used as a store controller that could
control point of sale registers. By mid-1974, it was installed in
selected Department Stores.

The first microprocessor-controlled cash register was built in 1974 for
McDonald's Restaurants. Each station was microprocessor controlled.
There was one button for every item. When the customer was ready
to pay, the [Total] button would calculate the bill. This made it
accurate for McDonald's and very convenient for the sales people,
resulting in shorter wait times for customers in the queues.

Programmability allowed retailers to be more creative. In 1979 some
businesses were using POS software to take customer orders.

After many more such interesting innovations, in 1992 the first point
of sale software that could run on the Microsoft Windows platform,
named IT-Retail, was created. Since then a wide range of POS
applications have been developed on platforms such as Windows and
Unix. The availability of local processing power, local data storage,
networking, and graphical user interfaces made it possible to develop
flexible and highly functional POS systems. The cost of such systems also
declined with the passage of time, making such systems possible to
use.

POS systems gained more popularity as efforts were made to standardize
development of computerized POS systems that simplify
interconnections of POS devices. Two such initiatives are OPOS and
JavaPOS, both of which conform to the UnifiedPOS standard.
JavaPOS is for Java what OPOS is for Windows. UnifiedPOS is a world-
wide vendor and retailer driven initiative to provide vendor neutral
software application interfaces for POS peripherals.

Post 2000, web based POS software was developed that can run on any
computer with an internet connection and supported browser, without
additional software. POS systems that are Internet based are used by
businesses with multiple locations. An owner can access the daily data
from all locations from a remote site, as well as track sales
throughout the day. Franchises and businesses with satellite offices track
sales through connected POS systems and build databases of consumer
demographics to guide marketing strategies.

Another variant and advancement in POS systems is Wireless point of sale
(wireless POS or WPOS), which is the use of wireless devices to facilitate
payment for products or services. Typically, a WPOS system consists of a
base station directly connected to a central network and one or more
handheld devices that communicate wirelessly.

WPOS can streamline many processes, from buying food at a
grocery or restaurant to more sophisticated transactions. Systems
may include the ability to consummate sales, record and track customer
orders, process credit cards, connect to other systems in a network, and
manage inventory. By enabling a vendor to make a transaction or adjustment
anywhere within range of the wireless network, WPOS can confirm
a customer's ability to pay and ensure seamless delivery of the desired
product or service. The technology can dramatically cut costs by:

■ Eliminating wait times for sales or service

■ Increasing the productivity of individual workers

■ Reducing the cost requirements posed by wired installations.

The most common vehicle for a wireless POS transaction is an RFID (radio-
frequency identification) system that employs small transponders, also called
tags, embedded in or attached to specific items. RFID systems use
transmitters and receivers in the radio frequency (RF) portion of the
electromagnetic spectrum to uniquely identify objects or people. The
technology is coming into increasing use in industry as an alternative to
the bar code system. Wi-Fi has also entered the marketplace as an
alternative standard for WPOS, allowing for similar functions on existing
networks.

Nowadays, Point of Sale Software is only as good as its integration with
the many popular software & services of the company. An example of such
software is accounting programs, where all of the daily activities and
transactions would be automatically imported into accounting without
labor on the user's end.

The key requirements that must be met by modern POS systems include
high and consistent operating speed, reliability, ease of use, remote
supportability, low cost, and rich functionality. Most POS hardware
also includes barcode swipers that allow the cashier to electronically
capture the price, which is automatically entered into the transaction
and inventory control programs.

Most POS hardware can be bought separately as plug-and-play
devices from different companies. Merchants use point-of-sale (POS)
systems to take customer payments by credit cards. Point of sale
(POS) payment software allows merchants to collect payments
through debit and credit cards immediately when the customer pays
rather than waiting to submit credit card payments at the end of each
day or according to another company-preferred schedule. The POS
terminals are typically connected directly to a bank that can credit the
user's account and show payment on the merchant's books. A
financial tracking system is connected to POS terminals through
systems that process credit and debit card payments.

The merchant is charged a fee every time a POS system is used.
Merchants receive additional benefits from POS systems, including the
ability to display the transaction, calculate taxes and discounts and
show payments made. Inventory can be attached to the POS system
so that each item sold is automatically removed from the inventory
report. Customer preferences, addresses and emails also can be
included in the information provided by the software programs.

Acknowledging the importance of security requirements, the Secure
POS Vendor Alliance (SPVA), a non-profit organization, was formed to
increase awareness of, and improve, payment security in the electronic
point-of-sale industry. The SPVA was founded by the three largest
suppliers of point-of-sale payment terminals.
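The text describes the POS terminal capturing a card and passing the account information on to the processing network, and the SPVA's concern with payment security at that point. Two concrete things a terminal's payment component does with that data are shown in the following added Python example, which is not code from the reference book, the SPVA or any terminal vendor: it validates the card number with the Luhn check digit that payment card numbers carry (catching misreads before a request goes out), and it masks the number so that receipts and logs never show more than the first six and last four digits. The card numbers, amounts and log line are constructed test values.

```python
import re

# Added example, not code from the reference book or from any POS vendor.
# All card numbers here are constructed test values, not real accounts.

# a run of 13-19 digits, optionally separated by spaces or hyphens,
# not glued to further digits on either side
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan):
    """Luhn (mod 10) check: double every second digit from the right, subtract 9
    from any result above 9, and require the digit sum to be a multiple of 10."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19 or any(c not in " -" and not c.isdigit() for c in pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep the issuer prefix (6) and last four digits; replace the rest with asterisks."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_pans(text):
    """Replace every Luhn-valid card number in a log or receipt line with its masked form.

    Digit runs that fail the check (order numbers, references) are left untouched,
    so the scrubber does not damage ordinary data."""
    def repl(match):
        return mask_pan(match.group(0)) if luhn_valid(match.group(0)) else match.group(0)
    return PAN_PATTERN.sub(repl, text)


def authorise_request(pan, amount_minor):
    """Shape a payment request for the processor: reject a malformed PAN up front and
    carry only the masked number in the part of the record that will be logged."""
    if not luhn_valid(pan):
        raise ValueError("card number fails check digit; re-swipe or re-enter")
    return {"pan_masked": mask_pan(pan), "amount_minor": amount_minor}


if __name__ == "__main__":
    # constructed sample line from a terminal that wrote the full card number to its log
    line = "2011-06-30 14:02:11 sale 4111 1111 1111 1111 amount 880400 ref 1234567890123 approved"
    print(scrub_pans(line))
    print(authorise_request("4111111111111111", 880400))
```

The Luhn check only detects mistyped or misread numbers; it says nothing about whether the card is genuine, which is the processor's job. The masking is what keeps a stolen receipt roll or log file from yielding usable card numbers.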

POS Downtime

Point of sale systems/devices are computer-enabled and therefore
susceptible to familiar IT-related problems and risks, the most common
being power outages, networking problems, software errors and
hardware failures. Web POS systems are connected to the World Wide
Web and the dangers of virus attacks and denial of service attacks are
real. Whatever may be the reason for POS unavailability, the net result
is the same - lost business and unsatisfied customers. Companies
relying heavily on the POS channel must spend generously on them to
guarantee their availability and security. First-level defense techniques
include the use of redundant power supplies, firewalling web-enabled
POS systems, the use of anti-malware software, etc.

POS Problems
Point of sale systems often feature a complex arrangement of
hardware, software and network connections. POS systems rely on
predictable operation, and problems can appear when hardware,
software or the people concerned do not perform as expected.

Hardware Issues
Point of sale systems often involve an array of devices connected with
one another using physical cables or secured wireless protocols. Typical
POS components include workstations with screens and keyboards, bar-
code scanners, check readers, display screens, cash drawers, receipt
printers, customer-facing displays and remote data scanning devices. When
one of these devices fails, the entire system may stop working correctly.
Many POS systems also include a central server that processes data and
coordinates system-wide activity. These servers can experience problems
like hard drive and memory failure and other problems commonly
associated with personal computers.

Software Issues
Just as POS systems rely on computer-like hardware, they also rely on
computer operating systems and special software to perform point of sale
functionality. Central servers and checkout workstations often run
operating systems similar to those found on personal computers. POS
equipment also uses software applications to handle credit card
processing, inventory tracking, accounting and other sales-related functions.
When POS software encounters an error, or when too much software
overloads the computer processor or memory, the system can stop
working.

Connectivity Issues
When a customer presents a credit or debit card as payment, the point
of sale system must transmit the account information to the credit card
processing network. According to the Merchant Account Guide website,
POS systems usually rely on either dial-up modems or broadband Internet
services to connect to the processing network. If the network connection
becomes unavailable, the system will lose the ability to process credit and
debit transactions; some systems may also lose the ability to verify check
payments. In addition, dial-up connections must have clear audio to
communicate with the credit card network properly. If any static exists on
the line, the POS system may lose the ability to process credit, debit and
check transactions.

Human-related Errors
Because of the complexity of point of sale systems, concerned staff receive
extensive training on how to perform transactions and operate the system.
If incorrect information is provided or wrong applications are launched, POS
systems may become unpredictable or fail to process transactions correctly.

POS systems are becoming popular in Pakistan and are finding their way
into businesses as firms and customers realize the safety and convenience
these systems offer. POS hardware vendors are also making their efforts in
making POS technology popular. Many businesses are using native
software as it is cost-effective and tailored to the specific needs of the country.
The poor literacy rate in general and low technology awareness in particular
are significant hindrances in its wide-spread use, together with cultural
barriers and lack of trust as perceived both by buyers and sellers.

Summary

The new IT-based banking channels of service delivery are independent of
time and distance restrictions, making them even more useful and valuable
for organizations. The net result is the popularity of branchless
banking. Branchless banking is a distribution channel strategy used for delivering
financial services without relying on bank branches. Examples of branchless banking
technologies are the Internet, automated teller machines (ATMs), POS devices and
mobile phones etc. The key to success is not solely technological innovation, but also
integrity. For branchless banking to work, it must be transparent and trusted by the
customer. The objectives of the SBP Regulations are to define Branchless Banking
activities as a new delivery channel to offer banking services in a cost effective manner.
Phone banking is a service provided by a financial institution, which allows its customers
to perform transactions over the phone. Phone banking requires a call center, which is a
centralized location used for the purpose of receiving and transmitting a large volume of
requests by telephone. A call center may be operated by a company to administer
incoming product support or information inquiries from bank consumers. Computer
Telephony Integration is a set of technologies for integrating and managing computers
and telephone systems. CTI enables the telephone system to display information via the
computer. Interactive voice response (IVR) is a technology that allows a computer to
interact with humans through the use of voice and telephone keypad inputs. Downtime
is the duration during which services are not available. Mobile Banking (also known
as M-Banking, mbanking, SMS Banking) refers to the provision and availability of banking
and financial services with the help of mobile telecommunication devices even when
users are miles away from their nearest branch or home computer. Banks classify
mobile-phone services based on how information flows. A pull transaction is one in
which a mobile phone user actively requests a service or information from the bank. A
push transaction, on the other hand, is one in which the bank sends information based
on a set of rules. WAP is the technology architecture that makes accessing Internet
pages possible from a mobile phone. An Automated Teller Machine (ATM) is a
computerized telecommunications device that provides the clients of a financial
institution with access to financial transactions in a public place without the need for a
cashier, human clerk or bank teller. An Internet bank is the modern alternative to the
traditional bricks-and-mortar (physically existing) banks. An Internet bank is not
necessarily the same as an online banking facility of an established bank. A pure Internet
bank exists entirely online. These are legitimate banks and all transactions are done over
the Internet. Internet banks basically give all the services of a traditional bank except
that they don't have the physical structure of a bank. POS stands for "Point Of Sale".
Generally this means the exact location where a purchase is made and payment is
completed. This may include face-to-face sales transactions as well as purchases made
online. Whether a customer is standing at a cashier counter or checking out an online
shopping cart, the precise place where payment is made for goods or services ordered
or received is considered the point of sale. Post 2000, web based POS software was
developed that can run on any computer with an Internet connection and supported
browser, without additional software.

Reference Links

This chapter is compiled using content on the web at the following non-exhaustive list of
URLs.
http://www.callcentrehelper.com/the-top-ten-call-centre-problems-12637.htm
http://en.wikipedia.org/wiki/Virtual_queue
Article Source: http://EzineArticles.com/1731778
http://www.articlesbase.com/banking-articles/mobile-banking-definition-and-advantages-1163722.html#axzz1QZ360Nzf
http://money.howstuffworks.com/personal-finance/online-banking/mobile-banking1.htm
How Does Internet Banking Work? | eHow.com
http://www.ehow.com/how-does_5062750_internet-banking-work.html#ixzz1Qy o
How Do POS Systems Work? | eHow.com
http://www.ehow.com/how-does_4922753_pos-systems-work.html#ixzz1RychZvoW
Point of Sale Problems | eHow.com
http://www.ehow.com/info_8091513_point-saleproblems.html#ixzz1RyXiB2qs
How Does Point of Sale Work? | eHow.com
http://www.ehow.com/how-does_4899343_point-sale-work.html#ixzz1RmYSqKNp
http://www.sbp.org.pk/psd/reports/2010/Status_Report_Q_2-12-11.pdf
http://www.sbp.org.pk/bprd/2011/C9-Enclosure-2.pdf
Part 6: Emerging Technology Trends
in Financial Sector

In this part
Contactless payment solutions
Branchless banking
Micropayment Solutions
Open Source software (alternatives to Microsoft and other proprietary products)
Image based cheque processing system
Biometric ATMs
Store Value Cards

Part Six Emerging Technology Trends in the
Financial Sector

Learning Outcome By the end of this chapter you should be able to:
■ State the concept of contactless payment solutions
■ State the concept of NFD (Near Field Display)
■ State the concept of Voice-based transactions
■ State the concept of micro payment solutions
■ Recognize the features and benefits of using free and
open source software and the areas in which they are used
■ Recognize the potential problems with using free and
open source software
■ Describe the image-based cheque processing system
■ List the features and the functionality of Biometric ATMs
■ List the features and the functionality of Stored Value Cards

New Technology Trends in the Financial Sector

The banking and financial sector has always welcomed technological
innovations in the past and this trend continues today with more
enthusiasm than ever before. The rivalry between financial sector
organizations in terms of offering information-based products and services
and providing customer services has encouraged technology to
become an integral part of operations and strategy. The chief executives
of financial organizations are now asserting their roles very strongly
and have left their offices to find their way to the board rooms and into
forums to decide the long-term future of the organizations. During
recent times technology-based functionality has been adopted in
banks, especially in customer-facing operations. The main objectives are to
provide better service, improve asset efficiency, reduce cycle times, reduce
the total cost of technology ownership and bring efficiency in general to all
functions. Some of the latest trends and their enabling technologies are
discussed in this chapter.

Near Field Communication

Near Field Communication, or NFC, enables simple transactions, data
exchange and connections with a touch. Formed in 2004, the Near Field
Communication Forum (NFC Forum) promotes sharing, pairing and
transactions between NFC devices and develops and certifies device
compliance with NFC standards. A Smartphone or tablet with an NFC chip
can make a card payment or serve as a keycard or ID card. NFC-
enabled devices, for example, can read NFC tags on advertisement posters
to obtain information or an audio or video presentation.

NFC isn't really new or cutting edge. In fact, it's basically a variation
of short-range wireless technologies already used throughout the world. Near
field communication can quickly swap information between devices when
they're touched together. Text, images or other data can simply be read
by holding an NFC-enabled phone up to various "smart posters".

Near field communication (NFC) technology aims to bring more convenience
by making exchange of digital data, connection of
electronic devices, and transactions far easier. NFC technology finds
application especially in mobile phones, which work by identifying NFC
tags in another device which is in close range (4 to 10 cm), leading to
exchange of data between the two. Near field communication
technology is actually an evolution of RFID (Radio Frequency
Identification) technology for contactless payment systems.

NFC technology is also believed to be very similar to Bluetooth
technology, with the difference that it only requires two mobile devices
in close proximity without any need to establish the pairing of the two
devices to work together, as in the case of Bluetooth.

Based on inductive coupling, NFC uses loosely coupled inductive
circuits to exchange power and/or data over a short distance (usually
about four centimeters). While it shares the same basic technology with
RFID tags and contactless smartcards, NFC is implemented as a read-
only technology. That means readers only get information from other
NFC tags, not the other way around. These tags cost extremely little to
implement and can be embedded in nearly anything: stickers, posters,
glass, and so on.

Emerging NFC standards allow customers to quickly purchase products


and transfer secure information by touching devices. NFC allows
companies to reduce staffing, printing, and point of sale costs.

Technologically speaking, NFC is a set of short-range wireless
technologies, typically requiring a distance of 4 cm or less. NFC
operates at 13.56 MHz on the ISO/IEC 18000-3 air interface and at rates
ranging from 106 kb/s to 848 kb/s. NFC always involves an initiator and
a target; the initiator actively generates an RF field that can power a
passive target. This enables NFC targets to take very small physical
shapes such as tags, stickers, key fobs, or cards that do not require
batteries. NFC peer-to-peer communication is also possible, where both
devices are powered.

Compared to other wireless protocols like Wi-Fi or Bluetooth, NFC is
exceedingly slow, with a maximum data transfer speed of 0.424 Mbps,
less than a quarter that of Bluetooth. But NFC has several key
advantages over Bluetooth: it consumes a mere 15 mA of power, it has
the possibility for greater security (more on this later), and it forgoes
the involved "pairing" process of Bluetooth entirely. Bluetooth needs to
be configured; NFC is completely effort-free, requiring nothing more
than a tap.

The three main concepts that the NFC Forum, the main association of
companies promoting NFC, is pushing are "sharing, pairing, and
transaction."

Transaction is the most obvious of the three, and the most popular. A
smartphone with an NFC chip could very easily be configured to work
as a credit or debit card: just tap the phone against an NFC-enabled
payment terminal and the transaction is completed in no time. But
that's really only the start of what NFC can do in terms of transactions.

NFC could work well for public transit passes, library cards, hotel room
keycards, and office building passcards. Even government-issued IDs
like driver's licenses and passports can be replaced or augmented with
NFC. It's all possible, and relatively easy. Even keys could someday become
a relic of the past, replaced by the tap of a phone to a lock. Sharing
and pairing concepts are more complicated and beyond the scope of
this discussion.

NFC is inherently worrisome in that it promotes the transmission
of sensitive data through the air, and that data could theoretically
be snatched. The NFC protocol itself has surprisingly few actual
safeguards against snatching, and the protections the NFC Forum
does highlight are logical extensions of the physical nature of
the protocol. For example, the 4-inch transmission zone would
theoretically make it difficult to steal data wholesale.
There's also the ability to simply turn NFC off when not in use, which
could curtail some piracy, if one remembers to do it each time. But
that's not really enough; it's like declaring a wallet generally safe just
because it's difficult for a pickpocket to get close enough to snatch it
undetected.

The NFC standard leaves any kind of advanced protection, like encryption
or password protection, up to the business that uses it, e.g. banks. It is
relatively easy for most companies to embed encryption or password
protection, but they still have to do it.

Despite some concerns, NFC still has great potential in developing
applications for the market in the near future. Some major
areas of application are as follows:

■ Transportation: NFC can be used for contactless payment
in public transportation systems like railways and
buses. When a person travels, the check-in (parking fee and
purchasing tickets) and check-out can be done by using their
mobile phone to touch NFC tags, and the amount can be
deducted from their source of funds directly.

■ Contactless Payments: This involves payment through credit cards,
the information being identified by reading the NFC tags by
the devices used by a customer. This can be used for
shopping, in a restaurant, or to use and share coupons with
friends. This can benefit the loyalty programs of stores and act
like a digital wallet for a person.

■ Healthcare: It finds wide application in the healthcare domain
as well as in research areas for various ailments. The NFC tags can be
scanned by healthcare professionals as well as nurses taking care
of patients, and the data can be stored in a database. The history
of the patient's visit and the medication given can easily be
accessed whenever required by a doctor. This has great potential
to improve healthcare standards across the world.

■ Marketing: Near field communication finds great usage by
marketers for advertising their products to a wider audience by
using NFC Smart Posters. A person can simply touch a poster (which
has an NFC tag) with an NFC-enabled phone to get all the
information about promotions, coupons, and tickets for an event,
movie, or play. This means everything related to an event can be
transferred to the phone with the help of NFC posters even while
a person is travelling. Smart posters are a way of viral
marketing and attracting new customers for a product or service.
Smart posters are already under trial in the Asia Pacific region so
they could be widely used in the near future.
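
The tag on a Smart Poster carries its link and title as an NDEF message, the NFC Forum's record format, which is also what the stickers and posters mentioned earlier hold. The Python below is an added example, not code from the reference book: it encodes a constructed Smart Poster tag and parses it back, checking every length field so that a malformed tag cannot make the reader run past the end of the data, and rejecting URI prefix codes it does not recognise. The title, link and record contents are constructed for the example.

```python
# Added example: NDEF Smart Poster encoder/parser (not from the reference book).
# Record layout per the NFC Forum NDEF spec: flags byte (MB, ME, CF, SR, IL, TNF),
# TYPE_LENGTH, PAYLOAD_LENGTH (1 byte if SR set, else 4), optional ID_LENGTH,
# then TYPE, ID and PAYLOAD. Sample tag contents below are constructed.

MB, ME, CF, SR, IL = 0x80, 0x40, 0x20, 0x10, 0x08
TNF_WELL_KNOWN = 0x01

# URI record prefix codes (first payload byte of a "U" record); unknown codes are rejected.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
                0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}


def encode_record(rtype: bytes, payload: bytes, first: bool, last: bool) -> bytes:
    """Build one well-known-type NDEF record in short-record form (payload < 256 bytes)."""
    if len(payload) > 255:
        raise ValueError("short-record form only")
    flags = SR | TNF_WELL_KNOWN | (MB if first else 0) | (ME if last else 0)
    return bytes([flags, len(rtype), len(payload)]) + rtype + payload


def parse_message(data: bytes) -> list:
    """Split an NDEF message into records, refusing any length field that runs past the data."""
    records, off = [], 0
    while off < len(data):
        hdr = data[off]
        off += 1
        if hdr & CF:
            raise ValueError("chunked records not supported")
        fixed = 1 + (1 if hdr & SR else 4) + (1 if hdr & IL else 0)  # header bytes after flags
        if off + fixed > len(data):
            raise ValueError("truncated record header")
        type_len = data[off]
        off += 1
        if hdr & SR:
            payload_len = data[off]
            off += 1
        else:
            payload_len = int.from_bytes(data[off:off + 4], "big")
            off += 4
        id_len = 0
        if hdr & IL:
            id_len = data[off]
            off += 1
        end = off + type_len + id_len + payload_len
        if end > len(data):
            raise ValueError("length field exceeds message")  # a hostile tag can lie here
        rtype = data[off:off + type_len]
        payload = data[off + type_len + id_len:end]
        off = end
        records.append({"tnf": hdr & 0x07, "type": rtype, "payload": payload})
        if hdr & ME:
            break  # message-end flag set: ignore any trailing bytes
    return records


def decode_uri(payload: bytes) -> str:
    if not payload or payload[0] not in URI_PREFIXES:
        raise ValueError("unknown URI prefix code")
    return URI_PREFIXES[payload[0]] + payload[1:].decode("utf-8")


def decode_text(payload: bytes) -> tuple:
    """Text record: status byte (bit 7 = UTF-16, low 6 bits = language code length)."""
    if not payload:
        raise ValueError("empty text record")
    lang_len = payload[0] & 0x3F
    encoding = "utf-16" if payload[0] & 0x80 else "utf-8"
    return payload[1:1 + lang_len].decode("ascii"), payload[1 + lang_len:].decode(encoding)


def read_smart_poster(tag: bytes) -> dict:
    """Return {'uri', 'lang', 'title'} from a Smart Poster ('Sp') tag."""
    outer = parse_message(tag)
    if len(outer) != 1 or outer[0]["type"] != b"Sp":
        raise ValueError("not a Smart Poster")
    info = {}
    for rec in parse_message(outer[0]["payload"]):  # the 'Sp' payload is itself an NDEF message
        if rec["type"] == b"U":
            info["uri"] = decode_uri(rec["payload"])
        elif rec["type"] == b"T":
            info["lang"], info["title"] = decode_text(rec["payload"])
    if "uri" not in info:
        raise ValueError("Smart Poster without a URI record")
    return info


def build_sample_tag() -> bytes:
    """Constructed tag: title 'Movie tickets' (en) linking to https://example.com/promo."""
    title = encode_record(b"T", b"\x02en" + b"Movie tickets", first=True, last=False)
    link = encode_record(b"U", b"\x04" + b"example.com/promo", first=False, last=True)
    return encode_record(b"Sp", title + link, first=True, last=True)


if __name__ == "__main__":
    print(read_smart_poster(build_sample_tag()))
```

A phone's tag reader performs the same decoding before it shows the user a link; the length checks are the detail a defender cares about, since a tag is untrusted input that anyone can write and stick on a poster.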

Near field communication technology is rapidly gaining popularity,
especially after successful trials in various parts of the world. Once
NFC-enabled mobile phones are more widely available in the market,
the applications will be countless.

Contactless Payment Systems

Contactless technology, an application of NFC technology, is fast gaining
popularity and is an easy way to complete a transaction quickly and securely.
The introduction of EMV chip technology is producing new, faster and
more convenient ways to pay. The payment process involves no
physical contact between the consumer payment device and the
physical point of sale (POS) terminal. The consumer holds the
contactless card in close proximity to the POS terminal (approximately
4 cm) and the payment information is communicated wirelessly via
radio frequency.

Contactless payment terminals have already become the present and
future of credit card transactions. Also known as "tap and pay",
contactless payment provides benefits to retailers and consumers
alike, particularly in the areas of speed and convenience. Retailers with
major POS terminal providers are fast upgrading their existing system
with plug-and-play contactless payment devices.

Contactless payments are thought to be one of the most important
card payment innovations of recent times. With investments by the
card associations and early adoption on the part of major card issuers
and top-branded merchants, contactless payments are already in the hands of
millions of consumers and in the checkout lanes of thousands of
merchants. Retailers have traditionally avoided using payment cards
for low-value transactions because the processing is too costly. With
contactless technology, these problems no longer exist and a
growing number of retail companies are adopting contactless
technology.

In environments where speed and convenience are important,
contactless payments can add demonstrable value. The RF-based
contactless payment devices are easy to use; consumers like the
increased speed and control of transactions and are increasingly using
the devices instead of cash. In many parts of the world, contactless
credit and debit cards are enabling
consumers to pay more easily than with cash at movie theaters, fast
food restaurants, casual dining establishments, convenience stores, and
fuel stations. Contactless is also ideal for other markets such as
unattended and self-service payment systems such as ticket vending
and parking.

Consumers no longer have to fumble with cash and change or worry
about having enough cash for a purchase - they can simply place their
contactless payment device in close proximity to a reader. In most cases,
they don't even have to sign a receipt or enter a PIN. There is
definitely a big market for this new technology and research proves
this. Research results have shown customers get through the line 53%
faster with contactless than with magnetic stripe transactions, and 63%
faster than cash. Customers spent 25-33% more with contactless than
with cash.

American Express, Discover Network, MasterCard and Visa, in
concert with their issuers, have implemented new programs and rules
designed to encourage adoption of contactless payments. These
programs are typically aimed at transactions below a certain amount,
although setting such a limit is not necessary.

Contactless Payments are Safe and Secure

Although based on chip-level RF technology, contactless payment
technology is fundamentally different from RFID and is built from the
ground up to meet requirements for high security. Contactless payment
devices use sophisticated smart chip technology with built-in
intelligence and multiple safeguards specifically designed to protect
against fraud. Built on the current payment infrastructure, contactless
payments leverage layered security.

Consumer account information is stored securely on the chip and
the chips themselves are tamper-resistant and extremely difficult to
duplicate. A payment transaction initiated by the contactless smart
card's built-in chip is considered much more secure than one initiated
with a magnetic card.

[Figure: Breakdown by Target Market - Sales Volume 2011 (chart not reproduced)]


As an extra safeguard, a contactless payment system may allow
consumers to use their card or payment device up to four or five
times, before they will be prompted to input their PIN. A
transaction limit will be set and then the consumer can purchase items
of this value without needing to input their PIN, until the set number
of transactions has been reached. If a consumer were to lose their
card, then the bank could only lose a maximum amount equal to the
set limit.
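
The tap-count rule just described can be written out as an issuer-side decision procedure. The Python below is an added example, not code from the reference book or from any card scheme: taps at or below a per-transaction limit are approved without a PIN until a set number of consecutive no-PIN taps has been reached, and a PIN-verified transaction resets the window. The limit (2500 cents) and the four-tap window are constructed values, and worst_case_exposure_cents takes this example's conservative reading that every remaining no-PIN tap could be for the full limit.

```python
# Added example: issuer-side tap-and-pay risk counter (not from the reference book).
# Rule modelled: taps at or below a per-transaction limit are approved without a PIN
# until a set number of consecutive no-PIN taps is reached; a PIN-verified
# transaction resets the window. All limits below are constructed values.


class TapRiskCounter:
    def __init__(self, per_tx_limit_cents: int, max_taps_without_pin: int):
        self.per_tx_limit_cents = per_tx_limit_cents
        self.max_taps_without_pin = max_taps_without_pin
        self.taps_since_pin = 0  # consecutive approved taps since the last PIN

    def authorize(self, amount_cents: int, pin_verified: bool = False) -> str:
        """Return 'APPROVE', 'PIN_REQUIRED' or 'DECLINE', updating the tap counter."""
        if amount_cents <= 0:
            return "DECLINE"
        if pin_verified:
            self.taps_since_pin = 0  # cardholder confirmed: open a fresh no-PIN window
            return "APPROVE"
        if amount_cents > self.per_tx_limit_cents:
            return "PIN_REQUIRED"  # above the no-PIN ceiling, whatever the count
        if self.taps_since_pin >= self.max_taps_without_pin:
            return "PIN_REQUIRED"  # window exhausted: next transaction needs the PIN
        self.taps_since_pin += 1
        return "APPROVE"

    def worst_case_exposure_cents(self) -> int:
        """Most that could be spent on a lost card before a PIN is demanded, under the
        conservative assumption that each remaining tap is for the full limit."""
        remaining = max(0, self.max_taps_without_pin - self.taps_since_pin)
        return remaining * self.per_tx_limit_cents


def run_scenario() -> tuple:
    """Four small taps approved, the fifth forces a PIN, the PIN resets the window,
    and a tap above the limit needs a PIN regardless of the count."""
    card = TapRiskCounter(per_tx_limit_cents=2500, max_taps_without_pin=4)
    decisions = [card.authorize(900) for _ in range(4)]
    decisions.append(card.authorize(900))                     # fifth no-PIN tap
    decisions.append(card.authorize(900, pin_verified=True))  # PIN entered
    decisions.append(card.authorize(3000))                    # above the tap limit
    return decisions, card.worst_case_exposure_cents()


if __name__ == "__main__":
    print(run_scenario())
```

The counter is the whole of the safeguard: once it is exhausted the card is worth nothing to a finder without the PIN, which is why the exposure figure shrinks with every approved tap and is restored only by a PIN-verified transaction.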

Standards are important for the adoption of technology as they
provide the ability to have multiple sources of products based on the
same standard. The major international card associations (MasterCard,
Visa, and American Express) offer RF-based contactless payment
technology complying with the ISO 14443 standard. A single industry
standard-based (ISO 14443) RF contactless smart card technology
means that the same contactless payment device can be used to
accept payment from American Express ExpressPay, Discover Network,
MasterCard PayPass and Visa Contactless.

Mobile Phone Payments

A surprising number of people still do not have access to credit or
debit cards. In contrast, it is estimated that over five billion people
across the world have access to a mobile phone. Contactless
technology could therefore be incorporated into a mobile phone cover
or attached to the phone itself, allowing people that do not have a
high credit rating to access the technology without having to use a
bank card.

Mobile phones may become the payment choice of consumers who
would rather tap a mobile phone against a contactless reader than dig
around and search for a payment card. The industry is already moving
to mobile phones to conduct contactless payments. Several Near Field
Communication (NFC) technology pilot projects have been launched to
deliver contactless payment capabilities.

Contactless payment technology continues to develop - but the
question is whether its implementation will become a rollercoaster ride for
retailers, and whether hard currency will become harder to find in the future.
Perhaps cash will always be necessary; it is something that we all
carry in our pockets for quick and easy small-scale purchases, and a
whole industry exists purely to handle and transport it.

Micropayment Systems

A micropayment is a financial transaction involving a very small sum of
money and usually one that occurs online. Micropayments were
originally envisioned to involve smaller sums of money. One problem
that has prevented their overwhelming success is the need to keep costs
for individual transactions low, which is impractical when transacting
such small sums even if the transaction fee is extremely low.
Micropayments are a practical means of transferring very small
amounts of money in situations where collecting such small amounts
with the usual payment systems is impractical or very expensive in
terms of the amount of money being collected.

In the non-digital world, micropayments themselves are not new.
People have been paying cash for small purchases for hundreds of
years. What is relatively new though is using non-cash, contactless or
other electronic methods to make these payments, for online sales and
for sales of goods in the "real" world at the point-of-sale.

Why have the electronic versions of micropayments become so important to
banks and businesses? Because handling cash is very expensive. It has to
be collected, counted, stored, handled and redistributed. Banks and
merchants need to find a way to cut those costs. It has been estimated that
a vast majority of credit card sales are small purchases; banks and
businesses therefore need to find a way to facilitate these payments in the
digital world.

Credit cards are not really a viable alternative to cash for micropayments,
since the transaction charges to the merchant and the cost to the bank are
too high. Paying a flat fee charge plus an interchange fee on the purchase price,
for example, on a small value purchase, does not make good business sense
for merchants. Neither does having all the customers wait in line while
the card is swiped and the slip printed, all for a small purchase.

There have been many forms of micropayment vehicles launched in the past
few years and there have been some notable failures, such as
Cybercoin, Digicash and Internet Dollar.

The biggest obstacle to success in the micropayment world has
been getting consumers and merchants to embrace the electronic
micropayment systems, i.e. achieving the critical mass of users.

Customers think of cash as free. If it is too much work to use a
card or reload it, they will not use it. The Mondex stored value card system
(in Canada) is a good example. Mondex sounded like a great idea -
load money onto a card and then, as it is used up, reload it. However,
Mondex failed, in part, because there were only a limited number of
locations where it could be reloaded and it took effort on the part of the
consumer. The convenience did not outweigh the pain of using the
card. So if consumers cannot depend on the system to be as reliable and
worry-free as cash, it will not be a success.

At the merchant level, a micropayment system also needs an acceptable price
point, minimal merchant intervention and technology acceptance. If it does not
have these things, the system will not achieve a critical mass and the
venture will fail. Merchants will not invest the time and money required to
install new readers, train their staff and change the way they accept payment if it
is not going to pay off.

So, what has caused the failures of previous micropayment systems? A
combination of:

■ Requiring consumers to carry multiple cards (based on transaction
nature/amount)
■ Fees
■ Too complicated to use or reload
■ Not enough merchants accepting it
■ Technical glitches.

For these reasons micropayment systems have not yet penetrated the market as
much as they should have. The critical mass of users has been reached in some
industrial countries where the Internet has a high penetration. There is a
need to analyze this new "player" and


Micropayments have special characteristics and requirements, distinct
from those of electronic payment systems in general. A micropayment
system provides a means of transferring small monetary amounts and
serves as a convenient alternative to traditional payment
arrangements. They provide an alternative revenue source for content
providers beyond advertising and subscriptions. They may also provide
additional revenue streams for service providers. The new
micropayment system is developed using a tamper- resistant device
(i.e., smart card), an efficient Message Authentication Code (MAC)
technique, and the concept of overall network security.

A micropayment system involves:

■ A buyer / client
■ A vendor / data editor
■ One or more brokers / intermediates / billing servers

A micropayment system has buyers, sellers, and a broker. The buyers
establish accounts with the broker and provide payment information
allowing the broker to invoice the buyers. The sellers establish
accounts with the brokers and specify terms for accessing items,
including electronic content (music, e-books etc), available from the
sellers. The sellers also provide payment information that allows the
broker to credit the sellers for sales of the items. The broker
aggregates the buyers' micropayment purchases and invoices the
buyers. The broker also aggregates the sellers' micropayment sales
and credits the sellers.

Micropayment Types

Micropayment systems typically take the form of stored value cards or RFID key
fobs, credit-based systems, or account-based systems.

Stored Value Cards and Fobs/Tags

Storing value on a card or other product involves embedding
monetary value on an access device. In the case of card-based
products, the stored value is stored in a microprocessor chip
embedded in a plastic card.

The stored value cards can be loaded with funds from the bank
account and then, as purchases are made, the funds are used up. The
cards can usually be re-loaded from the provider's web site, by phone
or at certain merchants. The most common forms of this type of
product are transit passes, debit-style pre-paid gift cards, e-purses and
cash cards. Stored value products are also referred to as electronic
money or e-money.

The chip technology used in these stored value products tracks the
value remaining on the device. There is no link from the card or key
fob to the consumer's bank account so if the card or the fob is lost,
the only exposure is the amount left in stored value. The money is
gone but the bank account is not compromised.

The cards can be loaded and re-loaded at ATMs, at selected merchant
outlets and through a direct link to a bank account or credit card. The
stored value cards are meant to be a substitute for bank notes and coins. The
limits placed on the amount that can be loaded on the card at any one time are
relatively low and this also contributes to the potential for low theft
risk.

Credit-Based Systems or Products

Credit-based systems use credit cards as the payment vehicle and
remain the domain of the major financial institutions and typical credit
companies - who now prefer to be known as "payment" companies.

In order to try to solve the problem of many fees for small transactions,
these credit-based products depend on a concept known as "aggregation"
to allow micropayments to be made. Aggregation bundles multiple
transactions into one larger one to reduce the transaction charges.
For example, when someone buys 10 songs from iTunes.com,
the card does not show 10 separate charges, but the total of all transactions
plus any taxes. Buyers are charged any fees only once for the aggregated
transaction amount and the merchant only pays one fee as well.

The challenge for the banking industry has been to find a way to authenticate
the consolidated charge. Instead of the more standard direct authorization of
the credit card transaction between the merchant and the card-issuing
institution, with the micropayment aggregation model each small transaction
is not individually authenticated. This can create security headaches for
issuing financial institutions since they cannot determine, at the point of
sale, whether the cardholder has authorized the purchase.
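
The broker model described earlier (buyers, sellers and a broker that aggregates and invoices), the aggregation of many small charges into one, and the authentication gap just described can be illustrated together. The Python below is an added example, not code from the reference book or from any payment scheme: each micropayment carries an HMAC computed with a per-buyer key, so at settlement the broker authenticates every small purchase individually, rejects altered or replayed ones, and only then bundles the accepted amounts into one invoice per buyer and one credit per seller. The broker master key, the buyer and seller names, the amounts and the fee schedule (30 cents flat plus 2%) are all constructed for the example.

```python
# Added example: broker-settled micropayments with per-payment MACs (not the book's code).
# Each buyer holds a key shared with the broker (derived here from a broker master key,
# an assumption of this example). Every micropayment carries an HMAC and a sequence
# number; the broker authenticates each one at settlement, then aggregates. All names,
# amounts and the fee schedule are constructed.
import hashlib
import hmac
from collections import defaultdict

BROKER_MASTER_KEY = b"constructed-broker-master-key"  # assumption: held in the broker's HSM


def buyer_key(buyer_id: str) -> bytes:
    """Per-buyer key, as the buyer's tamper-resistant device would hold it."""
    return hmac.new(BROKER_MASTER_KEY, buyer_id.encode(), hashlib.sha256).digest()


def _signed_fields(p: dict) -> bytes:
    return "|".join(str(p[k]) for k in ("buyer", "seller", "item", "cents", "seq")).encode()


def make_payment(buyer: str, seller: str, item: str, cents: int, seq: int) -> dict:
    """Buyer side: a micropayment token bound to seller, item, amount and sequence number."""
    p = {"buyer": buyer, "seller": seller, "item": item, "cents": cents, "seq": seq}
    p["mac"] = hmac.new(buyer_key(buyer), _signed_fields(p), hashlib.sha256).hexdigest()
    return p


def verify_payment(p: dict) -> bool:
    """Broker side: recompute the MAC and compare in constant time."""
    expected = hmac.new(buyer_key(p["buyer"]), _signed_fields(p), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, p["mac"])


def card_fee_cents(cents: int, flat_cents: int = 30, bp: int = 200) -> int:
    """Constructed card fee: flat amount plus interchange in basis points (2.00%)."""
    return flat_cents + cents * bp // 10_000


def settle(payments: list) -> tuple:
    """Authenticate every micropayment, drop tampered or replayed ones, then aggregate
    into one invoice per buyer and one credit per seller."""
    invoices, credits, rejected, last_seq = defaultdict(int), defaultdict(int), [], {}
    for p in payments:
        if not verify_payment(p):
            rejected.append(("bad_mac", p))
            continue
        if p["seq"] <= last_seq.get(p["buyer"], 0):
            rejected.append(("replay", p))  # a valid token presented a second time
            continue
        last_seq[p["buyer"]] = p["seq"]
        invoices[p["buyer"]] += p["cents"]
        credits[p["seller"]] += p["cents"]
    return dict(invoices), dict(credits), rejected


def fee_comparison(accepted: list) -> tuple:
    """Fees if each purchase hit the card separately versus once as an aggregate."""
    separate = sum(card_fee_cents(p["cents"]) for p in accepted)
    aggregated = card_fee_cents(sum(p["cents"] for p in accepted))
    return separate, aggregated


def sample_settlement() -> tuple:
    """Constructed batch: three purchases by alice, one by bob, one altered, one replayed."""
    alice = [make_payment("alice", "musicshop", "song-1", 99, 1),
             make_payment("alice", "musicshop", "song-2", 99, 2),
             make_payment("alice", "newsdesk", "article-7", 25, 3)]
    bob = make_payment("bob", "newsdesk", "article-7", 25, 1)
    tampered = dict(alice[0], cents=1)  # amount changed after signing: MAC no longer matches
    replayed = dict(alice[1])           # same signed token submitted twice
    return settle(alice + [tampered, replayed, bob]), fee_comparison(alice)


if __name__ == "__main__":
    (invoices, credits, rejected), fees = sample_settlement()
    print(invoices, credits, [kind for kind, _ in rejected], fees)
```

fee_comparison shows why aggregation matters: alice's three purchases would cost 92 cents in fees charged separately but 34 cents as one consolidated charge. The per-payment MAC and sequence number answer the concern above: the issuer never sees the individual purchases, but the broker can still prove each one was authorised by the buyer's device before it is rolled into the consolidated charge.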

Many credit-based products are also relying on RFID and chip systems to
eliminate the need for a signature or a PIN and also to make the transaction
more secure.

Account-Based Systems or Products

The most common type of account-based product is the debit card, which
accesses funds in the bank account of the user directly and
transfers funds to the merchant account.

The requirement for a PIN can slow down the process and lead to the
product not being used for micropayments. Like the credit-based products,
the introduction of contactless products helps with this.

The major difference between account-based systems and credit-based
systems resides in whose money is being used to pay. In an account-based
system, the money is the buyer's, whereas with a credit-based system the
money is the bank's.

Legal and Policy Issues

In most instances, micropayment products have not been around or
survived long enough for all the legal issues to be explored or resolved.
There are, however, some interesting legal and policy issues that should be
explored, for example:

■ Does the issuance of e-money, which is meant to be a substitute for
coins and paper currency, create a new money supply? If so, does it
have any effect on the monetary policy of countries that
have systems using e-money?
■ Will e-money issuers that are not regulated financial institutions be
required to report to a central authority on the amount of e-money
issued?
■ What happens to the remaining stored value on a merchant-issued card
when the merchant closes his business? Consumer
protection will have to address this, perhaps through the
requirement for funds to be placed in secure escrowed trust
accounts.
■ Is privacy really assured with the use of RFID? What happens if there
is a security breach at an unregulated stored value facilitator or
intermediary?
■ Consumer protection concerns with respect to assurances of
confidentiality, security and the viability and identity of any third
party micropayment processors need to be addressed on an
ongoing basis.
■ Should companies wishing to issue e-money be
subject to regulatory supervision which will ensure that they
meet minimum requirements for licensing, solvency, liquidity, risk
management and security?
■ As new technologies are developed, or older ones adapted, the
potential for patent infringements increases and so will the
number of infringement lawsuits.

All developers and sellers of micropayment systems understand the
need to secure the transactions made using their systems. It is
critically important that others do not have the ability to create
counterfeit value. The RFID chip card is meant to accomplish this,
since the chip cannot be read or duplicated and so, if someone steals
a stored value card and does not have the customer's PIN, the
remaining value can be used by the thief but the card cannot be
reloaded without the PIN.

Stored value cards (gift cards or keypass payment cards for example)
are valuable tools for merchants because they can be tied to
marketing campaigns and loyalty programs and build a consistent
customer base. However, personal information such as the customer's
name and address, as well as buying habits and recent purchases, are
collected as part of these cards. This personal information is not only
sensitive, it is extremely valuable and it must be protected and
collected only in accordance with relevant privacy laws. The potential
for abuses can be high.

All of the legal, security and privacy issues become particularly
important if any of the business operations of the e-money provider
are outsourced - particularly if outsourced to a jurisdiction that does
not have a strong banking and credit regulatory regime.

Even though the Internet, e-commerce and the technology to
facilitate online micropayments have been around now for many
years, it appears that the micropayments field is still developing.
In many instances, the classic "chicken and egg" dilemma stalls the
implementation of new products. Consumers and merchants will not
embrace the new products until they can be sure that the product will
be widely accepted and easy to use. However, the product cannot be
widely accepted until a critical mass of consumers and merchants use
it.

It may be that the already recognized players in this field, the
credit/payment institutions, will dominate the micropayments field
overall because they are known players, are trusted by merchants and
consumers to provide a product that works, and are already
producing and marketing products for other payment systems that
are in widespread use.

Finally, one of the keys appears to be the ability to ensure that
appropriate technical and security standards are in place to ensure
that merchants do not need to install multiple readers and systems
and that customers do not have to change their buying habits and
lifestyle to use the technology.


Open Source Software

Well-known proprietary software is supplied under a license agreement
which may require a fee to use the software, or may limit the number of
machines the software can be used on, and which usually prohibits any
copying or redistribution.

However, open source software can be used, modified and improved by
anyone and can be redistributed freely. That is, open source software is
made available under a different type of license that allows users to
copy, redistribute and modify the source code. Software is considered to
be "open source" if its source code is available under a license approved by
the Open Source Initiative (OSI).

When open source software is referred to as "free" software, this does not
mean the free trials or free cut-down versions of proprietary
software, nor software which is supplied free of charge (known as
"freeware"), although in practice most open source software is free in this
sense as well. "Free" in the definition of open source software is not used
in the sense of cost but refers to programs where the computer code which
creates the software is made available to everyone with few or no restrictions.

For software to be considered "free", it must allow four fundamental
freedoms first identified by the Free Software Foundation:

■ The freedom to run the software for any purpose.
■ The freedom to study and modify the software.
■ The freedom to copy the software.
■ The freedom to improve the software.

The two concepts, "free" and "open source", are closely related - each
is an attempt to codify "software freedom" into a copyright licence. For this
reason Open Source Software is referred to as Free Software or FOSS
or FLOSS. FOSS is Free Open Source Software, FLOSS stands for Libre
Open Source Software. Libre is included to make the distinction between
being free of cost/charge and being free as in the freedoms above.
Open Source Software is usually (but not necessarily) free of charge at the
point of acquisition but it is not necessarily free of cost in terms of support.

This open approach means that anyone can study and alter the source
and therefore contribute to the development process.

Development of open source software

The open availability of source code results in a very different
development model to proprietary software. Proprietary software is
typically created by teams of developers paid by companies to create
programs which are sold to users to make a profit. The company will have
made an investment in the development of the code and it is in their
interest to protect this and the ideas contained within it. It will not
necessarily be in the company's interest to ensure their software is
compatible with other companies' software or hardware.

Open source software, on the other hand, is developed using a
collaborative approach where the outcomes of this joint effort are
available without charge. The program code is not kept closed but
published for others to study and improve as part of this spirit of sharing and
collaboration.



Open source projects are usually initiated by an individual or small
group of people with an idea for software they want to develop. They
start writing the code to bring the idea into reality, and will often
make an early version of the application available to demonstrate how
the software will work (hence the open source mantra, "release early,
release often"). They then make the code freely available so others
can join in the development process, for example by contributing
their own ideas for features and improvements, working on bug fixes
and amending and developing the source code to incorporate new
ideas.

This can result in a very rapid development process as more and
more developers get involved and start contributing. Teams can
become large and global as they communicate via the web;
communities of developers and users are formed around the program
with everyone sharing ideas and information with the common goal
of making the program better and more stable, more capable, more
useful.

Developers often come from a wide variety of countries leading to
the creation of localized versions in many different languages.

Benefits of open source software

The main benefits of open source software for most users are that there
are no restrictions on use and that the software is usually free to
acquire. Programs can be installed on as many computers as required without
costing anything.

Another benefit of open source software is that it frees the user from
the 'vendor lock-in' associated with many proprietary programs. Lock-
in is where a company makes software incompatible with that of their
rivals forcing the user to stick with one company's programs. Open
source software tends to use open standards, thus improving
compatibility between software packages.

Open source software is usually very similar to its proprietary
counterparts so that users should encounter similar interfaces, giving
the same familiar look and feel. Skills learnt using proprietary software
can be transferred to open source software as most of the features
are broadly similar. For example, OpenOffice.org is a free suite of
Office tools - the counterpart of Microsoft Office. It has the same core
components as proprietary options, such as a word processor,
spreadsheet and presentation builder. The programs function in a very
similar way to proprietary alternatives; for example the way in which
the text is formatted in MS Word processor or data is entered into
cells in MS Excel.

What programs are available as open source?

There is a very wide range in most categories of computer software, including office tools
(e.g. word processing, spreadsheets, presentations, desktop publishing, databases), internet
tools (e.g. e-mail, browsers), web-based applications (e.g. content management systems,
information management systems), graphics, video and audio tools, utilities and operating
systems. There is an open source alternative to most of the major proprietary applications.
Different types of open source software alternatives to specific proprietary products can be
located at http://www.osalt.c

Linux (operating system), Mozilla (Netscape browser core), Apache (web server), PERL (web
scripting language) and PNG (graphics file format) are all examples of very popular
software that is based on open source.

A common concern for businesses and end-users who wish to use open source software is
the lack of a warranty and technical support. Because the software's license encourages
modification and customization, it is nearly impossible to provide support. Many firms
sell the open source software and the main value added is the provision of warranty and
technical support. For most businesses, the assurance of technical support is generally a key
factor in the decision to buy the open source software instead of simply downloading it
for free.

Open Source's proponents often claim that it offers significant benefits when compared to
typical commercial products. Commercial products typically favor visible features (giving
marketing advantage) over hard-to-measure qualities such as stability, security and similar
less glamorous attributes. This can be described as the quality versus features phenomenon.

Open Source software developers are evidently motivated by many factors, but favoring
features over quality is not noticeable amongst them. For developers, peer review and
acclaim is important, so it's likely that they will prefer to build software that is admired by
their peers. Highly valued factors are clean design, reliability and maintainability, with adherence to
standards and shared community values preeminent.

In addition, most users of Open Source products have access to the source code and
debugging tools, hence often suggest both bug fixes and enhancements as actual changes
to the source code. Consequently, the quality of software produced by the Open Source
community often exceeds that produced by purely commercial organizations.

Reasons to use open source

Focus: Open source software gets closest to what users want because users
can have a hand in making it so. It's not a matter of the vendor telling users what
it thinks they want - users and developers themselves decide what they want.

Customizability: Business users can take a piece of open source software and alter it to
suit their needs. Since the code is open, it's simply a matter of modifying it to add the
functionality they want. That's impossible with proprietary software.

Freedom: When businesses turn to open source software, they are free from the
severe vendor lock-in that can afflict users of proprietary software. Customers of such
vendors are at the mercy of the vendors' requirements, dictates, prices, priorities and
timetable, and that limits what they can do with the products they're paying for.

Interoperability: Open source software is much better at adhering to open standards
than proprietary software is.
The opponents of open source software also put forward their points of view and
concerns. They believe that good quality software is created by careful planning and
cooperation by a close-knit team of programmers and not necessarily by a large
community - number is not important, they say. They also worry about the technical
support (already discussed). The OSS opponents finally claim that most free software is
poor or unusable. It's not apparent because protagonists like to use the isolated points
fallacy to sell the idea that OSS is great. The 'isolated points fallacy' consists of taking the
high scoring points on the graph and ignoring all the other points. Hence OSS champions
highlight a few examples of success - Star Office, Emacs, Red Hat Linux, and SBCL - ignoring
the vast sea of barely floating, half submerged, buggy and abandoned open source
software development projects.

Image-Based Cheque Processing
Paper cheques provide consumers and businesses with a critical alternative
payments mechanism. While total volume continues to decline, still billions of
cheques are written and processed each year, and consumers and businesses
worldwide remain confident and satisfied with writing cheques. However, cheque
processing is experiencing a radical change as financial institutions and their customers
now have new, more efficient ways to process and clear cheques. Financial institutions
need to develop and implement a cheque image clearing strategy to remain competitive
in the future.

Since its implementation in October 2004, the Cheque Clearing for the 21st Century Act
(Check 21) has enabled greater use of imaging technology for cheque clearing. Because of
this law, financial institutions are empowered to convert original paper cheques to
electronic images for clearing and processing. This provides a faster, more efficient
method for cheque clearing. Each financial institution should consider the benefits of
image-based cheque clearing and include supporting technology investments into their
competitive strategy.

Financial institutions that continue to exclusively process paper cheques will be hindered
by geographical barriers and limited customer service improvements and will be subject
to unnecessary, anti-competitive overhead costs. Institutions that hesitate are at a
competitive disadvantage.

While the move to full cheque truncation via image exchange will require an initial
investment, the payback period is short and long-term benefits are significant. Financial
institutions that invest in cheque image exchange experience the following financial and
operational improvements:

1. Improved Clearing Times - Cheques enter the clearing process faster as electronic
images since physical transportation to a processing location is eliminated.

2. Reduced Expenses - Cheque electronification eliminates the need and associated
expenses of transporting paper cheques to processing sites and clearing houses.
Additionally, float expenses can be diminished since there will no longer be
collection delays caused by transportation, weather-related and law-and-order problems.

3. Reduced Overhead - Without paper cheques to process, many overhead or
infrastructure expenses - processing costs, human resource expenses, and equipment
expenses - are eliminated and re-deployed.

4. Diminished Fraud Exposure - Faster clearing times will help financial institutions
reduce exposure to fraud.

5. Expanded Service - The potential extension of deposit deadlines provides customers
with better service and improved funds availability.

6. Enhanced Error Resolution - Processing problems, both with individual deposits or in
full-scale contingency situations, can be addressed, as images can be forwarded or
restored at another location.

7. Improved Customer Acquisition/Retention - A financial institution that does not
offer remote data capture or enhanced image-based products/services could lose
business to their competitors, potentially risking their revenue and customer base.

The Benefits of Cheque Image Exchange
As costs to process and transport paper cheques rise, all financial institutions
need to understand the dynamics of paper-based cheque processing and how
to implement image-based clearing solutions. Image-based clearing is at the
forefront due to the passage and implementation of the Check 21 Act in the USA.

Financial institutions must respond competitively to these industry changes. This
response should begin with an assessment of the costs and drawbacks associated
with continued paper cheque processing, and consider factors such as:

1. Increased costs including clearing fees, infrastructure expenses, transportation
costs and float impacts.

2. Geographical barriers that remain between processing locations and branches.

3. Loss of existing and potential new customers due to the competitive edge gained
by competitors that effectively clear all items electronically and offer enhanced
customer services.

Trade organizations, service providers, vendors and consultants are helpful
resources for financial institutions developing cheque image exchange
strategies. Once the technology is in place, organizations must work to
educate customers, and if necessary, change their behavior to enable the
move toward image exchange. This includes explaining long-term benefits
and addressing concerns and misconceptions with a focus on:

■ Increased customer confidence in and dependence on convenient
cheque image exchange

■ Improved payments options and services for customers

■ Information security technology and consumer legal protections that
make image clearing safe and reliable and eliminate the need to
process original paper cheques.

Conclusion
Cheques are the largest non-cash payment option in the world today and
remain a critical part of the payments system. All financial institutions
must prepare for cheque image exchange and remember the following:

The implementation of the Check 21 Act in October 2004 enables
movement to a more efficient cheque payment system through full
truncation via image exchange. The cost of processing a paper cheque is
rising dramatically. Declines in paper cheque volume are making paper
cheque processing more time intensive. Financial institutions that invest in
cheque image clearing ensure an efficient and effective cheque clearing
system for all.

Check 21 Act
The Cheque Clearing for the 21st Century Act (or Check 21 Act) is a US
Federal law that was enacted on October 28, 2003. The Check 21 Act took
effect one year later on October 28, 2004. The law allows the recipient of
the original paper cheque to create a digital version of the original
cheque (called a "Substitute cheque"), thereby eliminating the need for
further handling of the physical document. This makes cheque processing
faster and more efficient. It is designed to replace the old process
whereby banks must physically move original paper cheques from the
bank where the cheques are deposited to the bank that pays them,
transportation that can be inefficient and costly.

Under Check 21, banks can electronically transmit cheque images rather
than physically moving the original paper cheques between the receiving
and paying banks.

The process of removing the paper cheque from its processing flow is
called truncation. In truncation, both sides of the paper cheque are
scanned to produce a digital image. If a paper document is still needed,
these images are inserted into specially formatted documents containing a
photo-reduced copy of the original cheques called a "Substitute cheque".

A substitute cheque is a special paper copy of the front and back of an
original cheque. The substitute cheque may be slightly larger than the
original cheque. Substitute cheques are specially formatted so they can be
processed as if they were original cheques. The front of a substitute
cheque states: "This is a legal copy of your cheque. You can use it the
same way you would use the original cheque."

Not all copies of a cheque are substitute cheques. For example, pictures of multiple
cheques printed on a page (also known as an image statement) that is sometimes returned
to account holders in some countries with their monthly statement are not substitute cheques.
Online cheque images and photocopies of original cheques are not substitute cheques.
Once a cheque is truncated, businesses and banks can work with either the digital image or a
print reproduction of it. Images can be exchanged between member banks. Not all banks may
have the ability to receive images, so there are companies who offer the service and
technical support.
Biometric ATMs
Two important issues globally affecting commerce today are identification and
authentication of an individual. Identification says who the user is and authentication
specifies what can be done with that identity. Biometrics may provide some of the
solutions in this regard to improving security. A biometric is a characteristic of a human
body such as a fingerprint, or a feature such as voice. Ideally, a biometric should be unique
and impossible for anyone else to copy or forge. There are currently several different
kinds of biometric, all offering unique functions and benefits. Before being used, a user's
biometric trait must be "enrolled". This involves recording their biometric and then linking
it to their given identity. Once enrolled, the system administrator will authenticate the
individual for access to services.

Biometric characteristics can be divided into two main classes:

■ Physiological characteristics are related to the shape of the body. Examples include,
but are not limited to, fingerprints, face, DNA, palm print, hand geometry,
iris recognition, which replaced retina, and odor/scent.
■ Behavioral characteristics are related to the behavior of a person. Examples include,
but are not limited to, typing rhythm and voice. Some researchers have coined
the term behaviometrics for this class of biometrics. Strictly speaking, voice is also a
physiological trait, because every person has a different vocal tract, but voice
recognition is mainly based on the study of the way a person speaks, so it is
classified as behavioral.

Iris recognition has proven its capability in implementing reliable security protocols in
various high risk sectors like aviation and defense. However, lately, due to the falling
prices of iris scanners, it has found further application in the retail industry.

The banking and financial sector has adopted this system because of its robustness
and the advantages it provides in security and in making processes more streamlined. The
technology was initially a novelty, but, due to exigencies in the banking sector, decreasing
profits, increasing competition and other mounting pressures, it became a necessity. The use
of biometric ATMs based on iris recognition technology has gone a long way in improving
customer service in a safe and paperless banking environment.

Iris recognition technology captures the intricate iris patterns using an iris scanning device.
This data is then digitized and stored for future reference along with some other parameters
like name and address. Iris data is more reliable and durable because the iris is covered by
a protective sheath which protects it from damage. Due to this durability, an iris recognition
system requires only a single enrolment. Unlike fingerprints, the iris can be imaged from
about 1 m away. This is important as it ensures contactless and clean scanning. Yet, like
fingerprints, iris patterns are unique to individuals. Even identical twins don't have identical
patterns nor does one person's right and left eye. The patterns are stable throughout life.

Iris-based biometric ATMs are more secure than conventional PIN-based ATMs because
they require biometric verification which cannot be stolen, copied or faked. PIN-based
security systems can be compromised, leading to losses for the consumer as well as the
bank. Also, customers find it very tedious to remember passwords and PIN numbers;
moreover, the task of requesting a new set of passwords is itself fraught with endless
communication to and from the customer and the bank, leading to poor customer
experience.

Before the iris can be imaged, it has to be located in the face. Sensar, Inc. (USA) has
developed camera technology that first identifies the head, then the eyes, and then the
irises. The IriScan algorithm precisely locates the outer and inner borders of the iris, and
detects and excludes the eyelids if they cover part of the iris. The system uses a
mathematical technique called wavelet analysis to translate the image of the iris into a
512-byte pattern. This pattern is called the iris code. Once an iris code is prepared, the
algorithm compares a specific code against a group of codes previously stored in the
computer.

In different countries, biometrics technology (fingerprint authentication to be precise) has
been successfully used to combat ATM fraud. In developing countries such as Nigeria, according
to reports, ATM fraud seems to be committed mostly by individuals linked to bank
officers who are able to provide PIN numbers and other relevant information required to
commit such crimes. With biometrics, such fraudulent incidents can be minimized, as an
added layer of authentication is now introduced that ensures that even with the correct
PIN information and in possession of another person's ATM card, a fraudster will not be
able to withdraw any money since the biometric features of every individual are unique.
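The iris-code comparison and the card + PIN + biometric check described above, as an added example; it is not code from the textbook, from Sensar, Inc. or from the IriScan product. It assumes Daugman-style iris codes (a 512-byte bit pattern plus a same-size mask marking the bits not hidden by an eyelid, compared by fractional Hamming distance over mutually visible bits), an assumed match threshold of 0.32, a tolerance of a few bits of code rotation for head tilt, and a constructed account, PIN and random iris codes; the wavelet analysis that turns an eye image into a real iris code is outside the example.

```python
"""Iris-code matching and card + PIN + iris verification at an ATM.

Added example: not code from the textbook, from Sensar, Inc. or from IriScan.
Assumes Daugman-style iris codes: a 512-byte bit pattern plus a same-size
mask whose 1-bits mark iris bits that were visible (not hidden by an eyelid),
compared by the fractional Hamming distance over mutually visible bits.
Iris codes here are constructed at random; the wavelet analysis that derives
a real code from an eye image is not part of this example.
"""
import hashlib
import hmac
import os
import random

IRIS_CODE_BYTES = 512
MATCH_THRESHOLD = 0.32  # assumed decision point: fraction of differing bits
MAX_SHIFT_BITS = 4      # tolerated head tilt, expressed as code rotation


def _rotate(pattern: bytes, bits: int) -> bytes:
    """Circularly rotate a bit pattern left by `bits` (negative = right)."""
    n = len(pattern) * 8
    v = int.from_bytes(pattern, "big")
    bits %= n
    v = ((v << bits) | (v >> (n - bits))) & ((1 << n) - 1)
    return v.to_bytes(len(pattern), "big")


def fractional_hamming(code_a, mask_a, code_b, mask_b) -> float:
    """Share of bits visible in both codes that differ (0.0 = identical)."""
    usable = differing = 0
    for a, b, ma, mb in zip(code_a, code_b, mask_a, mask_b):
        both = ma & mb
        usable += bin(both).count("1")
        differing += bin((a ^ b) & both).count("1")
    if usable == 0:
        raise ValueError("no overlapping visible bits to compare")
    return differing / usable


def match_distance(code_a, mask_a, code_b, mask_b) -> float:
    """Smallest distance over small rotations of the probe (head tilt)."""
    return min(
        fractional_hamming(code_a, mask_a, _rotate(code_b, s), _rotate(mask_b, s))
        for s in range(-MAX_SHIFT_BITS, MAX_SHIFT_BITS + 1)
    )


def _pin_hash(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash so a copied account table does not reveal PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class AtmAuthenticator:
    """Enrolled templates; a withdrawal needs card + PIN + matching iris."""

    def __init__(self):
        self._accounts = {}

    def enroll(self, account_id, pin, iris_code, iris_mask):
        salt = os.urandom(16)
        self._accounts[account_id] = {"salt": salt, "pin_hash": _pin_hash(pin, salt),
                                      "code": iris_code, "mask": iris_mask}

    def verify_withdrawal(self, account_id, pin, probe_code, probe_mask) -> str:
        rec = self._accounts.get(account_id)  # identity claimed by the card
        if rec is None:
            return "unknown_card"
        if not hmac.compare_digest(_pin_hash(pin, rec["salt"]), rec["pin_hash"]):
            return "pin_rejected"
        # One-to-one comparison against the template enrolled for that identity.
        if match_distance(rec["code"], rec["mask"], probe_code, probe_mask) > MATCH_THRESHOLD:
            return "biometric_mismatch"
        return "approved"


def simulate_capture(rng, code, mask, flip_fraction=0.10, tilt_bits=3, eyelid_bits=400):
    """Constructed live capture: some bits differ (lighting, focus), the head
    is tilted by a few bits, and an eyelid hides a contiguous band of bits."""
    n = len(code) * 8
    c, m = int.from_bytes(code, "big"), int.from_bytes(mask, "big")
    for pos in rng.sample(range(n), int(n * flip_fraction)):
        c ^= 1 << pos
    start = rng.randrange(n - eyelid_bits)
    m &= ~(((1 << eyelid_bits) - 1) << start)
    return (_rotate(c.to_bytes(len(code), "big"), tilt_bits),
            _rotate(m.to_bytes(len(mask), "big"), tilt_bits))


def demo(seed=7) -> dict:
    """Enrol one constructed customer and run three withdrawal attempts."""
    rng = random.Random(seed)
    full_mask = b"\xff" * IRIS_CODE_BYTES
    customer_iris = bytes(rng.getrandbits(8) for _ in range(IRIS_CODE_BYTES))
    fraudster_iris = bytes(rng.getrandbits(8) for _ in range(IRIS_CODE_BYTES))
    atm = AtmAuthenticator()
    atm.enroll("ACCT-0001", "4821", customer_iris, full_mask)  # constructed account/PIN
    live = simulate_capture(rng, customer_iris, full_mask)
    stolen = simulate_capture(rng, fraudster_iris, full_mask)  # fraudster at the ATM
    return {
        "genuine": atm.verify_withdrawal("ACCT-0001", "4821", *live),
        "stolen_card_and_pin": atm.verify_withdrawal("ACCT-0001", "4821", *stolen),
        "wrong_pin": atm.verify_withdrawal("ACCT-0001", "0000", *live),
    }


if __name__ == "__main__":
    print(demo())
```

The withdrawal is refused when the card's account is unknown, when the PIN does not verify against its salted hash, or when the best-aligned distance between the live iris code and the enrolled template exceeds the threshold, so a stolen card plus the correct PIN is not sufficient on its own. The comparison is one-to-one against the identity the card claims, which is the natural ATM design: the card already supplies an identity, so there is no need for a one-to-many search of every stored code, which would raise the false-match rate.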

ATMs also use fingerprints to authenticate a user. If iris scanning has attracted the
most attention, finger imaging, based on the long-established technology of
fingerprinting, is the most widespread biometric technology and the one favored by
most government agencies. In this approach, an individual places a finger on an optical
scanner, which scans in a digitized image of the person's fingerprint.


More recently, finger vein authentication technology is also becoming popular. This
technology has several important features that set it apart from other forms of
biometrics as a highly secure and convenient means of personal authentication. Some
reasons for its popularity are:

■ Resistant to criminal tampering: because veins are hidden inside the body, there is
little risk of forgery or theft.
■ The finger vein (FV) pattern is inside the finger and cannot be acquired easily without consent.
■ High accuracy.
■ Unique and constant: finger vein patterns are different, even among identical twins,
and remain constant through the adult years.
■ Contactless: the use of near-infrared light allows for non-invasive, contactless
imaging that ensures both convenience and cleanliness for the user experience.
■ Ease of feature extraction: finger vein patterns are relatively simple and clearly
captured, enabling the use of low-resolution cameras to take vein images for
small-size, simple image data processing.
■ Fast authentication speed: one-to-one authentication takes less than one second.
■ The authentication device can be compact due to the small size of fingers.

Stored Value Cards
A stored value card refers to monetary value on a card not in an externally recorded
account and differs from prepaid cards where money is on deposit with the issuer,
similar to a debit card. One major difference between stored value cards and prepaid
debit cards is that prepaid debit cards are issued in the name of individual
account holders, while stored value cards are usually anonymous/bearer.

The term "stored value card" means that the funds and/or data are physically stored
on the card. With prepaid cards the data is maintained on computers affiliated with
the card issuer. The value associated with the card can be accessed using a magnetic
stripe embedded in the card, on which the card number is encoded; using radio
frequency identification (RFID); or by keying in the card number on a POS system
keyboard.

Stored value cards are one of the most dynamic and fastest growing segments in the
financial industry. Specific merchants' gift cards, prepaid telephone cards, prepaid debit
cards and government benefit cards are all examples of stored value cards. Certain types
of these cards are being heavily marketed to low-income consumers, especially the
unbanked. Although these cards may provide consumers with a more effective means
of accessing funds and making financial transactions than cash, consumers need to be
aware that these cards come with a vast array of features, fee structures and levels of
consumer protections.

There are two main categories of stored value cards in the
marketplace. The first prepaid cards made available to the marketplace
were single-purpose or 'closed-loop' cards. Gift cards, which can only
be used to purchase goods at particular retailers, and prepaid
telephone cards, which can only be used to make telephone calls, are
examples of single-purpose cards. The second type of card to emerge
was a multipurpose or 'open-loop' card, which can be used to make
debit transactions at a wide variety of retail locations, as well as for
other purposes. Some multipurpose cards are branded by Visa or
MasterCard and can be used wherever these brands are accepted.

Consumers obtain stored value cards in a variety of ways. They may
obtain a payroll card from an employer, an electronic benefit card
from a government agency, or a gift card from a retail store.

Among stored value cards, reloadable multipurpose cards most
closely resemble traditional deposit account debit cards in
functionality and are thus most likely to meet the needs of the
unbanked community. Consumers can not only use these cards to
make payments to a wide variety of merchants and service providers
(electric, phone, gas companies) but can also reload them with
additional funds. The ways in which cards can be reloaded vary but
may include direct deposit, money wire transfer, money order, or cash
presentment at designated retail locations such as convenience stores.

Given the wide range and complexity of card types and features,
consumers must weigh the benefits of these features against the
additional costs incurred. Cards that have relatively high fees in one
category often tend to have relatively low fees in another category;
for example, higher monthly fees are often associated with lower or
no transaction fees.

Other potential fees to look for include: transaction limit fee, bill
payment fee, reload fee, money transfer fee, out-of-network domestic
ATM transaction fee, inactivity fee, overdraft fee, payday advance fee,
credit-reporting fee, dispute resolution fee, etc.

Consumers should also pay attention to whether or not their financial
transactions generate dual or hidden fees. For example, while the
company offering the card may not charge a fee to the consumer for
reloading the card, there may be a charge from a third party, such as
a retail store or a check cashing business, that accepts and loads
these funds.

Stored value cards may not offer all of the consumer protections that
come with traditional checking accounts. Although a reloadable
multipurpose card may provide a level of functionality equal to or
better than a traditional checking account, not all cards offer the
consumer protections enjoyed when holding a traditional checking
account.

Summary
During the recent past many technology-based functionalities have been
adopted in banks, especially regarding customer-facing operations.
This is done with the objective of providing better service, improving
asset efficiency, reducing cycle times and bringing efficiency in
general to all functions. Near field communication allows for simple
transactions, data exchange, and connections with a touch. Based on
inductive coupling, NFC uses loosely coupled inductive circuits to
exchange power and/or data over a short
distance (usually about four centimeters).

Emerging NFC standards allow customers to quickly purchase products and
transfer secure information by touching devices. NFC allows companies to
reduce staffing, printing, and point of sale costs.

Contactless technology, an application of NFC technology, is fast gaining
popularity and is an easy way to complete a transaction quickly and securely.
A micropayment is a financial transaction involving a very small sum of
money and usually one that occurs online. Micropayments were originally
envisioned to involve smaller sums of money. A micropayment system has
buyers, sellers, and a broker. Micropayment systems typically take the form of
either a stored value card or RFID key fobs, credit-based systems or account-
based systems.

Open source software can be used, modified and improved by anyone and
can be redistributed freely. That is, open source software is made available
under a different type of license that allows users to use, copy, redistribute
and modify the source code.

The main benefits of open source software for most users are that there are
no restrictions on use, and that the software is usually free to acquire.
Programs can be installed on as many computers as required without cost.

Check processing is experiencing a radical change as financial institutions and
their customers now have new, more efficient ways to process and clear checks.
Financial institutions need to develop and implement a check image clearing
strategy to remain competitive in the future. Financial institutions that invest
in check image exchange experience financial and operational improvements
including improved clearing times, reduced expenses and overheads, diminished
fraud exposure, enhanced error resolution and improved customer
acquisition/retention.

A stored value card refers to monetary value on a card not in an externally
recorded account and differs from prepaid cards where money is on deposit
with the issuer, similar to a debit card. One major difference between stored
value cards and prepaid debit cards is that prepaid debit cards are
issued in the name of individual account holders, while stored value cards
are usually anonymous/bearer.
Reference Links
The chapter is developed using web resources at the following non-exhaustive list of URLs:

■ http://ezinearticles.com/?Near-Field-Communication-Technology:-A-New-Evolution!&id=6232795 (NFC)
■ http://www.finextra.com/community/fullblog.aspx7ich4301 (Contact-less)
■ http://www.dww.com/?page_id=1158 (micropayments)
■ http://www.aip.org/tip/INPHFA/vol-6/iss-1/p20.pdf (Bio-metric ATM)
■ http://EzineArticles.com/5270066 (Stored value)
■ http://www.ny.frb.org/regional/stored_value_car.dshtml (Stored value)
■ http://opensourceschools.org.uk/book/export/html/142 (Open source)
■ http://www.pcworld.com/businesscenter/article/209891/10_reasons_open_source_is_good_for_business.html (Open source)

Part 7: IT Policy in Financial Institutions

In this part: Importance of an organization-wide IT usage policy

Learning Outcome
By the end of this chapter you should be able to:
■ State the importance of an organization-wide IT usage policy
■ List the key components essential to an organization-wide IT policy
■ Describe the framework of an optimal IT policy
■ Define the types of user restrictions that can be implemented through
the IT policy
■ Discuss scheduled back-ups
■ Recall Antivirus safeguards
■ State the importance of data confidentiality

Organizational Policies and Procedures
An organization's documented policies and procedures are
dynamic in that they must be continuously updated and constantly
refined. Perhaps no other single aspect of an entity more clearly
reflects its culture and philosophy than the body of written policies and
procedures by which it governs. While written policies are important for all
organizations, in banks and other financial institutions this need is even
greater. A bank must have standard policies and procedures for all
its functions including IT and data management. Organization-wide IT
policies are required to maintain consistency and reliability in operations
and for ensuring provision of customer services 24/7, while data
management policies are required to maintain data confidentiality and
integrity.

The direct approval of the top management is necessary. Ideally the
policies and procedures should be reviewed and approved by the
governing body such as the Board of Directors or a committee thereof.
This support from the top of the organization must also be clearly reflected
in the document itself.

Additionally, management must support the effort through "example". This
means that the policies and procedures must apply to everyone, regardless
of their position within the organization. If exceptions are to be allowed,
the exceptions should be stipulated in the policy and procedure document.

If a "perfect" policy and procedure document could ever exist, even it
would be of no value if the people subject to its contents and responsible
for its implementation and enforcement are not aware and committed.
Ownership is supreme. Traditionally, binders of printed documents were
reproduced and widely distributed so as to be accessible to the staff and
workforce. Today, fewer printed copies are prepared and there is a greater
reliance on electronic media. A best practice is for the IT department (other
departments also) to have its own website on the organization's intranet.
Among the many benefits of this is the ability to make the IT policies and
procedures (especially related to security maintenance) readily
available for reviewing and downloading. Additionally, updating
becomes convenient.

The essential contents of the policies and procedures should also
be presented during employee orientations and included in an employee
handbook. Typical relevant documentation that exists in organizations
can be described as follows:

POLICY: The organization's stated objectives and the
requirements in general terms. Policy also establishes departmental
responsibilities and coordinates interaction where issues may overlap.
Most importantly, it conveys a Policies address specific issues,
although the statements are usually broad and without detail.

STANDARDS: Standards establish minimum performance
parameters. They are statements that are usually "actionable",
"measurable" and "observable". Standards are more detailed than
policies, and can often be the same as or similar to technical
specifications.

GUIDELINES: Policies and standards require writing in a very
precise, special way that avoids misunderstanding. Because it is
not a style that most people are accustomed to reading, some
helpful explanatory notes can aid in comprehension. Guidelines serve this
purpose but are not "requirements" in themselves.

PROCEDURES: Procedures are directed at persons responsible for
taking action under the various circumstances and conditions, or in
response to events. These are very specific and step-by-step to
the extent that is practical and reasonable. Where policies and
standards may apply on an enterprise-wide basis, there will always be a
large portion of the procedures that must be specific to each individual
location or facility.

EMERGENCY PLANS: Generally, a given facility will have need
for several emergency plans, each addressing specific events.
Emergency plans are constructed - in part - so that they may be
referenced in real time during an event.

IT policies
The reliance on technology is increasing and in many cases, this
reliance is the life line of companies and organizations. This
dependence creates a substantial need for competent and trustworthy
IT staff and well-formulated policies and SOPs (standard operating
procedures). But often, IT departments are neglected and
poorly financed. Keeping "on the level" is often expensive
and time-consuming. Fortunately, there is a shift from the legacy
position and there is a greater appreciation of IT in contemporary
organizations and IT is now being given its due importance.

Computer hardware and networking infrastructure is the
main component in any enterprise architecture. The infrastructure
consists of the workstations where users enter their data, the cables that
transmit that data, the CPUs and sophisticated software that process it and
the database that stores it. This is only a basic example, but there is a lot of
hardware and software that goes into operating a successful IT infrastructure.
The IT staff is responsible for developing and maintaining the network framework.
Another function of IT is to offer systems support. To do this, staff must be
knowledgeable in all software that will be utilized by the end users and elsewhere
in the organization.

IT policies and practices are the fundamental laws set by technology
administrators to create a logical set of instructions for dealing with real and
hypothetical situations on a network. The importance of policy and
implementation of policy cannot be stressed enough. It is the only way to stay
sane in the world of information technology.

Governance is a tool utilized by organizations to keep large groups of people
abreast of the state and function of information technology. IT was once a stand-
alone operation, a thug that had to strong-arm its users into acceptance of
security practices and various restricting policies. Governance allows a much more
democratic approach to running IT efficiently. Its primary function is to give non-
IT personnel a chance to weigh in and democratically decide what priorities and
standards IT will utilize. This removes one of the hardest tasks IT has to face:
compliance.

In many cases, IT is at the mercy of the compliance of the end-users. If a user
brings in a thumb-drive from home that is infected with a virus, the network is
compromised. If a user has the ability to download and install anything from the
internet, the network is compromised. If a user brings in a virus and that virus
corrupts the user's data and it is lost, IT is compromised. It's easy to see the
relationship between IT and the users that it serves. Compliance of policies is
extremely important. A policy would state something along these lines: "No user
may use a USB drive without prior authorization. To receive authorization, please
contact the IT staff." At this point, the IT staff member assigned to this task would
check the item for viruses and ensure that it is safe to connect to the network.

Policies and practices create secure networks and safe practices for users who
operate applications. Without the technology, firms are less productive and
without value. It is important to operate within guidelines and enforce IT
compliance. It is the only way to ensure that valuable resources will be there
when needed.

Many information and infrastructure usage policies fail because they do not
consider the importance of people as a key part of policy. It is not enough to
focus on information technology itself. Procedures must be created that respect
users and to some extent their convenience.

The core step to implementing a successful information / usage policy is ensuring
that staff members understand the steps they are taking as well as the reasons
for taking those steps. If the employees consider the information security / usage
policies as too restrictive, they will subvert the security system to ease their own
workflow.

Information technologies take many shapes in organizations and perform a
variety of functions ranging from support to operational to strategic. The IT policy
of a company may be subdivided into sub-policies for effective implementation.

Information Technology in Financial Services | Reference Book 2


Companies may have separate IT policies covering many domains, or a single
comprehensive IT policy may provide the overall framework. The policy framework
should clearly outline processes and procedures for the following areas:
■ Security Policies
■ Password Policy
■ Remote Access Policy
■ Internet Connection Policy
■ Approved Applications Policy
■ Mobile Computer Policy
■ Wireless Use Policy
■ Anti-Virus Policy
■ System Update Policy
■ User Privilege Policy
■ Intrusion Detection Policy
■ File Backup and Restore Policy
■ Data Protection and Privacy Policy
■ Software License Management Policy
■ Change Management Policy
■ Asset Management Policy

Additionally, there may be policies such as:
■ IT Projects Prioritization Policy
■ IT Procurement Policy
■ IT Budgeting Policy
■ IT Human Resource / Career-path Policy

Acceptable Use Policy An Acceptable Use Policy (AUP, also sometimes known as Acceptable
Usage Policy or Fair Use Policy) is a set of rules applied by the
owner/manager/administrator of a computer system that restrict the
ways in which the system may be used. AUP documents are written
for corporate businesses, banks and other financial institutions
where the dependence on technology is high. The purpose of the
acceptable use policy is to outline the acceptable use of computer
equipment. The rules are made to protect the employee and the
organization. Inappropriate use exposes the company to risks
including virus attacks, compromise of network systems and
services, and legal issues.

Acceptable Use Policies are an integral part of the framework of
information security policies; it is common practice to ask new
members of an organization to sign an AUP before they are given
access to its information systems. For this reason, an AUP must be
concise and clear, while at the same time covering the most important
points about what users are and are not allowed to do with the IT
systems of an organization. It should refer users to the more
comprehensive security policy where relevant. It should also, and very
notably, define what sanctions will be applied if a user breaks the AUP.
Compliance with this policy should, as usual, be measured by regular
audits.



[Figure: Example of an AUP (Acceptable Use Summary) from a school district, dated 2006. Recoverable headings and points: Privileges (the use of school computers is an integral part of the educational program for all students; computer services are not for personal private use; system administrators determine appropriate use and access and their decision is final; students have no expectation of privacy; administrators monitor, log and may review all files and/or messages). District Responsibility (the district takes strict measures to filter inappropriate material, but 100% Internet safety is not guaranteed and material which may be offensive may still be encountered; the district gives students guidance on handling such situations). Terms and Conditions, which include but are not limited to: students will use computer equipment under the supervision of a lab instructor or faculty member, inspect and follow computer and user instructions, use computers to work on assigned work only, immediately report accidental or unauthorized access and equipment problems, follow basic net-etiquette, and will not engage in illegal activities (defined as violations of local, state and/or federal laws), access or distribute pornography, destroy or manipulate data or change computer configurations, erase or reset the Internet cache, home page or HTTP history, violate copyright, or communicate with vulgar or threatening language, graphics or artwork. Non-district equipment: a student may bring in personal computing equipment only if it is registered with the on-site computer technician and district-provided anti-virus software is installed; personal equipment falls under the same rules as district equipment. The full district policy is referenced by a URL that is not recoverable here.]

In some cases, AUP documents are also named Internet and E-mail policy, Internet
AUP, or Network AUP and also Acceptable IT Use Policy. These documents, even
though named differently, largely provide policy statements as to what behavior is
acceptable from the users when utilizing the company's IT infrastructure.

The most important part of an AUP document is the code of conduct governing the
behavior of a user whilst connected to the network/Internet. The code of conduct
may include some description of what may be called netiquette (the correct or
acceptable way of communicating on the Internet) which includes such items of
conduct as using appropriate/polite language while online, avoiding illegal activities,
ensuring that activities the user may embark on should not disturb or disrupt any
other user on the system, and caution not to reveal personal information that could
be the cause of identity theft.

Most AUP statements outline consequences of violating the policy. Such violations are
met with consequences depending on the gravity of breach. Employers will at times
withdraw the service from employees, although a more common action is to
terminate employment when violations may be hurting the employer in some way, or
may compromise security.

User Privilege Policy Network administrators, IT managers and security professionals are not only
aware of but concerned about the damage a typical end user can cause on the network,
accidentally or deliberately. It has been proven over and over again that most attacks
come from within the bounds of the firewall, performed by employees and authorized
users. That is why it has become so important to define the usage rights and privileges
of users, restricting them from performing actions that may cause harm to the corporate
infrastructure. A solution to these concerns is the enforcement of the Principle of Least
Privilege (PLP). The principle of least privilege is also known as the principle of minimal
privilege, or just least privilege, and as the principle of least authority. The Principle of
Least Privilege is not a new concept, but the push to implement it on production
networks has never been so important.

As already stated, the importance of the principle of least privilege has grown in
recent years, that is, after the increased dependence of companies on IT and as
companies scrambled to protect network assets and resources. The idea behind this
principle is that if the users can be limited in their abilities, then their scope of
damage can be limited and hopefully prevented. The objective is to give users only
the access and privileges they need to complete their duties and assignments. What
is not desired is to give too much and unnecessary access to users, especially
administrative access.

This means giving a user only those privileges which are essential to his/her work.
For example, a backup user does not need to install software, hence the backup user
has rights only to run backup and backup-related applications. Any other privileges,
like installing software etc., are blocked. Employees working at different levels and
functions are assigned rights and privileges based on their job responsibilities.
Users may be allowed or not allowed to use the Internet, the rights to use secondary
removable media may be revoked, and only specific fields of a database may be
visible to different users. Rights and privileges are generally determined and
approved by the Management in consultation with the HR department and finally
implemented technically by the IT function.

This policy (the Principle of Least Privilege) is designed to minimize risk to
organizational resources and data by establishing the privileges of users for data and
equipment on the network at the minimum allowable while still allowing users to
perform job functions without undue inconvenience.

The principle of least privilege is widely recognized as an important design
consideration in enhancing the protection of data and functionality from faults and
malicious behavior. Least privilege is often associated with privilege bracketing, that
is, assuming necessary privileges at the last possible moment and dismissing them
as soon as they are no longer strictly necessary.

Based on the PLP, three main categories of users may be defined on a computer or
network. These categories include:

1. Restricted user (routine user) - Can operate the computer and save documents
but can't save system settings.
2. Standard user (power user) - Can change many system settings and install
programs that don't affect the operating system.
3. Administrators - Have complete access to read and write any file on the system
and add or remove any programs or change system settings.

The majority of users on most common networks should be restricted users on their
local computers. Only users with special training or a need for additional access
should be allowed to change system settings and install programs that are not
operating system programs. This is because many viruses and adware or spyware
may be installed in a subtle manner by tricking the user, or the installation may be
completely transparent to the computer user. If the user does not have the ability
to install programs or change settings to a more vulnerable setting, most of these
potential security problems can be prevented.
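The three user categories, the rule that only specific database fields are visible to a given job role, and privilege bracketing can be demonstrated in a few lines. The following is an added illustration written for this chapter, not code from the book: role names, action names, the job roles in the field-visibility table and the sample customer record are all assumptions made for the example. Access is default-deny (anything not explicitly granted to a category is refused), field masking is applied per job role, and elevation to administrator is released automatically when the bracketed task ends, even if it fails.

```python
"""Least-privilege user categories, field-level visibility and privilege bracketing.

Constructed example for this chapter (not code from the book). All role names,
action names and the sample customer record are assumptions made for the example.
"""
from contextlib import contextmanager

# Privileges held by each PLP category; anything not listed here is denied.
ROLE_PRIVILEGES = {
    "restricted": {"run_app", "save_document"},
    "standard": {"run_app", "save_document", "change_user_settings",
                 "install_user_program"},
    "administrator": {"run_app", "save_document", "change_user_settings",
                      "install_user_program", "change_system_settings",
                      "install_system_program", "read_any_file", "write_any_file"},
}

# Which fields of a customer record each job role may see (constructed table).
FIELD_VISIBILITY = {
    "teller": {"account_no", "name", "balance"},
    "backup_operator": set(),   # the backup job copies bytes; it never needs to view fields
    "compliance": {"account_no", "name", "balance", "national_id"},
}


class PrivilegeError(PermissionError):
    """Raised when an action is not in the effective role's privilege set."""


def is_allowed(role, action):
    """Default deny: an action is allowed only if explicitly granted to the role."""
    return action in ROLE_PRIVILEGES.get(role, set())


def perform(role, action):
    """Run `action` as `role`, or refuse it; returns a short audit string."""
    if not is_allowed(role, action):
        raise PrivilegeError(f"{role!r} may not {action!r}")
    return f"{action} done as {role}"


def visible_fields(job_role, record):
    """Return a copy of `record` with every field the role is not cleared for masked."""
    allowed = FIELD_VISIBILITY.get(job_role, set())
    return {k: (v if k in allowed else "***") for k, v in record.items()}


class Session:
    """A user session whose effective role can be raised only for a bounded block."""

    def __init__(self, base_role):
        self.base_role = base_role
        self.role = base_role
        self.audit = []          # (event, role, reason) tuples kept for later review

    @contextmanager
    def elevated(self, to_role, reason):
        """Privilege bracketing: assume `to_role` at the last moment and drop it
        unconditionally when the block exits, even if the block raised."""
        self.audit.append(("elevate", to_role, reason))
        self.role = to_role
        try:
            yield self
        finally:
            self.role = self.base_role
            self.audit.append(("drop", to_role, reason))


if __name__ == "__main__":
    customer = {"account_no": "0001", "name": "A. Khan", "balance": 1500,
                "national_id": "ID-PLACEHOLDER"}        # constructed record
    print(visible_fields("teller", customer))            # national_id is masked
    s = Session("standard")
    with s.elevated("administrator", "apply OS patch"):
        print(perform(s.role, "install_system_program"))
    print(s.role)                                        # back to "standard"
```

The audit list is the part a reviewer would look at: every elevation is paired with a drop, so a bracket that was opened and never closed shows up immediately, and the base role is restored in a `finally` block rather than at the end of the happy path.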

Data Backup Backup, or the process of backing up, is making and keeping copies of
data which may be used to restore the original after a data loss event.

Backups have two distinct purposes. The primary purpose is to
recover data after its loss, be it by data deletion or corruption. Data
loss is a very common experience of computer users. The secondary
purpose of backups is to recover data from an earlier time, according
to a user-defined data retention policy, typically configured within a
backup application for how long copies of data are required to be
kept.

A Data Retention Policy describes how an organization's documents
must be retained. These documents (electronic or paper) include
business documents, insurance documents, finance documents,
regulatory documents, securities documents, employee and customer
documents, etc. It’s a subject that many IT professionals are typically
uncomfortable with and prefer to avoid. Decisions around what data
is deleted can in fact have serious legal implications. On the other
hand, the absence of decisive actions regarding data retention can
also become costly in terms of storage, and can also have some legal
implications.

There are essentially three main objectives in developing an electronic
data retention policy, which can be summarized as follows:

■ To keep important records and documents for future use or reference.
■ To dispose of records or documents no longer needed.
■ To organize records so they can be searched and accessed at a later date.

When further analyzing the above list, it is obvious that the first point
is the main reason why data is kept. However, the second bullet point
is why a policy is needed - organizations don't necessarily want to
keep everything indefinitely if they don't have to. The objectives of a
data retention policy are straightforward: cost savings through data
storage reduction, simplified, less expensive data management, and
regulatory compliance.

Though backups popularly represent a simple form of disaster
recovery, and should be part of a disaster recovery plan, by
themselves, backups should not be considered alone in disaster
recovery. Not all backup systems and/or backup applications are able
to reconstitute a computer system, or in turn other complex
configurations such as a computer cluster, or a database server, by
restoring only data from a backup.

Since a backup system contains at least one copy of all data worth
saving, the data storage requirements are considerable. Organizing this storage
space and managing the backup process is a complicated undertaking.
In the modern era of computing there are many different types of
data storage devices that are useful for making backups. There are
also many different ways in which these devices can be arranged to
provide geographic redundancy, data security, and portability.

Before data is sent to its storage location, it is selected, extracted and
manipulated. Many different techniques have been developed to optimize the
backup procedure. These include compression, encryption and
de-duplication, among others. It is also important to recognize the limitations and
human factors involved in any backup scheme.

Backups may be performed manually or can be automatic.
Scheduled backups are data backup processes which proceed automatically
on a scheduled basis (day: time) without additional computer user
intervention. The advantage of using scheduled backups instead of manual
backups is that a backup process can be run during off-peak
hours when data is unlikely to be accessed, reducing the impact of
backup downtime.

Scheduled backups running as part of an agentless backup system save
administrative labor by performing data backup for an unlimited number of
machines. Scheduled backups for organizations using remote
backup usually transfer data incrementally, instead of performing a full data
backup each time a backup is scheduled. Additionally, a backup
system can notify a backup administrator upon completion of the backup data
transfer.

Because scheduled backups run automatically without intervention, data
backup service providers include features like autonomic self-healing (the ability
to identify and correct errors) of the backup data transfer: resuming the data
transfer following an interruption while repairing any inconsistencies
or errors caused by a lapse in connectivity.
Data Backup Policies Backup policies are a crucial component in an organization's overall disaster
recovery planning and strategic implementation. As a result, backup
processes, procedures and strategies have a direct bearing upon the speed
and completeness by which a business recovers from a major catastrophe and
thereby ultimately determine the organization's capability to survive the
event and then move forward to rapidly return to pre-catastrophe levels or
above.

Backing up is generally performed based on SOPs and according to some
schedule. The frequency needs to be determined with a lot of care and due
diligence as it may have a profound impact on company performance. The
frequency, in addition to other factors, also depends on the importance and
criticality of the data to the organization. If the data is very critical,
backups must be taken more frequently. In some cases, while the backup is
being taken, the system may not be available for processing or may be
degraded in performance; therefore the timing of the backup activity must
be determined with a lot of care.
Components of Backup Policy Important components that need to be included in a business's backup
policies to ensure that the data is secure and available are:

■ Overview - Outlines exactly what is to be backed up and how.
■ Purpose - States the intended purpose(s) of having a backup policy in the
first place, for example: to ensure that data is recoverable in the event of an
emergency such as terrorist activities, severe weather, or server failure.
■ Capacity - Details of exactly what systems and components are to be
included in the backup regimes (e.g. laptops, rented machines, home,
shop, or just company assets). Location details will be included in this
section of the backup policy: what data and data sources will be
included as well as where the backups are going to be stored.
■ Definitions - Highly trained computer-aware technical experts are not
the only ones that will need to use this backup policy, so it is
important that technical terminology is clearly stated and defined in
order to eliminate misunderstandings and misconceptions.
■ Frequency - List the type of backup and when it will occur. For
example: full backups will be conducted every Saturday at 10 PM
while incremental backups will take place every other day at 4 PM.
Users will need to be made aware of the time by which any data they
require to be backed up is copied to the appropriate machine ready
for the backup.
■ Media Rotation - Define the types of media to be used and if any
media are to be overwritten. The specifics of media rotation and
overwriting will be detailed in the media rotation section of a backup
policy.
■ Testing - Details of when testing to ensure that all goes
according to plan is to take place and the details of testing.
■ Responsibility - Who is responsible for the confidentiality, integrity
and accessibility of the backup regime? Who is to perform the backup
procedures? All personnel involved in the backup processes will need
to have a clearly defined role. Use sign-off sheets and checklists to
ensure that nothing is inadvertently overlooked.
■ Data - Define precisely what data is to be backed up. This will include
workstations, servers, networking devices, etc.
■ Regulatory Requirements - Many new legislative acts require
businesses to keep their backups for a set number of years. Ensure all
pertinent information pertaining to these backups is stated in the
policy.
■ Storage - Detail the data and backup storage locations, parameters
and authorized accessibility. Detail also the procedures for retrieval of
backed-up data and backup media in storage. Ensure that all
backups and data are stored in at least two separate locations. Ideally
at least one location should be off-site.
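The Frequency, Testing and Regulatory Requirements components above, together with the earlier description of scheduled incremental backups, can be exercised with a small backup engine. The following is an added illustration written for this chapter, not code from the book or any backup product: it works on in-memory "files" so it runs offline, and the file names, contents, schedule (full on Saturdays, incremental otherwise, mirroring the Frequency example) and retention values are assumptions made for the example. A full backup copies every file; an incremental copies only files whose SHA-256 changed since the previous run and records deletions; restore replays from the newest full backup forward and re-hashes every file, so corrupted media is detected rather than silently restored; and the retention rule keeps the newest N full backups together with the incrementals that depend on them.

```python
"""Full/incremental backups with hash manifests, verified restore and retention.

Constructed example for the backup section (not the book's code). File names,
contents, the schedule and the retention values are assumptions for the example.
"""
import hashlib
from datetime import datetime, timedelta


def backup_kind_for(when):
    """Frequency rule from the policy example: full on Saturday, incremental otherwise."""
    return "full" if when.weekday() == 5 else "incremental"


def scheduled_kinds(start_iso, days):
    """Backup kind for each of `days` consecutive days starting at an ISO timestamp."""
    start = datetime.fromisoformat(start_iso)
    return [backup_kind_for(start + timedelta(days=i)) for i in range(days)]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class BackupStore:
    def __init__(self):
        self.backups = []       # {"kind", "time", "files": {name: (hash, bytes)}, "deleted"}
        self.last_hashes = {}   # name -> hash as of the previous run

    def run(self, files, when, full):
        """Back up `files` ({name: bytes}); returns the number of files copied."""
        if not self.backups:
            full = True         # an incremental chain must start from a full backup
        current = {name: sha256(data) for name, data in files.items()}
        if full:
            changed, deleted = set(current), set()
        else:
            changed = {n for n, h in current.items() if self.last_hashes.get(n) != h}
            deleted = set(self.last_hashes) - set(current)
        self.backups.append({
            "kind": "full" if full else "incremental",
            "time": when,
            "files": {n: (current[n], files[n]) for n in changed},
            "deleted": deleted,
        })
        self.last_hashes = current
        return len(changed)

    def restore_latest(self):
        """Rebuild the newest file set; raises ValueError on an integrity failure."""
        start = max(i for i, b in enumerate(self.backups) if b["kind"] == "full")
        state = {}
        for b in self.backups[start:]:
            for name in b["deleted"]:
                state.pop(name, None)
            for name, (recorded_hash, data) in b["files"].items():
                if sha256(data) != recorded_hash:   # media corruption or tampering
                    raise ValueError(f"integrity check failed for {name} ({b['time']})")
                state[name] = data
        return state

    def prune(self, keep_full):
        """Retention rule: keep the newest `keep_full` full backups and the incrementals
        that depend on them; returns how many older backups were dropped."""
        full_idx = [i for i, b in enumerate(self.backups) if b["kind"] == "full"]
        if len(full_idx) <= keep_full:
            return 0
        cut = full_idx[-keep_full]
        self.backups = self.backups[cut:]
        return cut


if __name__ == "__main__":
    store = BackupStore()
    day = datetime(2024, 1, 6, 22, 0)          # a Saturday, 10 PM (constructed)
    files = {"ledger.csv": b"acct,amt\n1,10\n", "notes.txt": b"v1"}
    for offset in range(3):
        when = day + timedelta(days=offset)
        files["notes.txt"] = f"v{offset + 1}".encode()
        kind = backup_kind_for(when)
        print(when.date(), kind, store.run(files, when, kind == "full"), "file(s) copied")
    print(store.restore_latest())
```

The Testing component is the restore-and-verify step: a backup that has never been restored through `restore_latest` has not been tested, and the hash check is what turns "the job finished" into "the data is recoverable". Pruning only ever cuts at a full backup so that no surviving incremental loses the base it depends on.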
Data Confidentiality Data confidentiality is a security principle that ensures data privacy on
the network system. It ensures that the data will be kept secret and
will be accessed only by limited authorized users; it prohibits
eavesdropping by unauthorized users. Confidentiality of data has also
been defined by the International Organization for Standardization
(ISO) in ISO-17799 as "ensuring that information is accessible only to
the authorized users". Also, confidentiality comprises a set of rules
that limits access or places restrictions on certain types of
information.

Confidential information must only be accessed, used, copied, or
disclosed by users who have been authorized, and only when there is
a genuine need. A confidentiality breach occurs when information or
information systems have been, or may have been, accessed, used,
copied, or disclosed to or by someone who was not authorized to have
access to the information.

Data confidentiality refers to the attempt to keep information away
from unauthorized people or systems. All information has a reliability
or confidentiality level. Data can be labeled in a wide range from
being available and open to the public, i.e. newspapers and non-
secure web pages, to sensitive compartmented information. For
Information Assurance (IA), confidentiality refers to the steps taken to
ensure that confidential information is only accessed by or disclosed to
people who have been authorized.

If sensitive data is lost or damaged, the cost can be devastating to a
business due to lawsuits, loss of business, or regulatory fines. Business
espionage can result in considerable loss of money. When businesses
attempt to gain confidential information about another company, it is
usually for financial gain. These businesses can use the information to
sell or trade a product for the purpose of introducing themselves into
that part of the market. Corporate espionage is the art of
circumventing the confidentiality of business data. Billions of dollars of
losses are realized each year because sensitive data was not able to
be kept confidential.

The concept of confidentiality of data seems to be the one piece of
Information Assurance that is the easiest to fail. With all the
technological protection in place to determine the integrity of data in
transit or the availability of the data at rest, it can all be circumvented
if a single person with authorized access does not treat the data with due
care.
Anti-virus Policy Proliferation and technology ubiquity have greatly increased the
risks of accidents and disasters. Businesses are ever more dependent
on digital technology today than they ever were. Viruses, worms and
other malware are threatening the availability, reliability and integrity of
computer systems. Networks of networks have worsened the situation
in this regard. Viruses are not confined to standalone PCs but travel to
other networks and connected computers at lightning speed, making
digital protection a daunting challenge. Organizations need to be
prepared. One preparation is to develop a comprehensive anti-virus
policy. Such policies are vital for all organizations but more so for
banks and other financial institutions considering the volume and
sensitivity of data stored.

The anti-virus policy document should describe the measures taken
by the organization to protect its systems against viruses, trojans and
other malware. Also to be included are descriptions of the
responsibilities of individuals, user departments and the IT function to
ensure that the information and communication technology
infrastructure is protected by effective anti-virus systems.

All systems vulnerable to attack by malware must be protected
by anti-virus software wherever possible, unless a specific exclusion
has been granted and alternative measures have been taken to
provide the same degree of protection.

A virus is a piece of self-replicating code, most often a malicious software
program, designed to destroy or corrupt information or adversely impact
the usage of IT systems. Some viruses cause no damage apart from
reproducing, but a significant number are specifically designed to cause
data loss, compromise the confidentiality of files or disrupt network
functioning.

Potential sources of viruses include shared media such as floppy
disks, CD-ROMs or USB memory sticks, electronic mail (including, but
not limited to, files attached to messages), malicious code embedded
in web sites, and software or documents copied over networks such as
the internal network or the Internet.

A virus infection is almost always costly to the company, whether
through the loss of data (possibly permanent), staff time to recover a
system, or the delay of important work. Also, viruses spread from the
company can potentially lead to serious issues of damage to
reputation and possible litigation, as well as the staff effort necessary
for investigation and recovery.

The anti-virus policy applies to all computers that are connected to the
company's network via a standard network connection, wireless
connection, modem connection, or virtual private network connection.
This includes both company-owned computers and personally-owned computers
attached to the official network, including those connected from
home. All employees, customers, business partners including
outsourcing partners, vendors and suppliers, etc. are subject to this
policy and required to abide by it.

An anti-virus policy highlights the good practices for virus protection
and what role end users can play in helping the organization in
effective implementation of policies in this regard. The policy
document also lists the responsibilities of the IT department and
general management.
Best Practices for Virus Prevention in Organizations:
1. Always run the standard (particular brand) anti-virus software
officially provided.
2. Never open files or macros attached to an e-mail from an
unknown, suspicious, or untrustworthy source.
3. Never open files or macros attached to an e-mail from a known
source (even a coworker) if not expecting a specific attachment
from that source.
4. Be suspicious of e-mail messages containing links to unknown
Web sites. It is possible that the link is a malicious executable
(.exe) file disguised as a link.
5. Users should not alter the default e-mail client configuration to
override the security setup and send/receive banned extensions.
6. Never copy, download, or install files from unknown, suspicious, or
untrustworthy sources or removable media.
7. Avoid direct disk sharing with read/write access. Always scan any
removable media for viruses before using it.
8. If instructed to delete e-mail messages believed to contain a virus,
be sure to also delete the message from Deleted Items or Trash
folder.
9. Back up critical data and systems configurations on a regular basis
and store backups in a safe place (even when backup is done at
organizational level).
10. Regularly update virus protection on personally-owned home
computers that are used for business purposes. This includes
installing recommended security patches for the operating
system and other applications that are in use.
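Points 2 through 5 of the list above (unknown senders, unexpected attachments from known senders, links that are really executables, and banned attachment types) can be written down as a screening rule that a mail gateway or a user-side checker applies before an attachment is opened. The following is an added illustration written for this chapter, not code from the book or from any mail product: the banned-extension list, the macro-document list, the known-sender list and the sample messages are all assumptions made for the example. It inspects the whole chain of extensions so that a double-extension name such as `invoice.pdf.exe` is judged by the part the operating system actually executes.

```python
"""Attachment and link screening rules drawn from the anti-virus best practices.

Constructed example for this chapter (not the book's code). Extension lists,
the known-sender list and all sample messages are assumptions for the example.
"""
from urllib.parse import urlparse

# Extensions the policy bans outright (constructed list).
BANNED_EXTENSIONS = {"exe", "scr", "bat", "cmd", "com", "pif", "vbs", "js",
                     "jar", "msi", "hta", "ps1"}
# Macro-enabled Office types: held for user confirmation rather than blocked (constructed).
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm"}
# Senders the organization treats as known (constructed placeholder addresses).
KNOWN_SENDERS = {"payroll@example-bank.test", "it-helpdesk@example-bank.test"}


def extension_chain(filename):
    """Every extension part, lowercased: 'report.pdf.exe' -> ['pdf', 'exe'].
    Looking at the whole chain exposes the double-extension trick."""
    parts = filename.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename):
    """'block' for banned types, 'hold' for macro documents or unknown types, else 'allow'."""
    exts = extension_chain(filename)
    if not exts:
        return "hold"           # no extension: the type cannot be judged by name
    if exts[-1] in BANNED_EXTENSIONS:
        return "block"          # the last extension is what the OS executes
    if exts[-1] in MACRO_EXTENSIONS or any(e in BANNED_EXTENSIONS for e in exts):
        return "hold"           # macro document, or an executable name hidden mid-chain
    return "allow"


def suspicious_link(url):
    """True when a link's path ends in a banned (executable) extension."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    exts = extension_chain(name)
    return bool(exts) and exts[-1] in BANNED_EXTENSIONS


def screen_message(sender, attachment_names, links=(), expected=False):
    """Apply the policy to one message.

    Returns (verdict, reasons) with verdict in {"deliver", "hold", "quarantine"}:
    quarantine if any attachment is a banned type; hold when the user must confirm
    (unknown sender, unexpected attachment, macro document, executable link)."""
    reasons = []
    verdict = "deliver"
    for name in attachment_names:
        outcome = classify_attachment(name)
        if outcome == "block":
            return "quarantine", [f"{name}: banned executable type"]
        if outcome == "hold":
            reasons.append(f"{name}: macro-enabled or unrecognized type")
            verdict = "hold"
    if attachment_names and sender.lower() not in KNOWN_SENDERS:
        reasons.append("attachment from unknown sender")          # best practice 2
        verdict = "hold"
    elif attachment_names and not expected:
        reasons.append("unexpected attachment from known sender")  # best practice 3
        verdict = "hold"
    for url in links:
        if suspicious_link(url):
            reasons.append(f"link points at an executable: {url}")  # best practice 4
            verdict = "hold"
    return verdict, reasons


if __name__ == "__main__":
    # Constructed sample messages, not real mail.
    samples = [
        ("payroll@example-bank.test", ["salary_slip.pdf"], [], True),
        ("payroll@example-bank.test", ["salary_slip.pdf"], [], False),
        ("someone@outside.test", ["invoice.pdf.exe"], [], False),
        ("it-helpdesk@example-bank.test", [], ["http://updates.example.test/patch.exe"], True),
    ]
    for sender, names, links, expected in samples:
        print(sender, names, links, "->", screen_message(sender, names, links, expected))
```

Note what the rule deliberately does not do: it never trusts the displayed name or the sender alone. A known sender only lowers the verdict from "hold" to "deliver" when the recipient has said the attachment was expected, which is exactly the distinction best practices 2 and 3 draw, and a banned type is quarantined regardless of who sent it.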
Responsibilities of Computing and Networking Services
The CNS (this department/function may have different names in
different organizations) is responsible for maintaining and updating
the Anti-Virus Policy. Copies of this policy are posted on the official
web site or IT department website.

CNS is responsible for:

■ Keeping the anti-virus products up-to-date in terms of both virus
definitions and the software version in use. The company's IT department
must check the anti-virus vendor's website for regular updates and patches.
■ Installing anti-virus software on all company-owned and installed
desktop workstations, laptops, and servers.
■ Assisting employees in installing anti-virus software according to
standards on personally-owned computers that will be used for
business purposes (mostly assistance only; anti-virus software may or
may not be provided for personal computers).

CNS will take appropriate action to contain, remove, and assist in
recovery from virus infections. In order to do so, it:

■ May be required to disconnect a suspect computer from the
network or disconnect an entire segment of the network.
■ Will perform regular anti-virus sweeps on all company-managed
and active computers following a pre-announced schedule, e.g.
every first Tuesday of the month.
■ Will notify users of any credible virus threats via e-mail and online
bulletin.
■ Will conduct in-house training and awareness campaigns to develop
understanding and compliance motivation in all users, especially
non-IT people.

Summary While written policies are important for all organizations, in banks and
other financial institutions this need is even more vital. A bank must
have organization-wide standard policies and procedures for all its
functions including IT and data management. Typical relevant
documentation that should exist in organizations includes policies,
standards, guidelines and procedures.

The reliance on technology has increased, and in many cases, IT has
become the life line of companies and organizations. This
dependency creates a substantial need for well-formulated policies
and standard operating procedures.

Many information and infrastructure usage policies fail because they do not
consider the importance of people as a key part of policy. Procedures must be
created that respect users and to some extent their convenience.

An Acceptable Use Policy (AUP) is a set of rules applied by the
owner/manager/administrator of a computer system that restrict the ways in
which the system may be used. AUPs are made to protect the employee and the
organization. Inappropriate use exposes the company to risks including virus
attacks, compromise of network systems and services, and legal issues.

The assignment of rights and privileges has remained a complex issue. A solution
to these concerns is the enforcement of the Principle of Least Privilege (PLP). This
principle is designed to minimize risk to organizational resources and data by
establishing the privileges of users for data and equipment on the network at the
minimum allowable while still allowing users to perform job functions without
undue inconvenience.

Backup policies are also a crucial component in an organization's disaster
recovery planning and strategic implementation. Backing up is generally
performed based on SOPs and according to some schedule. The frequency needs
to be determined with a lot of care and due diligence as it may have a profound
impact on company performance.

Data confidentiality is a security principle that ensures data privacy on the
network system. It ensures that the data will be kept secret and accessed only by
limited authorized users.
Yet another important policy is regarding prevention against malware. The anti-virus policy
document describes the measures taken by the organization to protect its systems
against viruses, Trojans and other malware. It also describes the responsibilities of
individuals, user departments and the IT function to ensure that the information
and communication technology infrastructure is protected by effective anti-virus
systems.
Part 8: IT Vendor Services

IT Vendor Services

Learning Outcome By the end of this chapter you should be able to:
■ Discuss the concept of outsourcing and in-sourcing
■ Define managed services and discuss how and where these
services can be used

■ Discuss third party systems/servers and list the advantages of
their usage in banks

Outsourcing Globalization has augmented the level of competition to a great extent.
Organizations need to be highly flexible and immediately responsive to
customer and market demands. Businesses need a new set of
competencies to remain competitive. However, these capabilities cannot
be acquired cost-effectively in traditional ways. There is a need to go
beyond and leverage alternative solution deployment and service
delivery models and operate according to a network-based business
model. However, there is no single right model. Each business is different
and unique and so are its capability needs. Each business needs to have
its own model, but this is not always easy to achieve. There are many
threats along the way, and businesses need to ensure that they do not
ignore the risks in order to be successful. The most popular and practical
way to achieve the required capabilities in a cost-effective and timely
manner is to source them from outside. Outsourcing occurs when one
company contracts with another company to provide services that might
otherwise be performed by in-house employees. Almost every
organization outsources in some way. Typically, the function being
outsourced is considered non-core to the business. Many large
companies now outsource jobs such as call center services, e-mail
services, and payroll, etc. In fact, all tasks other than the company's core
competencies are possible contenders for outsourcing. These jobs are
handled by separate companies that specialize in each service, and may
be located in another country or even continent.

There are many reasons that companies outsource various jobs, but the
most noticeable advantage seems to be the fact that it often saves
money. Many of the companies that provide outsourcing services are
able to do the work for considerably less money, as they have lean
structures and fewer overhead expenses to worry about. The outsourcing
firms are therefore able to operate on lower costs because of economies
of scale. Outsourcing also allows companies to focus on other more
important business issues while having the details taken care of by
outside experts. This means that a large amount of time, resources and
attention, which might fall on the shoulders of in-house professionals,
can be used for more important, broader and strategic issues within the
company. The specialized company that handles the outsourced work is
often streamlined, with first-rate capabilities and access to new
technology that a company could not afford to buy on its own. In
addition, if a company is looking to expand, outsourcing is a cost-
effective way to start building foundations in other countries.

IT Vendor Services 199

Opponents of outsourcing highlight some disadvantages. One of these
is that outsourcing often eliminates direct communication between a
company and its customers. This prevents a company from building firm
relationships with their customers, and often leads to discontent on one
or both sides. There is also the danger of not being able to control
some aspects of the company, as outsourcing may lead to tardy
communications and project implementation. Any sensitive information
is more vulnerable, and a company may become very dependent upon
its outsourcing providers, which could lead to problems if the outsourcing
provider backs out of its contract abruptly.
Outsourcing Benefits
There are numerous benefits of outsourcing, making it a very deliberate
business practice. Outsourcing is not just about saving on costs but
bringing the company long term success and opportunities for growth.
Here are some of the benefits of outsourcing. They depend, of course,
upon the nature and situation of the organization and market forces.
1. The cost advantage
As mentioned earlier, the greatest advantage of outsourcing stems from
the extra savings a company can enjoy. If the same service can be
provided at the same or better level of quality by another firm but for a
much lower cost, then any company will have every motive to outsource.
For example, in a financial institution, outsourcing services such as call center and
customer service, medical billing, transcription, etc. can sometimes
save 60% of total costs in specific areas.
2. Increase in business, productivity and efficiency
Outsourcing can offer companies vast growth in terms of productivity,
profits, level of quality, business performance, business value, and so on.
Companies that handle everything in-house have to spend additional
funds on research, marketing and development, customer service, etc.
However, outsourcing some procedures will allow the company and
employees to concentrate on the core activities of business without
compromise of the other, less important processes. This increase in
emphasis on core tasks will subsequently lead to increase in efficiency
and productivity.
3. Reduce labor and infrastructure costs
Outsourcing can save a lot in terms of effort, infrastructure and labor
costs. Hiring staff and training them for peripheral or short-term
projects can be expensive. Firms also have to make fixed investments,
and infrastructure costs have risen sharply. It can also take
some time before new employees are trained and can start working on
the project, or before the infrastructure is completed. However, outsourcing
can save the company from the burdens of manpower and
infrastructure. Instead, it can focus all its human resources and
infrastructure where and when they are most efficient and most
needed. The project can also start as soon as possible, as capabilities do
not need to be developed but are sourced from outside. All this should
result in positive cash flows.
4. Access to specialized services
Outsourcing permits companies to take benefit of the services of expert
and experienced professionals who specialize in specific business
practices. Their experience will allow them to provide services at a level
of efficiency higher than firms and their existing manpower could achieve.

Information Technology in Financial Services | Reference Book 2


5. Faster deliveries and improved customer satisfaction
Outsourcing partners usually make faster deliveries and provide high-
quality services as long as there are specific service quality and service
level agreements in place. (Service level agreements are discussed in
more detail later.) This can save the client company time and promote
customer satisfaction, trust and loyalty.
6. A competitive edge for the business
Outsourcing can help a company to gain an advantage over competing
businesses. Small companies especially cannot afford to fund the level
of support needed to stay ahead of the competition that many large
companies can maintain. However, outsourcing has removed this
disparity and now even small companies can outsource and enjoy the
same efficiency, economies of scale, and expertise as large corporations.
7. Turn fixed costs into variable costs
A firm may have inconsistent infrastructure and human resources
requirements. However, it has to plan for the peak requirements and
therefore may find its infrastructure and HR underutilized during the
lean periods. Outsourcing takes care of such situations and the client is
responsible for paying its outsourcing partner for only the services it has
utilized.

Following is a list of some more common reasons why outsourcing is
generally undertaken:
■ Greater flexibility and ability to define the requisite service more
readily
■ Specific supplier benefits, such as better security, continuity, etc.
■ Acquisition of industry best practice
■ Improve risk management and mitigation
■ Acquire innovative ideas and concepts
■ Increase commitment and energy in non-core areas
■ Improve credibility and image by associating with superior providers
■ Generate cash by transferring assets to the provider (in some
situations)
■ Gain market access and business opportunities through the supplier's
network
■ Higher quality service due to focus and expertise of the supplier
■ Less dependency upon internal resources
■ Faster set-up of the function and/or service
■ Lower investment required in internal infrastructure
■ Greater ability to control delivery dates (e.g. via penalty clauses)
■ Increased flexibility to meet changing business circumstances

Online Outsourcing
A relatively new concept is online outsourcing, which has become
popular with the ubiquity of the Internet. Online outsourcing is a
method by which companies can increase profit margins and sometimes
keep more workers employed at the same or even less cost.
Homeshoring, for example, is the process of hiring a third party
contractor (mostly an individual) who works from home to carry out
business processes. The employee can carry out tasks such as
processing customer service calls, invoicing customers, proofreading and
editing, marketing, or other more technical tasks such as software and
website development. In turn, the company may pay the home working
employee a lower rate than a permanent on-site employee and will
often save on costs by not providing that employee with health
insurance or other benefits. The employee often saves money by not having
to travel to an office, and studies have shown that many workers are
much more productive when working from home.

Many labor groups and other organizations working for workers'
rights are critical of online outsourcing. Some companies outsource
technical jobs to foreign countries, which is viewed as taking jobs
away from local workers. Companies may pay technical employees a
much lower wage than workers in their home country, and view this
as a way to cut costs and increase profits. For example, many software
development companies in Europe and the U.S.A. use online
outsourcing to hire individual developers or software houses in South
Asian countries; workers there are able to perform the same tasks for
much lower salaries.

Outsourcing Challenges
As companies evaluate their outsourcing choices, they need to keep in
mind that there are challenges of outsourcing and if these challenges
outweigh the advantages of outsourcing, then firms should avoid
availing these options.

1. Loss of Managerial Control
Whether a business contracts another company to perform the
function of an entire department or a single task, the former is
handing the management and control of that function over to the
latter company. True, there will be a contract, but the managerial control
will now probably belong to the company responsible for performing the
outsourced task. The outsourcing company may not be driven by the
same standards and mission that drive the client company. They will
instead be driven to make a profit from the services that they are providing
to their clients.
2. Hidden Costs
The client firm signs a contract with the outsourcing company
covering the details of the services provided. Anything not covered in
the contract will be the basis on which to pay additional charges when
additional services are required. Additionally, there will be legal fees to
retain lawyers to review the signed contracts. Contract writing is generally
the responsibility of the outsourcing firm, and as they are experienced in
doing this, client companies may be at a disadvantage.
3. Threat to Security and Confidentiality
Data is an invaluable asset for any organization and must be kept
safe. If the client company has payroll, medical records or any
other confidential information that will be transferred to the
outsourcing company, there is a risk that confidentiality may be
compromised. If the outsourced work involves sharing proprietary
company data or knowledge (e.g. drawings, formulas, etc.), all
necessary security measures should be in place. The outsourcing
company must be appraised carefully to make sure data is protected
and the contracts have appropriate penalty clauses should untoward incidents
occur.
4. Quality Problems
The outsourcing company is likely to be driven by profit-making.
There may not be a one-to-one correspondence between the client and the
outsourcing company on quality issues. Since the contract will fix the
price, the only way for outsourcing companies to increase profit will be
to decrease expenses. As long as they meet the conditions of the contract,
the client firm will have little recourse. Generally, the outsourcing firm
will be motivated to maintain quality standards only as far as the contract
requires. In addition, the client firm will lose the ability to
rapidly respond and react to changes in the business environment.
5. Tied to the Financial Well-Being of another Company
Since the client firm will be turning over part of their business operations
to another company (although non-core activities), it will now be tied to
the financial well-being of that company. It is not uncommon for an
outsourcing company to go bankrupt and leave its clients in financial
disorder.
6. Bad Publicity and Ill-Will
The word "outsourcing" brings to mind different things to different
people. Most people have heard of job cuts resulting from outsourcing
operations. In many situations, morale may suffer in the work force of
the client company which may lead to serious performance problems.
Proactive change management must be carried out to handle human
resource issues associated with outsourcing.

Why Outsourcing Fails
One of the biggest challenges involved in an outsourcing initiative is
how to mitigate the risk of failure. Both buyers and providers face
vulnerabilities and significant chances of (a) parting amicably but without
having achieved their objectives, (b) encountering difficulties that result
in contract renegotiation, or (c) prematurely ending their arrangement in
a hostile manner.

The probabilities of being tangled in an outsourcing failure have not
diminished, even though outsourcing has significantly matured. Despite
the abundance of educational resources and advice from industry experts
and outsourcing relationship participants proclaiming "keys to success"
and "warning of pitfalls", failures tend to be a reality.

Conservatively, 25 percent of all outsourcing fails completely and over
50% of all outsource deals do not deliver any substantive benefit at all.
Outsourcing failures are often the result of companies rushing into
relations with unrealistic or unsubstantiated expectations of cost savings
and performance improvements that cannot be met because the client
does not communicate its requirements in a clear way to the potential
vendors. The outsourcing of many business processes besides IT also has
the same less-than-expected results.

[Figure: causes of outsourcing failure, including the buyer's unclear expectations up front, interests becoming misaligned over time, poor governance and a relationship that is not beneficial to both parties]

The main causes of failure of outsourcing are:
■ The buyer's unclear expectations up front as to its objectives -
poorly defined objectives and requirements and a lack of
outsourcing contract management capability are two of the top
reasons for IT outsourcing failures.
■ The parties' interests may be aligned at the start but become
misaligned as the buyer's business environment or needs change
over time (as they inevitably will), mostly as a result of new
technologies or changed business circumstances.
■ The provider's poor performance against service level
agreements, which in some cases is dramatic despite severe
penalty clauses.
■ The parties do not consider each other's interests to ensure the
relationship is mutually beneficial - the conflicting objectives of the
parties and the need for vendors to make money are often not
really internalized by clients. Both parties fail to establish a win-win
relationship.
■ Poor governance structure for managing the ongoing
relationship; in some cases this is left just to account
management. A multi-level vendor-client interface is needed.
There must be constant communication at the policy level as well as
the operational levels.
■ Poor cultural fit or compatibility of the parties - the client and vendor
may differ, with one risk-taking and the other risk-averse, for
example.
■ Poor communication; the parties do not proactively share
necessary information with each other - the relationship deteriorates
when information is hidden. This may happen if the client does
not trust its outsourcing partner.

Additionally, there have been several instances of buyers and
outsourcers in direct conflict and not inclined to acknowledge their
contribution to outsourcing failures. Hidden costs, high staff turnover
and poor cross-cultural communications are also some of the key
causes of offshore outsourcing failures.

Insourcing and Regional Insourcing
Insourcing is sometimes considered the opposite of
outsourcing; there are several definitions that suggest that
it is not. Insourcing (contracting in) is often defined as the
delegation of operations or jobs within a business to an internal
(but 'stand-alone') entity that specializes in that operation. Insourcing is
a business decision that is often made to maintain control of critical
production or competencies. An alternative use of the term implies
transferring jobs to within the country where the term is used, by
hiring local subcontractors, hence the term insourcing, although this
implication of insourcing is not too popular.

The sort of insourcing that represents almost an opposite form
of outsourcing may be the most common definition. This is when
companies look within their own group of employees to find those who may be
tapped to do certain tasks. Companies may offer such
employees extra training or may merely locate in-house
employees that already possess the skills to take on the specialty
work.

This form of insourcing has become fairly common as a more economical
practice. Hiring new employees can take considerable funds, while being
able to redirect a current employee to new work can be much cheaper. Even
if there is financial outlay for special training etc., a business
may still save money, and it doesn't have the negative implications associated with
many forms of outsourcing. Some companies practice this regularly
and claim to always promote from within, which can be an attractive
point for employees looking for opportunities to advance in their
careers to stay with the same firm.

An associated trend is regional insourcing, which is a process in which
a company establishes satellite locations for specific entities of their
business at sites that are away from their headquarters. Through this
process, companies can take advantage of the benefits one site may
have over another (i.e. taxes, raw material availability, or workforce
skills). In regional in-sourcing, companies create separate entities for
specific tasks, but rather than these operations being performed under
the same roof, they are undertaken in an environment that is far more
suitable for their specific purpose.
Outsourcing vs. Insourcing vs. Co-sourcing
If an organization has a number of non-core processes which are
taking plenty of time, effort and resources to perform in-house,
it would be sensible to outsource these non-core functions.
Outsourcing, in this case, would help save on time, effort and manpower
and would also aid in making quicker deliveries to customers. Similarly,
if a company requires expert services in areas which do not fall under
its core competency, then outsourcing again will be a good option as the
business can get access to expert services.
However, if the work involves production and requires tight control,
then it would be more suitable for the organization to opt for insourcing, as this can
save on transportation costs and exercise better control over the
project. Similarly, if a firm has sensitive proprietary data it does not
want to transfer to an outside agency, insourcing can be
considered.

The bottom line is that it is not necessary to choose outsourcing
over insourcing or vice versa. An organization can outsource and
insource at the same time. By outsourcing and insourcing
simultaneously, it can have the best of what both offer and the
business can gain a competitive advantage.

Co-sourcing is a business practice where a service is performed by
staff from inside an organization and also by an external service
provider. Alternatively, a company may insource and outsource tasks based
on the merits of each. An example of co-sourcing is outsourcing part of
software development or software maintenance activities to an
external organization, while keeping part of the development in-house.
Managed Services
"Managed services" is an umbrella term for third-party monitoring and
maintaining of computers, networks and software. The actual
equipment may be in-house or at the third party's facilities, but the word
"managed" implies a continuing effort; for example, making sure the
equipment is always running at a certain quality level or keeping the
software up-to-date.

Managed services is the practice of transferring day-to-day related
management responsibility as a deliberate and calculated method for
improved, effective and efficient operations. The person or
organization that owns or has direct ownership of the organization or
system being managed is referred to as the client or customer. The
person or organization that accepts and provides the managed service
is regarded as the service provider.

Typically, the client remains responsible for the functionality and performance
of the managed service and does not surrender the overall
responsibility of the organization or system.

Managed services allow companies to transfer specific IT operations to a service
provider, known in technology parlance as a Managed Service Provider. The
managed service provider assumes ongoing responsibility for monitoring,
managing and/or problem resolution for selected IT systems and functions
on the customer's behalf.

Managed Service Providers
A managed service provider (MSP) provides delivery and management of
network-based services, applications and equipment to client enterprises
and organizations. Managed service providers can be hosting companies
or access providers that offer services that can include fully outsourced
network management arrangements, including advanced features such as IP
telephony, messaging and call center, virtual private networks,
managed firewalls, and monitoring/reporting of network servers. Most of these
services can be performed from outside a company's internal network. MSPs
serve as outsourcing agents for companies, especially other service providers
like ISPs, that don't have the resources to constantly maintain
faster and faster computer networks.

Managed service providers can offer services such as alerts, security, patch
management, data backup and recovery for different client
devices: notebooks, servers, storage systems, networks and
applications. Offloading routine infrastructure management to
experienced managed service professionals lets clients concentrate on
running core business with fewer interruptions due to IT issues.

Managed service providers (MSPs) typically price their services on a
subscription basis. Depending on the services they provide,
pricing is usually based on the number of devices, with different packages
priced at different levels. Some provide customer support onsite when
required. Customers engage managed service providers based on their
budgets and circumstances.

Basic services often start with a monitoring service, which notifies customers
of problems that customers then resolve on their own. At the upper end of the spectrum,
service providers offer fully managed services that cover everything from
alerts to problem resolution.

Typically, service providers perform an initial assessment of the client's
current IT environment and management requirements to help them
decide what services and service levels are needed.

Managed service providers deliver and manage network-based services,
applications and equipment to customer organizations. They deliver their
services as a one-to-many or one-to-one service; the former service
being used by multiple customers, and the latter having a dedicated
service between provider and customer. Payment for both of these
services is generally on a usage basis; for example, the number of
computers supported, the number of transactions processed, etc. It is
obvious that one-to-one services have a much higher price tag than
one-to-many services. It is important to note that the key difference
between IT managed services and strategic outsourcing is that the latter
often involves the transfer of assets - both technology- and staff-related -
to the third party.

The managed services model enables effective MSPs to maximize the
efficiency and quality of their offerings, due to their narrow emphasis on
an area that can be enhanced iteratively. Due to the economies of scale
that can be derived from operating on a larger scale, managed services
are almost always available at a lower cost than the customer
organization could ever achieve itself, thereby increasing value for the
customer organization.

Governance of Managed Services
Undertaking the option of managed services can constitute risks to an
organization. This is because it can create a dependency on skills from
outside the organization and thus the extent of this risk should be
quantified. Organizations too dependent on managed services may tend
to curb experimentation and innovation. Moreover, if core, value-adding
business processes and applications are outsourced to a MSP, the
consequential loss of control over available resource levels (if they are
not guaranteed) could result in a loss of organizational flexibility.

Contracts and agreements for managed services are usually shorter than
those for strategic outsourcing. The latter can often be created to run for
between three and ten years, whereas managed services contracts run
for as little as 12 months, and for up to two odd years. One reason for
this is the one-to-many delivery model enables the service provider to
achieve a shorter payback period for the service offered. Pace of IT
enhancement is much faster with MSPs for many reasons, including
competition amongst the MSPs. From the point of view of the clients,
shorter duration of contracts is suitable due to changing business
conditions. Even with a one-to-one delivery model, it is still a shorter
payback period for MSP as the one-to- one model takes the basic
service and modifies it for a particular customer. A service is usually not
always created from scratch for a new customer.

It is not at all sufficient to find an MSP to deliver a particular discrete
service (or set of services) and believe that the responsibility for that
service has been handed over to the third party - the management of a
managed services agreement should not be left to chance. Organizations
need to understand that they need to commit time, effort, and money to
managing these contracts, and this is usually undertaken by having an in-house
management team.

An in-house management team will monitor and control all aspects of
managed services. The role of the management team encompasses
involvement in vendor selection and renegotiation (when the end of the
contract is nearing, or there is a business need to renegotiate during the
contract term). Furthermore, the in-house management team will be
responsible for vendor management, monitoring the delivery of the service,
managing any changes to requirements, collecting metrics as regards
adherence to the SLA (service level agreement), and providing an exit
strategy in case of need.

The control matter is very important when looking at the business case
surrounding managed services. Unlike some of the more traditional
outsourcing arrangements, particularly where staff and assets are transferred
to the third-party provider, a significantly higher degree of control is
retained by the customer organization when using managed services. This is because
it is a smaller service, representing perhaps just one or a small number of the IT
services delivered.

Not to forget that one of the roles of the MSP is to ensure that the
organization is making best use of the service, so it will be appropriate that
client management takes into consideration points raised by the MSP.

Managed IT Services - Examples
From crashed hard drives to computers that just won't start, one part
of managed IT services is basic maintenance of computers and
equipment. In an organization of any size, small or large, computers are
relied on to perform almost all duties - from typing to design and
many other functions. Programs are used for all sorts of industries, and as we
get more technologically advanced, our systems get more complex and prone
to problems and failures. Rather than risking making the problem worse by trying
to fix problems, call in the experts with IT services to ensure that computer
equipment stays up and running at all times. In addition to maintenance, other
managed services include the following:

■ Viruses and Spyware Problems
It takes just one email that is infected with spyware, worms, Trojans or other
viruses to infect an entire network - bringing the entire business to a halt as
computers freeze, shut down or simply stop working. From protection to
troubleshooting and virus fixing, IT services will ensure computers are
both protected against future viruses and healed from viruses that may
affect the running of the IT system. These managed providers should
ensure that their virus protection systems are always up to date.

■ Network Management
The network controls all computers within an organization. If the network
goes down, very often that means that every computer within the organization
also goes down, leaving the entire office unable to continue working. Network
management services guarantee quick response times, network
health and outstanding technical support, allowing the organization to not
lose any valuable time in the event of a network problem. A good
managed IT services firm will offer network management for a fixed
fee, regardless of the number of hours used.

■ Internet Connectivity
A managed service provider should be able to set up and manage
Internet connectivity, from leading ISP (internet service providers) -
assisting when internet connection drops, and helping to maintain daily
usage of bandwidth and data packages. A good managed IT services
company will be able to advise the best option to suit organizational
needs in terms of bandwidth speed and download requirements.

■ Remote Backups
Managed IT services ensure that valuable data is kept safe and secure at
all times. Unfortunately many businesses still do not realize the
importance of having effective data or server backup. A remote backup
and data recovery service ensures that the critical data is properly
backed up to an offsite location. This means that businesses never have
to worry about losing precious data in the event of a system or server
crash. Service providers should also have the necessary technology for
full data recovery in case of data loss.

■ Hardware and Software Procurement
Many companies provide all the top brands at competitive prices,
allowing clients to get all the benefits of wholesale prices directly from
leading companies who deal direct with MSP companies rather than with
end consumers. A switch to a managed IT services company can bring
good deals and excellent prices to ensure better value for money.

Service Level Agreements
A Service Level Agreement (SLA) is a negotiated agreement between two
parties where one is the customer and the other is the service provider.
SLAs have been used since the late 1980s by fixed line telecom
operators as part of their contracts with their corporate customers. This
practice has spread such that now it is common for a customer to
engage a service provider by including a service level agreement in a
wide range of service contracts in practically all industries and markets.
Internal departments (such as IT, HR, etc.) in larger organizations have
adopted the idea of using service level agreements with their "internal"
customers also - users in other departments within the same
organization.

The SLA registers a common understanding about services, priorities,
responsibilities, guarantees, and warranties. Each area of service scope
has the "level of service" defined. The SLA may specify the levels of availability,
serviceability, performance, operation, or other attributes of the service.
The "level of service" can also be specified as "target" and "minimum",
which allows customers to be informed what to expect (the minimum),
whilst providing a measurable (average) target value that shows the level
of organization performance. In some contracts, penalties may be agreed
upon in the case of non-compliance of the SLA terms.
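As an added example, not part of the original text, the Python below evaluates an "output"-based availability term against one month of constructed outage records: it computes the availability the customer actually received, classifies it against the agreed minimum and target levels, and applies an assumed service-credit penalty schedule. Every service name, level, outage time and penalty rate is a constructed assumption.

```python
"""Evaluate availability terms of an output-based SLA against outage records.

Added example; not part of the original text. Service names, levels, outage
times and the penalty schedule below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ServiceLevel:
    """One area of service scope. 'minimum' is what the customer can rely on;
    'target' is the measurable level the provider is expected to reach."""
    name: str
    minimum_pct: float
    target_pct: float
    credit_pct_per_point: float  # assumed penalty: service credit per 1 point of shortfall
    max_credit_pct: float        # assumed cap on the credit


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime


def availability_pct(outages, period_start, period_end):
    """Output-based measurement: only the downtime the customer experienced
    counts, regardless of how the provider delivers the service."""
    total = (period_end - period_start).total_seconds()
    down = 0.0
    for o in outages:
        # Clip each outage to the measurement period so that an incident
        # straddling the month boundary is not counted in full.
        s = max(o.start, period_start)
        e = min(o.end, period_end)
        if e > s:
            down += (e - s).total_seconds()
    return 100.0 * (1.0 - down / total)


def downtime_budget_minutes(level, period_start, period_end):
    """Downtime the minimum level tolerates in this period; useful as an
    early warning before the level is actually breached."""
    total_min = (period_end - period_start).total_seconds() / 60.0
    return total_min * (100.0 - level.minimum_pct) / 100.0


def evaluate(level, achieved_pct):
    """Classify the achieved level against target and minimum and compute
    the service credit due under the assumed penalty clause."""
    if achieved_pct >= level.target_pct:
        status = "target met"
    elif achieved_pct >= level.minimum_pct:
        status = "minimum met, below target"
    else:
        status = "minimum breached"
    shortfall = max(0.0, level.minimum_pct - achieved_pct)
    credit = min(level.max_credit_pct, shortfall * level.credit_pct_per_point)
    return {"service": level.name, "achieved_pct": achieved_pct,
            "status": status, "shortfall_points": shortfall,
            "credit_pct": credit}


# Constructed sample: two services, one calendar month of outage records.
PERIOD_START = datetime(2023, 11, 1)
PERIOD_END = datetime(2023, 12, 1)

LEVELS = {
    "internet-banking": ServiceLevel("internet-banking", 99.5, 99.9, 10.0, 25.0),
    "card-authorization": ServiceLevel("card-authorization", 99.9, 99.95, 20.0, 50.0),
}

OUTAGES = {
    "internet-banking": [
        Outage(datetime(2023, 11, 4, 2, 0), datetime(2023, 11, 4, 3, 30)),     # 90 min
        Outage(datetime(2023, 11, 19, 10, 0), datetime(2023, 11, 19, 13, 20)),  # 200 min
    ],
    "card-authorization": [
        # 40 min in total, but only the 10 min before midnight fall in November
        Outage(datetime(2023, 11, 30, 23, 50), datetime(2023, 12, 1, 0, 30)),
    ],
}


def monthly_report(levels=LEVELS, outages=OUTAGES,
                   period_start=PERIOD_START, period_end=PERIOD_END):
    """Evaluate every service in the agreement for the period."""
    report = {}
    for name, level in levels.items():
        achieved = availability_pct(outages.get(name, []), period_start, period_end)
        report[name] = evaluate(level, achieved)
    return report


if __name__ == "__main__":
    for name, r in monthly_report().items():
        print(f"{name}: {r['achieved_pct']:.4f}% ({r['status']}), "
              f"credit {r['credit_pct']:.2f}%")
```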

Service level agreements are, by their nature, "output" based - the result
of the service as received by the customer is the subject of the
"agreement", that is, the "agreement" relates to the services the
customer receives, and not how the service provider delivers that service.
However, organizations can also specify the way the service is to be
delivered, through a specification (a service level specification) and using
subordinate "objectives" other than those related to the level of service.
This type of agreement is known as an "input" SLA. This is becoming
obsolete as organizations become more demanding and shift the delivery
methodology risk on to the provider.

Key Steps in Establishing a Service Level Agreement
A service level agreement may be an excellent tool for helping improve
communications, manage expectations, clarify responsibilities and build the
foundation for a win-win relationship. However, establishing an agreement
is neither a quick nor a simple process. Experienced professionals may
represent both parties when it comes to writing and agreeing on SLAs.
Special and particular attention must be paid to the following key steps:

1. Gather background information
Both the customer and the service provider need to start by gathering
information so that each has a solid basis from which to negotiate. Before
drawing commitments from their service provider, customers should
review and clarify their own service needs and priorities. And before making
any commitments to customers, service providers should examine their service
history and determine the level of service they can realistically provide. In
addition, service providers should assess customer satisfaction so as to clearly
understand customer concerns and establish a baseline for assessing service
improvements.

Issues to be deliberated include the division of responsibility for
development tasks, and concerns regarding potential impediments. In
addition, the developers can benefit greatly by discussing their
communication styles and preferences, i.e. types and frequencies of
various reports, etc. By identifying similarities and differences right up
front, both parties will be in an excellent position to minimize conflict.
4. Develop the agreement
This is but one step in the process of establishing an SLA; it's not
the entire process. In this step, the two parties create a structure for
the SLA document and then discuss, debate, negotiate and, over time,
reach agreement about the contents of the agreement item by item.
In doing so, they may each solicit assistance, input or feedback from
others in their respective organizations. The duration of this step
typically varies from several weeks to several months, depending on
the developers' previous experience with SLAs, their familiarity with
the key elements of an SLA, the demands of their other
responsibilities, and the state of the relationship between the two
organizations.
5. Generate buy-in
The result of Step 4 is a draft of an agreement, not a completed or
final agreement. Before implementing an SLA, all members of both
parties who have a stake in, or responsibility for, the success of the
agreement should have an opportunity to review the draft, raise
queries, and offer suggestions. Using this feedback, the developers can
conduct further negotiations, gain the necessary approvals, and finalize
the document. In addition to generating buy-in, this step also
improves the quality of the final document.
6. Complete pre-implementation tasks
This step entails the identification and completion of tasks that must
precede SLA implementation. Such tasks might include, for example,
developing tracking mechanisms, establishing reporting processes,
developing procedures for carrying out stated responsibilities,
communicating expectations to staff, providing pertinent training.
7. Implement and manage the agreement
An agreement that is not managed fails upon implementation.
Management responsibilities include providing a point of contact for
problems related to the agreement, maintaining ongoing contact with
the other party, conducting service reviews, coordinating and
implementing modifications to the SLA, and assessing and reporting
on how the two parties can further enhance their working
relationship.

Third-party Service Bureau

A service bureau is a company which provides business services for a fee.
The term has been extensively used to describe technology-based services to
financial services companies, particularly banks. Customers of a service
bureau typically do not have the scale or expertise to incorporate these
services in their internal operations and prefer to outsource them to a
service bureau. Outsourced payroll services are a commonly provisioned
service from a service bureau. Service bureaus may offer a variety of
software packages, batch processing services (data entry, COLD, etc.) as
well as custom programming.

The service bureau's value to its customers is a combination of technology,
process and business domain expertise. Their business model is based on their
ability to productize their services and deploy them in volume to a very large
customer base. In the modern context, technology is a key enabler to achieving
this scale.

The most common contemporary technologies that support the service bureau
business model are SaaS (Software as a Service) and SOA (Service Oriented
Architecture). The evolution of these technologies has led to the revival of the
service bureau business model, which is increasingly known as Services 2.0.

Software as a Service (SaaS) has the potential to transform the way information
technology (IT) departments relate to and even imagine their role as providers of
computing services to the rest of the enterprise. The emergence of SaaS as an
effective software delivery mechanism creates an opportunity for IT departments to
change their focus from deploying and supporting applications to managing the
services that those applications provide. A successful service-centric IT, in turn,
directly produces more value for the business by providing services that draw
from both internal and external sources and align closely with business goals.

In contrast to the one-time licensing model commonly used for on-premise
software, SaaS application access is frequently sold using a subscription model,
with customers paying an ongoing fee to use the application. Pricing structures
vary from application to application; some providers charge a flat rate for
unlimited access to some or all of the application's features, while others charge
varying rates that are based on usage. In the SaaS model the software/application
resides on the service provider's servers and the client can access it using the
Internet or any other high-capacity network. In this manner, SaaS offers
substantial opportunities for organizations of all sizes to shift the risks of
software acquisition, maintenance and patching etc., and to move IT from a
reactive cost center to a proactive, value-producing part of the enterprise.

Enterprises should quickly respond to business changes with agility; leverage
existing investments in applications and application infrastructure to address
newer business requirements; support new channels of interaction with
customers, partners, and suppliers; and feature an architecture that supports
organic business. Unfortunately the present infrastructure of organizations is
not capable of doing all this.

The reality in IT enterprises is that infrastructure is heterogeneous: operating
systems, applications, system software, and application infrastructure. This is because
infrastructure has been developed over time in piecemeal fashion upon need. The
heterogeneous nature of IT infrastructure makes it difficult to connect the IT systems of
an organization or the IT systems of two separate organizations, thus making data
sharing difficult or impossible, and depriving the organization of potential
advantages.

SOA is all about making disparate systems work together seamlessly. SOA, with its
loosely coupled nature, allows enterprises to plug in new or upgrade existing
services in a gradual fashion to address new requirements, provides the
option to make the services consumable through different channels, and exposes the
existing enterprise and legacy applications as services, thereby safeguarding existing IT
infrastructure investments.

Summary

Modern businesses need to develop specific capabilities to survive and prosper.
Technology is the enabler of these capabilities. Technology-based
capabilities are costly to acquire and maintain, and one solution is
outsourcing. Outsourcing is contracting with another company or
person to do a particular function. Almost every organization
outsources in some way.

Typically, the function being outsourced is considered non-core to the
business. There are many reasons that companies outsource various
jobs, but the most prominent advantage seems to be the fact that it
often saves money. Outsourcing also allows companies to focus on
other business issues while the outside experts are dealing with
specific functions. Other advantages include: control of budget,
higher quality service due to focus and expertise of the supplier,
improved risk management, etc.

Despite all its advantages, not all outsourcing alliances are successful.
The most common causes of outsourcing relationship failures include
poorly defined goals and requirements and a lack of outsourcing
contract management capability, the inability of parties to consider
each other's interests and lack of communication.

One outsourcing disadvantage is that it can eliminate direct
communication between a company and its clients. This prevents a
company from building solid relationships with their customers, and
often leads to dissatisfaction on one or both sides.

'Managed services' is an umbrella term for third-party monitoring and
maintaining of computers, networks and software. Managed service
providers enable companies to offload specific IT operations. Such
service providers can offer services such as alerts, security, patch
management, data backup and recovery. Managed service providers
usually price their services on a subscription basis.

Managed services can also constitute a risk to an organization
because they can create a dependency on skills from outside the
organization, and thus the extent of this risk should be quantified.
Contracts for managed services are typically shorter than those for
strategic outsourcing.

Service level agreements play a vital role in managing outsourcing
and managed services relationships. A service level agreement (SLA) is
a negotiated agreement between two parties where one is the
customer and the other is the service provider. The SLA records a
common understanding about services, priorities, responsibilities,
guarantees, and warranties.

A service bureau is a company which provides business services for a
fee. The term has been extensively used to describe technology-based
services to financial services companies, particularly banks. The most
common contemporary technologies that support the service bureau
business model are SaaS (Software as a Service) and SOA (Service
Oriented Architecture).

Reference Links

http://ezinearticles.com/?Why-Does-Outsourcing-Often-Fail-to-Deliver-Any-Benefit?&id=15492

http://www.outsourcing-center.com/2004-08-what-causes-outsourcing-failures-article-37826.fc

http://www.butlergroup.com/research/reportHomePages/Managed%20Services/MS_Management_Summary.pdf

http://EzineArticles.com/4472862

http://www.ctmea.com/2011/04/06/huawei-banks-on-managed


Part 9: IT Security and Risk Mitigation

In this part:

■ Basic Principles
■ IT audit framework/standardization
■ International standards of IT security
■ Business Continuity Plan (BCP)
■ Professionalism and ethical standards



IT Security and Risk Mitigation

Learning Outcome By the end of this chapter you should be able to:

■ Define IT security methods
■ Differentiate between authorization and authentication
■ Define banking IT security standards and processes
■ Analyze the different ethical issues which may arise due to noncompliance and the
manner in which they can be addressed
■ Define the IT audit framework
■ Explain the rationale of conducting IT audit in a financial institution
■ Differentiate between a good and sub-optimal IT audit framework
■ State the importance and the purpose of SBP IT Audit
■ Recall the basic international standards of IT security
■ Describe risk management
■ Distinguish between a good security management structure and a sub-optimal
process
■ Explain the concept of a Business Continuity Plan
■ List the main features of a good BCP
■ Describe the impact of not having a BCP
■ Describe the impact of having a sub-optimal BCP
■ Describe the core concepts behind a professional and ethical IT framework

Basic Principles

Information Technology plays an important and vital role in all sectors of society. As a
consequence, security has become an essential component of IT. However, it is a complex
subject and the appropriate measures often depend, to a large extent, on the type and
location of the IT equipment, nature of business, budget constraints and the willingness to
counter threats.

The potential security threats and risks have to be carefully assessed in every situation. It
is absolutely vital that all concerned are made aware of the threats and risks that may affect
them, and over which they have control. Only then will they fully understand and apply
the appropriate security procedures.

In order to fully appreciate security, it is necessary to understand what risk is. Risk in terms
of security may mathematically be characterized by the equation:
Risk = (Threat x Vulnerability) / Countermeasures

The threat represents the type of action that is likely to be of harm, the vulnerability
(sometimes called flaws or breaches) represents the level of exposure to threats in a
particular context. Finally, the countermeasures are all of the actions implemented to
prevent the threat.

The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat
does use a vulnerability to inflict harm, it has an impact. In the context of information
security, the impact is a loss of availability, integrity, and confidentiality, and possibly other
losses (lost income, loss of life, loss of real property).
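As an added worked example (not from the book), the equation above applied to a small constructed risk register in Python. The asset names and scores are made up; the 1 to 5 scales, and the convention that countermeasures score 1 when none are in place so the divisor is never zero, are assumptions of this example:

```python
from dataclasses import dataclass

# Constructed qualitative scales, 1 = low ... 5 = high (an assumption of this
# example, not the book's). Countermeasures are scored from 1 (none in place)
# upwards, so Risk = (Threat x Vulnerability) / Countermeasures never divides
# by zero and an unprotected asset keeps its full Threat x Vulnerability score.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class RiskEntry:
    asset: str
    threat: int           # how likely/severe the harmful action is
    vulnerability: int    # degree of exposure to that threat in this context
    countermeasures: int  # effectiveness of the controls in place, 1 = none

    def risk(self) -> float:
        for name in ("threat", "vulnerability", "countermeasures"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")
        return (self.threat * self.vulnerability) / self.countermeasures


def ranked(register):
    """Highest residual risk first: where the next control budget should go."""
    return sorted(register, key=lambda e: e.risk(), reverse=True)


def risk_with_stronger_controls(entry: RiskEntry, new_countermeasures: int) -> float:
    """Residual risk if the asset's countermeasure score were raised."""
    return RiskEntry(entry.asset, entry.threat, entry.vulnerability,
                     new_countermeasures).risk()


# Constructed register: made-up assets and scores for illustration only.
REGISTER = [
    RiskEntry("internet banking portal", threat=5, vulnerability=4, countermeasures=2),
    RiskEntry("branch file server", threat=3, vulnerability=3, countermeasures=1),
    RiskEntry("isolated test lab", threat=2, vulnerability=5, countermeasures=5),
]

if __name__ == "__main__":
    for e in ranked(REGISTER):
        print(f"{e.asset:24s} risk = {e.risk():5.2f}")
```

The ranking shows the point the text makes about countermeasures: the file server with no controls scores almost as high as the exposed portal, and raising its countermeasure score from 1 to 3 cuts its residual risk to a third.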

The countermeasures to be implemented are not only technical solutions but also
include user training and awareness as well as dearly defined rules.

In order to secure a system, the potential threats must be identified so as to identify
and anticipate the enemy's course of action.

IT infrastructure / Information systems are generally defined as all of a company's data
and the hardware material and software resources that allow a company to store,
manipulate and circulate this data. Information systems are essential to companies
and must be protected. IT security generally consists in ensuring that an organization's
data, material and software resources are used only for their intended purposes.

IT security generally comprises six main goals:

■ Integrity: guaranteeing that the data are those that they are believed to be
■ Confidentiality: ensuring that only authorized individuals have access to the
resources
■ Availability: guaranteeing the information system's proper operation
■ Non-repudiation: guaranteeing that an operation cannot be denied
■ Authentication: ensuring that only authorized individuals have access to the
resources
■ Authorization: determining the level of access of a particular authenticated user

The IT security guarantees the right to access a system's data and resources by setting
up authentication and control mechanisms that ensure that the users of these
resources only have the rights that were granted to them.

It is easy to confuse the mechanism of authentication with that of authorization. In
many host-based systems (and even some client/server systems) the two mechanisms
are performed by the same hardware and, in some cases, the same software. It is
important to draw the distinction between these two mechanisms, however, since they
can (and perhaps should) be performed by separate systems.

Authentication is the mechanism whereby systems may securely identify their users.
Authentication systems provide answers to the questions:

■ Who is the user?
■ Is the user really who he/she represents himself to be?

An authentication system may be as simple (and insecure) as a plain-text password
challenging system or more complicated, involving biometrics. In all cases,
however, authentication systems depend on some unique bit of information known
(or available) only to the individual being authenticated and the authentication
system. Such information may be a classical password, some physical property of the
individual (fingerprint, retinal vascularization pattern, etc.), or some derived data (as in
the case of smartcard systems). In order to verify the identity of a user, the
authenticating system typically challenges the user to provide his unique information (his
password, fingerprint, etc.). If the authenticating system can verify that the required
information was presented correctly, the user is considered authenticated and access is
granted.

Authorization, by contrast, is the mechanism by which a system determines what level of
access a particular authenticated user should have to resources controlled by the
system. For example, a database management system might be designed so as to provide
certain specified individuals with the ability to retrieve information from a database but
not the ability to change data stored in the database, while giving other individuals the
ability to change data.

Authorization systems provide answers to the questions:

■ Is user X authorized to access resource R?
■ Is user X authorized to perform operation P?

Authentication and authorization are somewhat tightly coupled: authorization systems
depend on secure authentication systems to ensure that users are who they claim to be and
thus prevent unauthorized users from gaining access to secured resources.
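The coupling just described, as an added example that is not from the book: a small Python model in which authentication answers "who is the user, and is it really them" with a salted PBKDF2 password check, and authorization then answers "may user X perform operation P on resource R" from a separate table, exactly the read-but-not-update database case in the text. The user names, passwords, resource name, permission table and iteration count are constructed for illustration:

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption for this example; tune for your hardware


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted one-way derivation: the stored value is useless to anyone who
    # steals it, yet lets the system verify a presented password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_user_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt)}


# Constructed credential store (not real users or passwords).
USERS = {
    "teller_a": make_user_record("constructed-pass-1"),
    "analyst_b": make_user_record("constructed-pass-2"),
}

# Constructed authorization table, kept separate from the credential store:
# the text's database example, where some users may read but not change data.
PERMISSIONS = {
    "teller_a": {"accounts_db": {"read", "update"}},
    "analyst_b": {"accounts_db": {"read"}},
}

_DUMMY_SALT = b"\x00" * 16


def authenticate(username: str, password: str) -> bool:
    """Who is the user, and is it really them?"""
    record = USERS.get(username)
    if record is None:
        _derive(password, _DUMMY_SALT)  # same cost for unknown names, so timing reveals nothing
        return False
    return hmac.compare_digest(_derive(password, record["salt"]), record["hash"])


def authorize(username: str, resource: str, operation: str) -> bool:
    """Is user X authorized to perform operation P on resource R?"""
    return operation in PERMISSIONS.get(username, {}).get(resource, set())


def access(username: str, password: str, resource: str, operation: str) -> str:
    """Authorization is consulted only for an identity that authenticated."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, resource, operation):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(access("analyst_b", "constructed-pass-2", "accounts_db", "update"))
```

Two design points worth noticing: the permission table is looked up by the authenticated name, never by anything the caller typed, and the failure message does not say whether the name or the password was wrong.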

The need for IT security in banks and financial institutions needs no justification. Financial
institutions must ensure the security of their IT infrastructure and data. Financial institutions
spend handsome amounts on security. The State Bank of Pakistan (SBP) has also asked
banks to adopt security standards to ensure the safety, security and maintenance of
transactions. Banks must design fool-proof data security processes. SBP has issued various
guidelines on critical subjects pertaining to business continuity and data security and safety.

Some IT security and related standards that are available for financial institutions include:

ISO/TR 17944:2002 Banking - Security and other financial services - Framework for security in
financial systems. It provides a framework for standards dealing with security that are deemed
necessary for the financial industry. It consists of an inventory of the key security issues in the
financial industry.

ISO 9564-1:2011 Financial services - Personal Identification Number (PIN) management and
security - Part 1: Basic principles and requirements for PINs in card-based systems.

ISO/TR 14742:2010 Financial services - Recommendations on cryptographic algorithms and
their use.

Cryptography

Information security uses cryptography to transform usable information into a form that
renders it unusable by anyone other than an authorized user; this process is called
encryption. Information that has been encrypted (rendered unusable) can be transformed
back into its original usable form by an authorized user, who possesses the cryptographic
key, through the process of decryption. Cryptography is used in information security to protect
information from unauthorized or accidental disclosure while the information is in transit
and while information is in storage.

Cryptography provides information security with other useful applications as well,
including improved authentication methods, digital signatures, nonrepudiation, and
encrypted network communications.

Cryptography can, however, introduce security problems when it is not implemented
correctly. Cryptographic solutions need to be implemented using industry accepted
solutions that have undergone rigorous peer review by independent experts in
cryptography. The length and strength of the encryption key is also an important
consideration. A key that is weak or too short will produce weak encryption. The keys
used for encryption and decryption must be protected with the same degree of rigor as
any other confidential information. They must be protected from unauthorized disclosure
and destruction.

Firewalling

A firewall is a first line of defense and protective barrier between the company's internal
network and the outer world. It can be software or hardware and it is configured and
attached to the gateway computer. It encrypts, filters, monitors, permits or denies all
the network traffic. A system without a firewall can easily be attacked by viruses,
hackers, intruders, unauthorized access and other internal and external threats. It
regulates the traffic between the computer network and the Internet. It protects the
resources of the private network from internal and external threats.

A firewall management program can be configured in one of two basic ways:

■ A default-deny policy. The firewall administrator lists the allowed network services,
and everything else is denied.
■ A default-allow policy. The firewall administrator lists network services which are not
allowed, and everything else is accepted.
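The two policies side by side, as an added Python simulation that is not from the book: the same constructed inbound traffic is evaluated under a default-deny allow list and a default-allow block list, and a check reports which services with no explicit rule at all still get through. The service lists, port numbers and traffic sample are constructed for illustration:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    proto: str
    dst_port: int


# Constructed service lists. Under default-deny the administrator lists what is
# allowed; under default-allow the administrator lists what is blocked.
ALLOWED_SERVICES = {("tcp", 443), ("tcp", 22)}
BLOCKED_SERVICES = {("tcp", 23), ("tcp", 445)}


def default_deny(conn: Connection) -> bool:
    """Permit only the listed services; anything not listed is dropped."""
    return (conn.proto, conn.dst_port) in ALLOWED_SERVICES


def default_allow(conn: Connection) -> bool:
    """Drop only the listed services; anything not listed passes."""
    return (conn.proto, conn.dst_port) not in BLOCKED_SERVICES


# Constructed inbound traffic sample: two expected services, one explicitly
# blocked service, and two services nobody wrote a rule for.
SAMPLE_TRAFFIC = [
    Connection("tcp", 443),
    Connection("tcp", 22),
    Connection("tcp", 23),
    Connection("tcp", 3389),
    Connection("tcp", 6379),
]


def evaluate(policy, traffic=SAMPLE_TRAFFIC) -> dict:
    """Map each destination port to the policy's decision (True = permitted)."""
    return {c.dst_port: policy(c) for c in traffic}


def unlisted_but_permitted(policy, traffic=SAMPLE_TRAFFIC) -> list:
    """Services with no explicit rule that the policy nevertheless lets through.
    A non-empty result means security depends on the block list being complete,
    which it never is for services that appear after the list was written."""
    listed = ALLOWED_SERVICES | BLOCKED_SERVICES
    return [c.dst_port for c in traffic
            if (c.proto, c.dst_port) not in listed and policy(c)]


if __name__ == "__main__":
    print("default-deny  :", evaluate(default_deny))
    print("default-allow :", evaluate(default_allow))
    print("unlisted but permitted under default-allow:",
          unlisted_but_permitted(default_allow))
```

Under default-deny the two unlisted services are dropped without anyone having to know about them; under default-allow they pass, which is why the default-deny posture is the one normally expected at a bank's Internet gateway.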

IT, Security and Ethical Issues

Ethics refers to the principles of right and wrong that individuals (also organizations),
acting as free moral agents, use to make choices to guide their behaviors. Information
systems raise new ethical questions for both individuals and societies because they create
opportunities for intense social change, and thus threaten existing distributions of power,
money, rights, and obligations. Like other technologies, such as steam engines, electricity,
the telephone, and the radio, information technology can be used to achieve social
progress, but it can also be used to commit crimes and threaten cherished social values.

Ethical issues in information systems have been given new urgency by the rise of the
Internet and electronic commerce. Internet and digital firm technologies make it easier
than ever to assemble, integrate, and distribute information, unleashing new concerns
about the appropriate use of customer information, the protection of personal privacy,
and the protection of intellectual property. Insiders with special knowledge can "fool"
information systems by submitting phony records, and diverting cash, on a scale
unimaginable in the pre-computer era.

Other pressing ethical issues raised by information systems include establishing
accountability for the consequences of information systems, setting standards to
safeguard system quality that protects the safety of the individual and society, and
preserving values and institutions considered essential to the quality of life in an
information society.

Ethical issues long preceded information technology. Nevertheless, information
technology has heightened ethical concerns, taxed existing social arrangements, and
made some laws obsolete or severely crippled. Information technologies and systems
have also created new opportunities for criminal behavior and mischief. There are four
key technological trends responsible for these ethical stresses and they are summarized
in Table below:

TREND IMPACT

implement policies regarding Internet/intranet use, use of removable
media and intelligent assignment of rights and privileges.

In addition to lost business and damaged company reputation, an
important dimension of security breaches and noncompliance is the
damage to clients' privacy. The bank or any other business is the
custodian of clients' personal and business information and any leak
or compromise raises serious legal and ethical questions.

Some businesses unethically share, in fact sell, their clients' data to
other businesses e.g. marketing companies. Sometimes businesses
don't do this directly but due to poor security policies, the employees
indulge in these unethical acts for monetary gains. At the end of the
day, however, the business is responsible and has to face the music.
The obvious solution to most problems is to give IT security its due
importance. Companies must educate their employees on ethical
matters through shared-vision campaigns and in-house trainings etc.

IT Audit Framework / Standardization

Organizations today operate in a dynamic global multi-enterprise
environment with team-oriented collaboration and place very
stringent requirements on the telecommunications networks and IT
infrastructure to remain operative. The design of such systems is
complex and management can be very difficult. Organizations are
critically dependent on the timely flow of accurate information.

Consequently, the role of information technology (IT) control and
audit has become a critical mechanism for ensuring the integrity of
information systems (IS) and the reporting of organization finances to
avoid and hopefully prevent financial fiascos. Global economies are
more interdependent than ever and geopolitical risks impact
everyone. Electronic infrastructure and commerce are integrated in
business processes around the globe. The need to control and audit
IT has never been greater.

An Information Technology audit (also called Information Systems
Audit, EDP audit, computer audit) is an examination of the checks and
balances, or controls, within an information technology (IT)
group/department/function. IT audits are a critical component of the
regulatory compliance process. In general, the IT auditors will attempt
to determine whether the organization is in compliance with the IT
regulations and standards that it must address.

An IT audit collects and evaluates "evidence" of an organization's
information systems, practices, and operations. The evaluation of this
evidence determines if the information systems are safeguarding the
information assets, maintaining data integrity, and operating
effectively and efficiently to achieve the organization's business goals
or objectives.

During the audit (IT and others), the auditors primarily look for
evidence that indicates:

■ The organization has designed effective controls to address their
compliance requirements and that there are no design
deficiencies.
■ The organization consistently applies the controls they have designed
and that there are no operational deficiencies.

If the auditors do not find evidence of an effective control program, or they
find that the organization is not adhering to the control program, they document
these deficiencies in their final audit report. This audit report is generally provided
to the organization's audit committee so that identified issues receive the
appropriate level of management exposure. Obviously, it is preferable that there
be no deficiencies noted in this report.

The primary function of an IT audit is to evaluate the systems that are in place to guard
an organization's information. Specifically, information technology audits are used to evaluate
the organization's ability to protect its information assets and to properly dispense information
to authorized parties. The IT audit aims to evaluate the following:

■ Will the organization's computer systems be available for the business at all times when
required? (known as availability)
■ Will the information in the systems be disclosed only to authorized users? (known as
security and confidentiality)
■ Will the information provided by the system always be accurate, reliable, and timely?
(measures the integrity)

In this way, the audit hopes to assess the risk to the company's valuable asset (its information)
and establish methods of minimizing those risks.

As computer technology has advanced, banks and financial institutions have become
increasingly dependent on computerized information systems to carry out their operations
and to process, maintain, and report essential information. As a consequence, the reliability
of computerized data and the systems that process, maintain and report these data are
a concern to auditors. IT auditors evaluate the reliability of computer-generated data supporting
financial statements and analyze specific programs and their outcomes. In addition, IT
auditors examine the adequacy of controls in information systems and related operations to
ensure system effectiveness.

Use of computer facilities has brought about radically different ways of processing,
recording and controlling information and has combined many previously separated
functions. The potential for material systems error has thereby been greatly increased,
causing great costs to the organization; e.g., the highly repetitive and real-time nature of
many computer applications means that small errors may lead to large losses. An error in
the calculation of income tax to be paid by employees in a manual system will not occur in
each case, but once an error is introduced in a real-time computer system, it will affect
each case. A bank may suffer huge losses on account of an error of rounding off to the next
rupee instead of the nearest rupee. This makes it imperative for the auditor to test the invisible
processes, and identify the vulnerabilities in a computer information system, as the cost
involved, because of errors and irregularities, can be extremely high.
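The rounding error in the paragraph above, as an added Python example that is not the book's own: a recalculation test of the kind an IT auditor runs over posted interest. One posting rule rounds up to the next rupee (the fault), the policy rule rounds to the nearest rupee, and the check recomputes every figure independently and reports the exceptions and the total overpaid. The account ids, balances and the 4% rate are constructed:

```python
from decimal import Decimal, ROUND_CEILING, ROUND_HALF_UP

# Constructed data: account ids, balances in rupees and a rate chosen for
# illustration only (not real accounts).
RATE = Decimal("0.04")
ACCOUNTS = [
    ("A001", Decimal("1000.00")),
    ("A002", Decimal("2510.00")),
    ("A003", Decimal("3327.50")),
    ("A004", Decimal("4912.25")),
    ("A005", Decimal("5525.00")),
    ("A006", Decimal("6087.50")),
    ("A007", Decimal("7763.75")),
]

ONE_RUPEE = Decimal("1")


def interest_in_whole_rupees(balance: Decimal, rate: Decimal, rounding: str) -> Decimal:
    """Interest on one balance, rounded to whole rupees under the given mode.
    ROUND_CEILING is the faulty 'next rupee' rule; ROUND_HALF_UP is the
    'nearest rupee' rule the policy requires."""
    return (balance * rate).quantize(ONE_RUPEE, rounding=rounding)


def post_interest(accounts, rounding: str) -> dict:
    """What the batch job posts to every account under one rounding rule.
    A single wrong rounding mode here is applied to every account, every run."""
    return {acct: interest_in_whole_rupees(bal, RATE, rounding) for acct, bal in accounts}


def recalculation_check(posted: dict, accounts, rate: Decimal = RATE):
    """Audit test: recompute each figure independently with the policy rule and
    return (per-account differences, total overpaid). A one-rupee difference is
    invisible on any single statement but adds up across the whole book."""
    exceptions = {}
    for acct, bal in accounts:
        expected = interest_in_whole_rupees(bal, rate, ROUND_HALF_UP)
        if posted[acct] != expected:
            exceptions[acct] = posted[acct] - expected
    return exceptions, sum(exceptions.values(), Decimal(0))


if __name__ == "__main__":
    faulty = post_interest(ACCOUNTS, ROUND_CEILING)
    diffs, total = recalculation_check(faulty, ACCOUNTS)
    print(diffs, "total overpaid:", total, "rupees")
```

On these seven accounts the faulty rule overpays on exactly those whose fractional interest lies below half a rupee; the same test run against the full ledger, where the control is reviewed on a sample, is how a systematic error of this kind is caught before it compounds over many posting cycles.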

The following (non-universal) process describes the general activities auditors conduct
during an audit:

■ Step 1: Plan the audit (auditor)
■ Step 2: Hold audit kickoff meeting (auditor/organization)
■ Step 3: Gather data and test IT controls (auditor/organization)
■ Step 4: Remediate identified deficiencies (organization)
■ Step 5: Test remediated controls (auditor/organization)
■ Step 6: Analyze and report findings (auditor)
■ Step 7: Respond to findings (organization)
■ Step 8: Issue final report (auditor)

How to Optimize the Audit Process
There are many ways to make the audit process more efficient and less difficult. These
include:

■ Working with the auditor early in the process to understand the key areas on which they
plan to focus during the audit. In some cases, organizations can reprioritize projects to
ensure they address what the auditors see as key risks in the environment, thus avoiding
deficiencies in the audit.

■ Implement automated IT controls whenever possible. These controls are superior to
manual ones because auditors can more easily test and validate them. The best way to
optimize the efficiency and lower the cost of the IT audit process for the organization is
to:

■ Maintain clean and concise documentation of IT controls and keep it updated.

■ Organize IT controls to work with the framework that the auditors use. This will help
ensure that the organization being audited and auditors communicate clearly about the
regulatory objectives.

■ Take advantage of an IT controls framework. This will help to more effectively address a
variety of regulations with a single set of controls.

Audits must be methodically performed by examining and reviewing the requirements and
the actions being performed against them. Audits are essential not only for the individual or
company, they are essential to protect those who have a vested interest in the operations.

Good Audit Practices

The first principle is an important one, honesty. Honesty is critically important in the audit
process. Honesty must exist in the audit process from beginning to end or the results and
the documentation to support them will be questioned. Without honesty in the audit
process bad decisions can be made which can have far reaching effect.

Accuracy is another important quality of a good audit. All records and information must be
accurate. Records may be accurate for their content but if they do not contain all applicable
information then they are incomplete and unreliable.

In relation to the characteristic of accuracy data that is accurate can be considered reliable.
Reliability is a factor upon which companies must base decisions. Reliable sources of
information or documentation means the data or source can be trusted.

Completeness in the audit process is a desirable characteristic which means that
documentation of the facts is complete. Many times there is so much
information on an issue or area that it may be difficult to determine when enough
information is enough.

Another good audit principle involves the qualifications of individuals conducting an audit.

Need for Frameworks

In recent years, it has become increasingly evident that there is a need for a reference
framework for security and control in IT. Successful organizations require an appreciation
for and a basic understanding of the risks and constraints of IT at all levels within the
enterprise in order to achieve effective direction and adequate controls.

Management has to decide what to reasonably invest for security and control in IT and
how to balance risk and control investment in an often unpredictable IT environment. While
information systems security and control help manage risks, they do not eliminate them. In
addition, the exact level of risk can never be known since there is always some degree of
uncertainty. Ultimately, management must decide on the level of risk it is willing to accept.
Judging what level can be tolerated, particularly when weighted against the cost, can be a
difficult management decision. Therefore, management clearly needs a framework of
generally accepted IT security and control practices to benchmark the existing and planned
IT environment. The Committee of Sponsoring Organizations' (COSO) Integrated Framework
has often been the framework that dictated all internal control assessment and testing.
However, with the introduction of the Information Systems Audit and Control Association's
(ISACA) Control Objectives for Information Technology (COBIT), its adoption by auditors,
both internal and external, has been gaining ground.

COBIT (Control Objectives for Information Technology)


COBIT is an IT governance framework and supporting toolset that allows managers to
bridge the gap between control requirements, technical issues and business risks. COBIT
enables clear policy development and good practice for IT control throughout organizations.
COBIT emphasizes regulatory compliance, helps organizations to increase the value
attained from IT, enables alignment and simplifies implementation of the COBIT framework.

Business orientation is the main theme of COBIT. It is designed to be employed not only by
users and auditors, but also, and more importantly, as comprehensive guidance for
management and business process owners. Increasingly, business practice involves the full
empowerment of business process owners so they have total responsibility for all aspects of
the business process.

The Framework consists of a set of 34 high-level Control Objectives, one for each of the IT
processes, grouped into four domains: planning and organization, acquisition and
implementation, delivery and support, and monitoring. This structure covers all aspects of
information and the technology that supports it. By addressing these 34 high-level control
objectives, the business process owner can ensure that an adequate control system is
provided for the IT environment.
IT governance guidance is also provided in the COBIT Framework. IT
governance provides the structure that links IT processes, IT resources
and information to enterprise strategies and objectives. IT governance
integrates optimal ways of planning and organizing, acquiring and
implementing, delivering and supporting, and monitoring IT
performance. IT governance enables the enterprise to take full
advantage of its information, thereby maximizing benefits, capitalizing
on opportunities and gaining competitive advantage.

Information Technology Infrastructure Library (ITIL)


ITIL is the most widely adopted approach for IT Service Management in the world. It
provides a practical, no-nonsense framework for identifying, planning, delivering and
supporting IT services to the business. ITIL advocates that IT services must be aligned to
the needs of the business and strengthen the core business processes. It provides guidance
to organisations on how to use IT as a tool to facilitate business change, transformation
and growth.

ITIL provides a framework for the governance of IT and focuses on the continual
measurement and improvement of the quality of IT service delivered, from both a business
and a customer perspective. This focus is a major factor in ITIL's worldwide success and
has contributed to its prolific usage and to the key benefits obtained by those organizations
deploying the techniques and processes throughout their organizations. Some of these
benefits include:

■ increased user and customer satisfaction with IT services
■ improved service availability, directly leading to increased business profits and revenue
■ financial savings from reduced rework, lost time, and improved resource management
and usage
■ improved time to market for new products and services
■ improved decision making and optimized risk.

ITIL was published between 1989 and 1995. Its early use was
principally confined to the UK and Netherlands. A second version of
ITIL was published as a set of revised books (hence library) between
2000 and 2004.

The initial version of ITIL consisted of a library of 31 associated books covering all aspects
of IT service provision. This initial version was then revised and replaced by seven, more
closely connected and consistent books (ITIL V2) consolidated within an overall framework.
This second version became universally accepted and is now used in many countries by
thousands of organizations as the basis for effective IT service provision. In 2007, ITIL V2
was superseded by an enhanced and consolidated third version of ITIL, consisting of five
core books covering the service lifecycle, together with the Official Introduction.

Business Continuity Planning (BCP)

Business Continuity refers to the activities required to keep an organization running during
a period of displacement or interruption of normal operation, whereas a related term,
Disaster Recovery, is the process of rebuilding a company's operation or infrastructure after
the disaster has passed.

According to the Business Continuity Institute, "Business continuity plan is a collection of
procedures and information which is developed, compiled and maintained in readiness for
use in the event of an emergency or disaster."

Disaster might occur at any time, so all businesses, and especially IT-dependent ones, must
be prepared. Depending on the size and nature of the business, a plan is designed to
minimize the disruption caused by a disaster and help the business remain competitive.

Due to the advancement of Information Technology (IT), business nowadays depends heavily
on IT. With the emergence of e-business, many businesses can't even survive without
operating 24 hours per day and 7 days a week. A single downtime might mean disaster to
their business. Therefore the traditional Disaster Recovery Plan (DRP), which focuses on
restoring the centralized data center, might not be sufficient. A comprehensive and rigorous
Business Continuity Plan (BCP) is needed to achieve a state of business continuity where
critical systems and networks are continuously available.

A Business Continuity Plan is needed when there is a disruption to the business, whether from
an equipment failure or a natural disaster. The Business Continuity Plan should cover the
occurrence of the following events:

a) Equipment failure (such as disk crash).
b) Disruption of power supply or telecommunication.
c) Application failure or corruption of database.
d) Human error, sabotage or strike.
e) Malicious Software (Viruses, Worms, Trojan horses) attack.
f) Hacking or other Internet attacks.
g) Social unrest or terrorist attacks.
h) Fire.
i) Natural disasters (Flood, Earthquake, Hurricanes).

With the shift of IT structure from centralized processing to distributed computing and
client/server technology, and then world-wide thanks to WANs and the Internet, a company's
data are now located across the enterprise and around the world. Therefore it is no longer
sufficient to rely on the IT department alone in Business Continuity Planning; all executives,
managers and staff must participate.

Business continuity actually involves two distinct areas:

Business continuity planning - where a plan is developed that, when implemented, will help
to prevent operational interruptions, crises and disasters happening and will help the
organization quickly return to a state of 'business as usual' should any of these events occur.
Once it is prepared, the business continuity plan must be tested to ensure that it will perform
as anticipated.

Business continuity management - this is:

- The ongoing management of the business continuity plan to ensure it is always current and
available; and
- The ongoing management of operational resilience and process within an organization, with
the aim of ensuring that
Business continuity achieves various things for organizations, with the degree of success in
each area dependent on the amount of effort, skill, resource and commitment provided by
the organization for business continuity activities. There will be a number of outcomes in
every business continuity program which are specific to the organization in question, but the
following are outcomes which should be achieved by every organization which takes
business continuity seriously:

A deeper and clearer understanding of the organization


The processes involved in developing the initial business continuity plan and then in
maintaining and managing the BCP result in a clear overview of the overall organization: its
structures, dependencies, suppliers and stakeholders. This information is not only essential
for business continuity management, it can also help planning and strategy in other non-
related areas of organizational development and management.

Proactive measures
Proactive measures are designed for the prevention of interruptions to organizational activities.
The essence of good business continuity management is the identification and
implementation of measures which can be put in place to proactively prevent operational
interruptions taking place, and to prevent crises and disasters occurring. Business continuity
management, at its highest level, is about keeping organizations operating at their maximum
capability.

Reactive measures
Reactive measures are designed for recovery from interruptions to organizational activities.
Business continuity management programs include plans for the reactive measures that will
be taken should the proactive measures that are in place fail, become overwhelmed, or are
bypassed by some unforeseen and unexpected crisis. Reactive measures enable the
organization to return to an acceptable level of operations within a desired timescale
following an interruption, disaster or crisis.

Culture change
Business continuity management programs involve an exploration of organizational culture.
Effective programs will utilize change management techniques to ensure that the
organization encourages a culture where all employees are sufficiently aware of everyday
risks and their individual responsibility to report, manage and mitigate risks.

Creating a Business Continuity Plan


A BCP typically includes five sections:

1. BCP Governance
2. Business Impact Analysis (BIA)
3. Plans, measures, and arrangements for business continuity
4. Readiness procedures
5. Quality assurance techniques (exercises, maintenance and auditing)

1. BCP Governance - Establish Control

A BCP contains a governance structure often in the form of a committee that will ensure
senior management commitments and define senior management roles and responsibilities.

The BCP senior management committee is responsible for the oversight, initiation, planning,
approval, testing and audit of the BCP. It also implements the BCP, coordinates activities,
approves the BIA survey, oversees the creation of continuity plans and reviews the results
of quality assurance activities.

Senior managers or a BCP Committee would normally:


■ approve the governance structure;
■ clarify their roles, and those of participants in the program;
■ provide strategic direction and communicate essential messages;
■ approve the results of the BIA;
■ approve the continuity plans and arrangements;
■ monitor quality assurance activities; and
■ resolve conflicting interests and priorities.

This BCP committee is normally comprised of the following members:


■ Executive sponsor has overall responsibility for the BCP committee; obtains senior
management's support and direction; and ensures adequate funding is available
for the BCP program.

■ BCP Coordinator estimates funding requirements; develops BCP policy; coordinates and
oversees the BIA process; ensures effective participant input; coordinates and
oversees the development of plans and arrangements for business continuity; and
provides for regular review, testing and audit of the BCP.

■ Security Officer works with the coordinator to ensure that all aspects of the BCP meet the
security requirements of the organization.

■ Chief Information Officer (CIO) cooperates closely with the BCP coordinator
and IT specialists to plan for effective and harmonized continuity.

■ Business unit representatives provide input, and assist in performing and
analyzing the results of the business impact analysis.

The BCP committee is commonly co-chaired by the executive sponsor and the coordinator.

2. Business Impact Analysis (BIA)

The purpose of the BIA is to identify the organization's mandate and critical services or
products; rank the order of priority of services or products for continuous delivery or rapid
recovery; and identify internal and external impacts of disruptions.

Identify the mandate and critical aspects of an organization

This step determines what goods or services must be delivered. Information can be obtained
from the mission statement of the organization, and from legal requirements for delivering
specific services and products.

Prioritize critical services or products


Once the critical services or products are identified, they must be prioritized based on
minimum acceptable delivery levels and the maximum period of time the service can be
down before severe damage to the organization results. To determine the ranking of critical
services, information is required to determine impact of a disruption to service delivery, loss
of revenue, additional expenses and intangible losses.

Identify impacts of disruptions


The impact of a disruption to a critical service or business product determines how long the
organization could function without the service or product, and how long clients would
accept its unavailability. It will be necessary to determine the time period that a service or
product could be unavailable before severe impact is felt.

Identify areas of potential revenue loss


To determine the loss of revenue, it is necessary to determine which processes and functions
that support service or product delivery are involved with the creation of revenue. If these
processes and functions are not performed, is revenue lost? How much? If services or goods
cannot be provided, would the organization lose revenue? If so, how much revenue, and for
what length of time? If clients cannot access certain services or products, would they then
go to another provider, resulting in further loss of revenue?

Identify additional expenses


If a business function or process is inoperable, how long would it take before additional
expenses would start to add up? How long could the function be unavailable before extra
personnel would have to be hired? Would fines or penalties from breaches of legal
responsibilities, agreements, or governmental regulations be an issue, and if so, what are the
penalties?

Identify intangible losses


Estimates are required to determine the approximate cost of the loss of consumer and
investor confidence, damage to reputation, loss of competitiveness, reduced market share,
and violation of laws and regulations. Loss of image or reputation is especially important for
public institutions as they are often perceived as having higher standards.

Ranking
Once all relevant information has been collected and assembled, rankings for the critical
business services or products can be produced. Ranking is based on the potential loss of
revenue, time of recovery and severity of impact a disruption would cause. Minimum service
levels and maximum allowable downtimes are then determined.

Identify dependencies
It is important to identify the internal and external dependencies of critical services or
products, since service delivery relies on those dependencies.

Internal dependencies include employee availability, corporate assets such as equipment,
facilities, computer applications, data, tools, vehicles, and support services such as finance,
human resources, security and information technology support.

External dependencies include suppliers, any external corporate assets such as equipment,
facilities, computer applications, data, tools, vehicles, and any external support services
such as facility management, utilities, communications, transportation, finance institutions,
insurance providers, government services, legal services, and health and safety services.

3. Plans for Business Continuity


This step consists of the preparation of detailed response/recovery plans and
arrangements to ensure continuity. These plans and arrangements detail the ways and
means to ensure critical services and products are delivered at minimum service levels
within tolerable down times. Continuity plans should be made for each critical service or
product.

Mitigating threats and risks


Threats and risks are identified in the BIA or in a full threat-and-risk assessment.
Moderating risk is an ongoing process, and should be performed even when the BCP is
not activated. For example, if an organization requires electricity for production, the risk of
a short term power outage can be mitigated by installing stand-by generators.

Another example would be an organization that relies on internal and external
telecommunications to function effectively. Communications failures can be minimized by
using alternate communications networks, or installing redundant systems.

Redundancy is a prerequisite to achieving high availability and business continuity. N+1
redundancy is a form of resilience that ensures system availability in the event of
component failure. Components (N) have at least one independent backup component
(+1). This level of resilience is referred to as active/passive or standby, as backup
components do not actively participate within the system during normal operation. It is
also possible to have N+1 redundancy with active-active components. An active approach is
considered superior in terms of performance and resilience. An example of N+1 redundancy
can be found in data centre power generation: if six generators are required to be working at
any time, another is available as standby. The standby is activated when any one of the six
becomes unavailable.

N+N redundancy is also an option. N+N redundancy is preferred by some companies if
their data and operations are extremely critical. N+N means that for N actual
components there are as many, i.e. N, redundant components. The availability increases
and so does the cost.

The degree of redundancy determines the system's availability. So another way to look at
this concept is in terms of availability. In IT, 99.999 (often called "five 9s") refers to a
desired percentage of availability of a given system or a system's component, such as a
server or a router.

Availability can be high or low as required, based on the criticality of data and sensitivity of
operations:

■ 99.9999% (six-nines) availability allows for 32 seconds or less of downtime per year
■ 99.999% (five-nines) availability allows for 5 minutes and 15 seconds or less of downtime
per year
■ 99.99% (four-nines) availability allows for 52 minutes, 36 seconds or less of downtime per
year
■ 99.9% (three-nines) availability allows for 8 hours, 46 minutes or less of downtime per year
■ 99% (two-nines) availability allows for 3 days 15 hours and 40 minutes per year.

Companies may select a suitable level of redundancy based on the nature of their work and
budget.
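The arithmetic behind the "nines" table and the N+1 / N+N discussion above, as an added worked example (not from this book): it converts an availability target into a yearly downtime budget and estimates the availability an N+1 or N+N arrangement of identical, independently failing components delivers. The per-generator availability of 0.99 used in the demonstration is a constructed figure, not one the book gives.

```python
"""Availability arithmetic for business-continuity planning (added example).

Two calculations a BCP team does when choosing a redundancy level:
  1. how much downtime per year an availability target actually permits, and
  2. what availability an N+1 or N+N arrangement of identical components delivers.
"""
from math import comb

# The book's downtime figures correspond to a 365.25-day year (31,557,600 s).
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def downtime_budget(availability_pct: float) -> float:
    """Seconds of downtime per year permitted by an availability percentage.

    downtime_budget(99.999) -> 315.576, i.e. roughly 5 minutes 15 seconds.
    """
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return SECONDS_PER_YEAR * (1.0 - availability_pct / 100.0)


def format_duration(seconds: float) -> str:
    """Render seconds as e.g. '3d 15h 39m 36s', dropping leading zero fields."""
    total = int(round(seconds))
    days, rem = divmod(total, 86_400)
    hours, rem = divmod(rem, 3_600)
    minutes, secs = divmod(rem, 60)
    parts = [(days, "d"), (hours, "h"), (minutes, "m"), (secs, "s")]
    while len(parts) > 1 and parts[0][0] == 0:
        parts.pop(0)
    return " ".join(f"{value}{unit}" for value, unit in parts)


def nines_table(levels=(99.0, 99.9, 99.99, 99.999, 99.9999)) -> list[tuple[float, str]]:
    """(availability %, human-readable yearly downtime budget) for each level."""
    return [(level, format_duration(downtime_budget(level))) for level in levels]


def redundant_availability(n: int, spares: int, component_availability: float) -> float:
    """Availability of a system that needs n working components out of n + spares.

    Components are assumed identical and to fail independently, so the number of
    working components is binomial. N+1 means spares == 1; N+N means spares == n.
    The system is up whenever at least n of the n + spares components are up:
        P(up) = sum_{k=n}^{n+spares} C(n+spares, k) * a**k * (1 - a)**(n+spares-k)
    """
    if n < 1 or spares < 0 or not 0.0 <= component_availability <= 1.0:
        raise ValueError("need n >= 1, spares >= 0 and 0 <= availability <= 1")
    total = n + spares
    a = component_availability
    return sum(comb(total, k) * a**k * (1.0 - a) ** (total - k) for k in range(n, total + 1))


def downtime_with_redundancy(n: int, spares: int, component_availability: float) -> str:
    """Human-readable yearly downtime implied by redundant_availability()."""
    system_pct = 100.0 * redundant_availability(n, spares, component_availability)
    return format_duration(downtime_budget(system_pct))


if __name__ == "__main__":
    for level, budget in nines_table():
        print(f"{level:>8}%  ->  {budget} of downtime per year")
    # The book's data-centre example: six generators needed at any time, compared
    # with no standby, one standby (N+1) and six standbys (N+N).
    # 0.99 availability per generator is a constructed figure for illustration.
    for spares in (0, 1, 6):
        avail = redundant_availability(6, spares, 0.99)
        print(f"6+{spares}: {100 * avail:.5f}% -> {downtime_with_redundancy(6, spares, 0.99)}/year")
```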

Analyze current recovery capabilities


Consider recovery arrangements the organization already has in place, and their continued
applicability. Include them in the BCP if they are relevant.
Create continuity plans
Plans for the continuity of services and products are based on the results of the BIA. Ensure
that plans are made for increasing levels of severity of impact from a disruption. For example,
if limited flooding occurs beside an organization's building, sand bagging may be used in
response. If water rises to the first floor, work could be moved to another company building
or higher in the same building. If the flooding is severe, the relocation of critical parts of the
business to another area until flooding subsides may be the best option.

Another example would be a company that uses paper forms to keep track of inventory until
computers or servers are repaired, or electrical service is restored. For other institutions, such
as large financial firms, any computer disruptions may be unacceptable, and an alternate site
and data replication technology must be used.

The risks and benefits of each possible option for the plan should be considered, keeping
cost, flexibility and probable disruption scenarios in mind. For each critical service or product,
choose the most realistic and effective options when creating the overall plan.

Response preparation
Proper response to a crisis for the organization requires teams to lead and support recovery
and response operations. Team members should be selected from trained and experienced
personnel who are knowledgeable about their responsibilities.

The number and scope of teams will vary depending on organization's size, function and
structure, and can include:

■ Command and Control Teams that include a Crisis Management Team, and a Response,
Continuation or Recovery Management Team.

■ Task Oriented Teams that include an Alternate Site Coordination Team, Contracting and
Procurement Team, Damage Assessment and Salvage Team, Finance and Accounting
Team, Hazardous Materials Team, Insurance Team, Legal Issues Team,
Telecommunications/Alternate Communications Team, Mechanical Equipment Team,
Mainframe/Midrange Team, Notification Team, Personal Computer/Local Area Network Team,
Public and Media Relations Team, Transport Coordination Team and Vital Records
Management Team.
The duties and responsibilities for each team must be defined, and include identifying the
team members and authority structure, identifying the specific team tasks, member's roles
and responsibilities, creation of contact lists and identifying possible alternate members.
For the teams to function in spite of personnel loss or availability, it may be necessary to
multitask teams and provide cross-team training.

Alternate facilities
If an organization's main facility or Information Technology assets, networks and applications
are lost, an alternate facility should be available. There are three types of alternate facility:

1. Cold site is an alternate facility that is not furnished and equipped for operation.
Proper equipment and furnishings must be installed before operations can begin, and
substantial time and effort is required to make a cold site fully operational. Cold sites
are the least expensive option and may take a week or more to become operational from
a computing and data processing point of view.

2. Warm site is an alternate facility that is electronically prepared and almost completely
equipped and furnished for operation. It can be fully operational within several hours.
Warm sites are more expensive than cold sites. The data in the warm sites is not mirrored
online in real-time but is copied periodically, like every 5 hours or once a day at 6 pm. The
processing capabilities are also limited and reserved for the most mission-critical
functions that support the core operations.



3. Hot site is a duplicate of the original site of the organization, with full computer systems
as well as near-complete backups of user data. Real time synchronization between the
actual and hot sites may be used to completely mirror the data environment of the
original site using wide area network links and specialized software. Following a disruption
to the original site, the hot site exists so that the organization can relocate with minimal
losses to normal operations. Ideally, a hot site will be up and running within a matter of
hours or even less. Personnel may still have to be moved to the hot site, so it is possible
that the hot site may be operational from a data processing perspective before staff has
relocated. The capacity of the hot site generally matches the capacity of the original site.
This type of backup site is the most expensive to operate. Hot sites are popular with
organizations that operate real time processes such as financial institutions, government
agencies and ecommerce providers.

When considering the type of alternate facility, consider all factors, including threats and
risks, maximum allowable downtime and cost.

In this context the business managers and IT managers must calculate an acceptable
Recovery Time Objective (RTO). The RTO is a goal or an acceptable time in which it is
necessary to make a specific function or service available following an interruption. In
essence, the RTO represents the maximum amount of time before an organization is
negatively impacted by the interruption of one of its core business processes or functions.
For this reason, the task of establishing the recovery time objective must take place at the
business level and not at the systems (technology) level.

Recovery time objective (RTO) is therefore the key metric to determine the disaster recovery
(DR) level required to recover business processes and applications. RTO is inversely
proportional to the cost of disaster recovery: the closer RTO is to zero, the more expensive
BCP/DR provisioning will be.

For security reasons, some organizations employ hardened alternate sites. Hardened sites
contain security features that minimize disruptions. Hardened sites may have alternate power
supplies; back-up generation capability; high levels of physical security; and protection
from electronic surveillance or intrusion.

4. Readiness Procedures

Training


Business continuity plans can be smoothly and effectively implemented by:

■ Having all employees and staff briefed on the contents of the BCP and aware of their
individual responsibilities
■ Having employees with direct responsibilities trained for the tasks they will be required to
perform, and aware of other teams' functions

Exercises
After training, exercises should be developed and scheduled in order to achieve and
maintain high levels of competence and readiness. While exercises are time and resource
consuming, they are the best method for validating a plan.

Exercise complexity level can also be enhanced by focusing the exercise on one part of the
BCP instead of involving the entire organization.

Quality Assurance Techniques


Review of the BCP should assess the plan's accuracy, relevance and effectiveness. It should
also uncover which aspects of a BCP need improvement. Continuous appraisal of the BCP is
essential to maintaining its effectiveness. The appraisal can be performed by an internal
review, or by an external audit.

Internal review
It is recommended that organizations review their BCP:
■ On a scheduled basis (annually or bi-annually)
■ When changes to the threat environment occur;
■ When substantive changes to the organization take place; and
■ After an exercise to incorporate findings.

External audit
When auditing the BCP, consultants nominally verify:
■ Procedures used to determine critical services and processes
■ Methodology, accuracy, and comprehensiveness of continuity plans

Why BCP Plans Fail


Business continuity plans fail most often because of a lack of initial effort and subsequent
commitment; this is largely due to the fact that developing and implementing BCPs can be
an arduous and politically sensitive project.



The BCP planning team must have a penchant for detail and the fortitude to follow through
with the requisite testing and documentation of alternative recovery scenarios. It must move
across organizational boundaries, eliciting cooperation from the various groups that will
eventually rely on each other in disaster situations. It must regularly update and test the BCP.
And throughout this process the team depends on the ongoing commitment of company
resources. If this breaks down, a business continuity plan is exposed to potential failure.
Points of BCP failure include:

1. A one-size-fits-all solution. The traditional one-size-fits-all solution typically relies on small
recovery teams (often 20 percent of staff) for a short period of time, or requires clustering
leadership in a single location to achieve economies of scale. This cannot be counted on.

2. Deficiencies in the tests. Organizations that spend the time, effort and expense to
construct BCPs but do not test them are not managing their investments wisely. Most
likely, these firms will not be able to successfully enact their BCPs when a crisis begins.
Merely documenting a plan does not guarantee success. To ensure usability, a BCP must be
diligently, comprehensively and consistently tested. Live testing trains the staff. When a
crisis ensues, staff members who have been through the tests are prepared to act with
confidence.

3. Inadequate maintenance. To prepare for a roadside emergency means more than
carrying a spare tire; it means checking the tire regularly to make sure it is inflated. The
same holds true for BCPs. Without adequate and aggressive maintenance, BCPs become
obsolete, sometimes within months. In organizations that use cutting-edge
technologies or have high employee turnover, the recovery after a major
disaster could stumble if plans are not kept up to date. And even stagnant
businesses constantly undergo process changes, involving new products and
reengineering.

These changes must be addressed within the BCP process; alternative business
operation and backup sites should be evaluated to assess functionality and
compatibility with the BCP plan.

4. Lack of senior management involvement. A BCP project will not get off the ground
without backing from the company leaders. Support from the top can eliminate
resistance to the tedious tasks of testing and maintaining BCPs. Senior
management must mandate enterprise wide compliance. BCP coordinators need to know
they are empowered to work with line managers to protect the organization.

5. No enterprise wide accountability and coordination. A lack of accountability creates
varying levels of preparedness among business units, putting the entire organization at risk.
Organizations must establish a visible and prominent unit to coordinate the enterprise wide
effort. Whether in the form of a project management office or a group with a full-time senior
manager and support staff, a single point of accountability is imperative for success.

6. Operations take a backseat to technology. When the BCP is a technical project rather
than a business wide initiative, it becomes confused with a disaster recovery plan (DRP).
Technologists hired as experts for DRPs often do not understand the spirit and risks
involved in managing a business, and such an understanding is imperative when designing
a BCP.

When developing a BCP, the placement of technology first results in an ineffective plan.
The plan will address technology issues but neglect human resources-related and business
process-related matters that are crucial to operating as close to normal as possible when
business is interrupted. Business unit management must be directly and actively involved
with the BCP in order to protect their franchises from events that threaten the business,
not just the business technologies.

7. No clear leadership structure or management contingency plans. Just as a BCP relies
on the redundancy of data collection, the skills and knowledge of the staff must also get
backed up. A clearly defined responsibility structure must be developed and implemented.
This includes active and detailed cross-training programs for all critical executive positions,
including the director of business continuity planning. While centrally managing the
common infrastructure and enterprise wide coordination of the BCP, organizations must
also distribute business-related continuity responsibilities to the departmental or unit
levels to assure a redundancy of knowledge and response.

8. Rash cost-reduction campaigns that eliminate the BCP. In today's economic recovery,
an organization is cutting expenses and looking to bolster its bottom line. Typically, the
first places to look for rightsizing are support services or overhead units. By definition,
BCP is not a revenue producing area. At best, the most progressive organizations view it
as revenue protection. Therefore, companies forced to shed expenses often slash funding
for BCP initiatives. These companies are gambling that the financial gains of cutting
overheads outweigh the heightened risk of not having the protection, at least for the
short term.

International Standards of IT Security

In the wake of globalization and the network economy, electronic financial
transactions (EFT) have become common and a necessity. The changing
face of business and commerce has increased the dependence on
technology and networks. Consequently the need for making and keeping
them secure has also increased manyfold. Business partners may be located
in different parts of the world and therefore it is important to have common
rules and standards of data and systems security. Use of standards-
compliant security provides the best assurance of high quality, strong
security for IT infrastructure, conforming to legal requirements and
standards of due care. A few of the organizations responsible for setting
security standards for the world include ANSI (American National
Standards Institute) and ISO/IEC (International Standards Organization /
International Electro-technical Commission). Some international
security standards are discussed below.
ISO/IEC 27001
Information Security Management System (ISMS)

ISO/IEC 27001, a part of the growing ISO/IEC 27000 family of standards, is an
Information Security Management System (ISMS) standard published in October 2005
by the International Organization for Standardization (ISO).

ISO/IEC 27001 formally specifies a management system that is intended to bring
information security under explicit management control. Being a formal specification
means that it mandates specific requirements. Organizations that claim to have
adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with
the standard.

ISO/IEC 27001 aims to ensure that adequate controls addressing confidentiality,
integrity and availability of information are in place to safeguard the information of
interested parties. These include customers, employees, trading partners and the
needs of society in general.

Unprotected systems are vulnerable to all kinds of threats, such as computer-
assisted fraud, sabotage and viruses. These threats can be internal or external, and
either accidental or malicious. Breaches in information security can allow vital
information to be accessed, stolen, corrupted or lost. An information security
management system compliant with ISO/IEC 27001 helps demonstrate to trading
partners and customers alike that the organization takes information security seriously.

ISO/IEC 27001 requires that management:

A. Systematically examine the organization's information security risks, taking
account of the threats, vulnerabilities and impacts;
B. Design and implement a coherent and comprehensive suite of information
security controls and/or other forms of risk treatment (such as risk avoidance or
risk transfer) to address those risks that are deemed unacceptable; and
C. Adopt an overarching management process to ensure that the information
security controls continue to meet the organization's information security needs on
an ongoing basis.

Accredited certification to ISO/IEC 27001 is a powerful demonstration of an
organization's commitment to managing information security and can be a
competitive advantage.

PCI Security Standards Organization

The PCI DSS (Payment Card Industry Data Security Standard), a set of comprehensive
requirements for enhancing payment account data security, was developed by the founding
payment brands of the PCI Security Standards Council, including American Express,
Discover Financial Services International, MasterCard Worldwide and Visa Inc.
International, to facilitate the broad adoption of consistent data security measures on a
global basis.

The PCI DSS is a multifaceted security standard that includes requirements for security
management, policies, procedures, network architecture, software design and other
critical protective measures. This comprehensive standard
is intended to help organizations proactively protect customer account data.

The PCI Security Standards Council is responsible for enhancing the PCI DSS as needed
to ensure that the standard includes any new or modified requirements necessary to
mitigate emerging payment security risks, while continuing to foster wide-scale
adoption.

To be PCI compliant, companies must fulfill 12 requirements for best security practices,
including the use of a firewall between wireless networks and their cardholder data
environment, use of the latest security and authentication mechanisms such as WPA/WPA2,
and use of a network intrusion detection system.

Risk Management & Mitigation

Risk is the potential harm that may arise from some current process or from some
future event. Risk is present in every aspect of our lives and many different disciplines
focus on risk as it applies to them. From the IT security perspective, risk management is
the process of understanding and responding to factors that may lead to a failure in the
confidentiality, integrity or availability of an information system/IT infrastructure. IT
security risk is the harm to a process or the related information resulting from some
purposeful or accidental event that negatively impacts the process or the related
information.

Managing IT risk is part of running any business these days. Regardless of the
business, understanding IT risk helps increase network security, reduce management
costs and achieve a stronger compliance posture.

Failure to identify, assess and mitigate IT risk sets the business up for serious security
breaches and financial losses down the road. And those who think managing IT risk is
the job solely of the IT staff are in for a big shock.

Companies make considerable investments in people, processes and technology to
ensure their businesses run smoothly. Understanding the relationships and levels of
risk among these vital assets is imperative if businesses want to increase network
security, streamline compliance and reduce overall IT costs. The challenge for most
companies is to identify a repeatable process to identify, assess and remediate IT risk
without interrupting their business activities.

Today's IT risk environment is more threatened than ever thanks to the growth in
sophisticated malware attacks and security vulnerabilities, with Web 2.0 (the new
generation of Internet with more powers to users) adoption adding new layers of IT
risk. Regulations continue to increase, placing additional costs on organizations to
meet these new requirements. Organizations need an intelligent approach when it
comes to assessing IT risk and managing compliance. IT risk can be defined as any
threat to the information technology, data, critical systems and business processes.

Management has a responsibility to identify areas of control weakness and respond in
a timely fashion to these by improving processes, augmenting controls and even
reducing the cycle time between control testing to ensure that the organization is
properly identifying and responding to IT risks.


However, labor and cost constraints mean that organizations can't mitigate all risks
simultaneously. There is always some degree of residual risk (risk that remains after all
efforts), either unidentified or known but unmitigated. The problem is that many
organizations don't understand that managing their IT risk - from the shop floor to
the boardroom - is critical to business success. The inherent risks in IT show up in
complex and subtle ways making IT risk management a difficult concept to
communicate and manage effectively.

By aggregating and reporting on the impact of security risks within IT and
understanding how these risks impact the business, security professionals can become
an integral part of the business decision-making process and help guide the organization
to a more risk-aware culture.

According to a 2009 survey of 280 audit committee members conducted by KPMG, IT
risk is a key area of concern. Alarmingly, 45 percent said they are only somewhat
satisfied with their oversight of IT risk, and 42 percent said they are only somewhat
satisfied with the quality of information they receive on IT risks. This shows a significant
gap in the communication of risks between executive management and the IT function.

It is critical to the IT risk management process that executives are informed of threats,
assist in assessing the business impact these risks pose, and sign off on the risk position.
Only when IT and the executives are aligned in the identification, assessment and
remediation of IT risk can a company achieve higher levels of security and compliance.

Why Is It Important to Manage Risk?

The principal reason for managing risk in an organization is to protect the mission and
assets of the organization. Therefore, risk management must be a management function
rather than a technical function.

It is vital to manage risks to systems. Understanding risk, and in particular understanding
the specific risks to a system, allows the system owner to protect the information system
commensurate with its value to the organization. The fact is that all organizations have
limited resources and risk can never be reduced to zero. So, understanding risk, especially
the magnitude of the risk, allows organizations to prioritize scarce resources.

How Is Risk Assessed?

Risk is assessed by identifying threats and vulnerabilities, then determining the
likelihood and impact for each risk. Unfortunately risk assessment is a complex
undertaking, usually based on imperfect information, and there are many methodologies
aimed at allowing risk assessment to be repeatable and give consistent results. In
general, risk assessment methods may be divided into the following two types:

Quantitative Risk Assessment

Quantitative risk assessment draws upon methodologies used by institutions
and insurance companies. By assigning values to information systems, business
processes, recovery costs, etc., impact and risk can be measured in terms of
direct and indirect costs.
While utilizing quantitative risk assessment seems straightforward and logical, there are
issues with using this approach with information systems. While the cost of a system
may be easy to define, the indirect costs, such as value of the information, lost
production activity and the cost to recover is imperfectly known at best. Moreover, the
other major element of risk, likelihood (or probability of occurrence), is often even less
perfectly known. For example, what is the likelihood that someone will use social
engineering to gain access to a user account on the accounting system?

Qualitative Risk Assessment



Qualitative risk assessments assume that there is already a great degree of uncertainty
in the likelihood and impact values and defines them, and thus risks, in somewhat
subjective or qualitative terms. Similar to the issues in quantitative risk assessment, the
great difficulty in qualitative risk assessment is defining the likelihood and impact
values. Moreover, these values need to be defined in a manner that allows the same
scales to be consistently used across multiple risk assessments.

The results of qualitative risk assessments are inherently more difficult to concisely
communicate to management. Qualitative risk assessments typically give risk results of
"High", "Moderate" and "Low". However, by providing the impact and likelihood
definition tables and the description of the impact, it is possible to adequately
communicate the assessment to the organization's management.
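The two approaches described above can be run over one constructed risk register to see where they agree and where they do not. The following is an added example, not code from the reference book: it assumes the common annualized loss expectancy model for the quantitative side (single loss expectancy = asset value x exposure factor; ALE = SLE x annualized rate of occurrence), and a pair of likelihood and impact definition tables plus a 3x3 matrix for the qualitative side. The sample risks, rupee values and thresholds are constructed for illustration only.

```python
"""Quantitative and qualitative assessment of the same IT risks.

Added worked example, not code from the reference book. The ALE = SLE x ARO
model, the level tables and the 3x3 matrix are common-practice assumptions;
the sample risks and figures are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair against one asset (constructed data)."""
    name: str
    asset_value: float      # replacement plus recovery cost of the asset, in rupees
    exposure_factor: float  # fraction of asset_value lost in a single incident (0..1)
    aro: float              # annualized rate of occurrence; 0.5 = about once in two years


# --- Quantitative: express impact and likelihood in money -------------------
def single_loss_expectancy(risk: Risk) -> float:
    """SLE: expected loss from one occurrence of the risk."""
    return risk.asset_value * risk.exposure_factor


def annualized_loss_expectancy(risk: Risk) -> float:
    """ALE: expected loss per year; comparable across risks, so it can rank them."""
    return single_loss_expectancy(risk) * risk.aro


# --- Qualitative: map the same inputs onto published level tables -----------
# Each table is a list of (inclusive upper bound, level). Publishing these
# tables with the assessment is what keeps "High"/"Moderate"/"Low" comparable
# across assessments and explainable to management.
LIKELIHOOD_TABLE = [(0.1, "Low"), (1.0, "Moderate"), (float("inf"), "High")]        # keyed on ARO
IMPACT_TABLE = [(500_000, "Low"), (5_000_000, "Moderate"), (float("inf"), "High")]  # keyed on SLE

# Risk matrix: (likelihood level, impact level) -> overall rating.
RISK_MATRIX = {
    ("Low", "Low"): "Low",        ("Low", "Moderate"): "Low",           ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low",   ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate",  ("High", "Moderate"): "High",         ("High", "High"): "High",
}


def level(value: float, table) -> str:
    """Return the first level whose upper bound is not exceeded by value."""
    for upper, name in table:
        if value <= upper:
            return name
    raise ValueError("table must end with an unbounded level")


def qualitative_rating(risk: Risk) -> str:
    likelihood = level(risk.aro, LIKELIHOOD_TABLE)
    impact = level(single_loss_expectancy(risk), IMPACT_TABLE)
    return RISK_MATRIX[(likelihood, impact)]


def assess(risks) -> list:
    """Both views for every risk, ordered by ALE so scarce budget goes to the top rows."""
    rows = [
        {
            "name": r.name,
            "sle": single_loss_expectancy(r),
            "ale": annualized_loss_expectancy(r),
            "likelihood": level(r.aro, LIKELIHOOD_TABLE),
            "impact": level(single_loss_expectancy(r), IMPACT_TABLE),
            "rating": qualitative_rating(r),
        }
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


# Constructed sample register for a bank; values are illustrative only.
SAMPLE_RISKS = [
    Risk("Core banking database outage (hardware failure)", 20_000_000, 0.25, 0.5),
    Risk("Social engineering of an accounting-system user", 2_000_000, 0.5, 2.0),
    Risk("Card skimmer fitted to a branch ATM", 800_000, 1.0, 0.05),
    Risk("Theft of an encrypted staff laptop", 150_000, 1.0, 1.0),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS):
        print(f'{row["name"]:<52} ALE={row["ale"]:>12,.0f}  '
              f'{row["likelihood"]}/{row["impact"]} -> {row["rating"]}')
```

Sorting by ALE puts the database outage first, while the qualitative matrix rates the social-engineering risk "High" and the outage only "Moderate". The two views differ because the qualitative scale coarsens the likelihood figure, which is exactly the value the text says is least well known. Printing the definition tables alongside the ratings is what lets management understand such a difference.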

Some Common Risk Assessment/Management Methodologies

There are numerous risk assessment/management methodologies and tools. The
following methodologies are the major ones for managing risks in information
systems:

National Institute of Standards & Technology (NIST) Methodology

NIST methodology is the US Federal Government's standard. This methodology is
primarily designed to be qualitative and is based upon skilled security analysts working
with system owners and technical experts to thoroughly identify, evaluate and manage
risk in IT systems. The process is extremely comprehensive, covering everything from
threat-source identification to ongoing evaluation and assessment. The NIST
methodology consists of 9 steps.

OCTAVE®
The Software Engineering Institute (SEI) at Carnegie Mellon University developed the
Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) process. The
main goal in developing OCTAVE is to help organizations improve their ability to
manage and protect themselves from information security risks. OCTAVE is workshop-
based rather than tool-based. This means that rather than including extensive security
expertise in a tool, the participants in the risk assessment need to understand the risk
and its components. The workshop-based approach espouses the principle that the
organization will understand the risk better than a tool and that the decisions will be
made by the organization rather than by a tool.

FRAP
FRAP is The Facilitated Risk Assessment Process. It is based upon implementing risk
management techniques in a highly cost-effective way. FRAP uses formal qualitative
risk analysis methodologies using Vulnerability Analysis, Hazard Impact Analysis, Threat
Analysis and Questionnaires. Moreover, FRAP stresses pre-screening systems and only
performing formal risk assessments on systems when warranted. Lastly, FRAP ties risk
to impact using the Business Impact Analysis as a basis for determining impact.
COBRA
The Consultative, Objective and Bi-functional Risk Analysis (COBRA) takes the approach
that risk assessment is a business issue rather than a technical issue. It consists of
tools that can be purchased and then utilized to perform self-assessments of risk,
while drawing on the expert knowledge embedded in the tools.

Risk Mitigation Strategies

Mitigation
Mitigation is the most commonly considered risk management strategy. Mitigation
involves fixing the flaw or providing some type of compensatory control to reduce the
likelihood or impact associated with the flaw. For example, a common mitigation for a
software security flaw is to install a patch provided by the vendor.

Transference
Transference is the process of allowing another party to accept the risk on the
company's behalf. This is common in personal lives also. Car, health and life insurance
are all ways to transfer risk. In these cases, risk is transferred from the individual to the
insurance company. Note that this does not decrease the risk likelihood or fix any
flaws, but it does reduce the overall impact (primarily financial) on the organization.

Acceptance
Acceptance is the practice of simply allowing the system to operate with a known risk.
Many low risks are simply accepted. Risks that have an extremely high cost to mitigate
are also often accepted. IT managers must ensure that this strategy is in writing and
accepted / signed by the manager(s) making the decision. Often risks are accepted
that should have been mitigated, and then when the penetration occurs, the IT security
personnel are held responsible. Typically, business managers, not IT security personnel, are
the ones authorized to accept risk on behalf of an organization.

Avoidance
Avoidance is the practice of removing the vulnerable aspect of the system or even the
system itself at times. The idea is to avoid the risk by eliminating the risk cause and/or
consequence, e.g., forgo certain functions of the system or shut down the system
when risks are identified. Another example can be a project where the team
changes the project plan to eliminate the risk or to protect the project objectives from
its impact. The team can achieve this by changing scope, adding time, or adding
resources.
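The four treatment strategies above, applied to a constructed risk register, as an added example that is not part of the reference book. It assumes a simple exposure measure (likelihood x impact, in rupees) so that the residual risk left by each treatment can be compared and reported to management: mitigation lowers likelihood, transference lowers the organization's share of the impact without touching likelihood, avoidance removes the event, and acceptance leaves the risk unchanged but is refused unless a named business manager from an assumed approver list signs with a written rationale. The register entries, approver names and figures are constructed.

```python
"""Risk treatment register: mitigate, transfer, accept or avoid, and what is left.

Added worked example, not code from the reference book. The register, the
likelihood x impact exposure measure, the approver list and the figures are
constructed assumptions; the sign-off rule for acceptance follows the text's
advice that acceptance is recorded in writing and authorized by a business
manager rather than by IT staff.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional


class Treatment(Enum):
    MITIGATE = "mitigate"   # fix the flaw or add a compensating control
    TRANSFER = "transfer"   # insurance or contract: another party carries the cost
    ACCEPT = "accept"       # operate with the known risk, in writing
    AVOID = "avoid"         # remove the vulnerable function or the system itself


@dataclass(frozen=True)
class RiskItem:
    name: str
    likelihood: float   # probability of at least one occurrence per year
    impact: float       # loss per occurrence, in rupees (constructed)

    @property
    def exposure(self) -> float:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Decision:
    treatment: Treatment
    likelihood_reduction: float = 0.0   # MITIGATE: share of likelihood removed (0..1)
    impact_covered: float = 0.0         # TRANSFER: share of the loss the other party pays
    accepted_by: Optional[str] = None   # ACCEPT: business manager who signed
    rationale: str = ""                 # ACCEPT: written justification


# Assumed list of business managers authorized to accept risk for the organization.
BUSINESS_APPROVERS = frozenset({"Head of Retail Banking", "Chief Operating Officer"})


def may_accept(signatory: str) -> bool:
    """Only business managers on the approver list may accept risk; IT staff may not."""
    return signatory in BUSINESS_APPROVERS


def apply_treatment(risk: RiskItem, decision: Decision) -> RiskItem:
    """Return the residual risk after the chosen treatment."""
    t = decision.treatment
    if t is Treatment.MITIGATE:
        # A patch or compensating control lowers the chance of the flaw being used.
        return replace(risk, likelihood=risk.likelihood * (1 - decision.likelihood_reduction))
    if t is Treatment.TRANSFER:
        # Insurance does not fix the flaw: likelihood is unchanged, only the
        # financial impact borne by the organization shrinks.
        return replace(risk, impact=risk.impact * (1 - decision.impact_covered))
    if t is Treatment.AVOID:
        # The vulnerable function or system is gone, so the event cannot occur.
        return replace(risk, likelihood=0.0)
    if t is Treatment.ACCEPT:
        if not decision.rationale or not decision.accepted_by or not may_accept(decision.accepted_by):
            raise ValueError(f"{risk.name}: acceptance needs a written rationale signed by an "
                             f"authorized business manager")
        return risk
    raise ValueError(f"unknown treatment {t}")


def treatment_report(register) -> dict:
    """Inherent vs residual exposure per risk plus totals, for reporting to management."""
    rows, inherent, residual = [], 0.0, 0.0
    for risk, decision in register:
        after = apply_treatment(risk, decision)
        rows.append({"name": risk.name, "treatment": decision.treatment.value,
                     "inherent": risk.exposure, "residual": after.exposure})
        inherent += risk.exposure
        residual += after.exposure
    return {"rows": rows, "inherent_total": inherent, "residual_total": residual}


# Constructed register: (risk, decision) pairs.
SAMPLE_REGISTER = [
    (RiskItem("Unpatched flaw in Internet banking web server", 0.6, 4_000_000),
     Decision(Treatment.MITIGATE, likelihood_reduction=0.9)),
    (RiskItem("Fire in primary data centre", 0.02, 50_000_000),
     Decision(Treatment.TRANSFER, impact_covered=0.8)),
    (RiskItem("Legacy reporting tool with weak authentication", 0.3, 100_000),
     Decision(Treatment.ACCEPT, accepted_by="Head of Retail Banking",
              rationale="Replacement due next year; tool is read-only and internal")),
    (RiskItem("Anonymous FTP upload on public server", 0.5, 1_000_000),
     Decision(Treatment.AVOID)),
]

if __name__ == "__main__":
    report = treatment_report(SAMPLE_REGISTER)
    for row in report["rows"]:
        print(f'{row["name"]:<48} {row["treatment"]:<9} '
              f'{row["inherent"]:>12,.0f} -> {row["residual"]:>10,.0f}')
    print(f'total exposure {report["inherent_total"]:,.0f} -> residual {report["residual_total"]:,.0f}')
```

The report is the artefact the text asks for: the residual total is what remains after all treatments (the unidentified part is, by definition, not in the register), and the accepted row carries the signatory's name so that responsibility is recorded before any incident rather than assigned afterwards.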


Professionalism and Ethical Standards

IT plays a pivotal role in making information available to anyone, anywhere, and
anytime. IT is a gateway to information; however, the gateway is controlled
and managed by people. Therefore, proper management of information
depends upon how IT and human resources are managed. Every business is engaged
in exchanging goods and services and employing human resources in the process.
Businesses on the Internet and in IT are no different in this respect from other non-IT
based business settings. Both face the same ethical problems and share the same
ethical difficulties. Nonetheless, special IT ethical problems arise in e-business. One
important consideration about IT, in addition to whether or not it benefits
organizations economically, is how it is transforming the social domain, specifically the
ethical dimension.

Ethical dilemmas usually arise from a clash between competing goals, responsibilities,
and loyalties. Since information technology is ever evolving and can be devious in
unanticipated ways, the definition of ethics in regard to IT continues to develop. New
technology creates a new condition leading to revised ethics policy.

Since information is generated by processing data, information management begins
with managing data. This includes why, what, and how data are collected, how data
are processed and stored, and eventually how they are used. An ethical attitude is
critical. Many IT jobs were once purely technical, sheltered in the back room. Because
of collaborative business and the pervasiveness of IT, those roles are now far broader
than imagined 10 or 20 years ago. One of the key dimensions in using IT is
understanding its ethical implications. Examples of questionable IT use include copying
software without a proper license and searching organizational databases for sensitive
information without authority. Outright criminal behavior includes knowingly collecting,
buying, and selling inaccurate information, creating viruses to disrupt computing
services, hacking into computers to steal information, and intentionally destroying
computing resources and data.

Businesses collect data for a variety of reasons: for marketing forecasts and user
preferences, for measuring user satisfaction, for measuring employee performance, and
so on. In most instances, individual consent is required before collecting the data,
while providing the reasons for doing so. The data collected should be relevant to
these reasons and should not violate anyone's privacy. How data are collected needs
closer attention; individual consent is a prerequisite. People should know if and how
they are being observed to obtain information.

Transforming data into information is the next critical process since it directly affects
the accuracy of information. Compromising accuracy in processing data is unethical.
How and where data are stored requires special attention since data need protection
from unauthorized access. Finally, how data are used and presented is extremely
important. As with collection, data should be used only for the intended purpose. For
example, a lender using data to determine a credit rating should interpret the
information accurately and assess it carefully. Carelessness may hurt either the
borrower or the lender.

The key to building an ethical environment in information-driven organizations is
proper management of information technology. Establishing proper firewalls to protect
data should be viewed as an important obligation that protects the right of people to
have their information secure, and as an investment, not just another expense. An
ethical dilemma is created when management tries to minimize expenses on one hand
and protect privacy on the other. This is not new; organizations faced a similar dilemma in
the non-IT era as well. For example, in earlier industrial times businesses were
faced with controlling pollution for the welfare of society, but to boost profits,
they often took short cuts and compromised on meeting social goals.

Finally, when making organizational IT usage policies, the following should be kept
in mind in addition to technical considerations:

■ Refrain from devising policies that would unnecessarily create conflicts of
interests between individuals, organizations or communities, keeping the
concept of the common good supreme.
■ Safeguard the interests of stakeholders consistent with community
interests.
■ Policies must be consistent with the laws of the land; it is unwise
to ignore the legal context in which the organization operates.
■ Must honor the privacy and dignity of human values.

Summary

IT security generally consists in ensuring that an organization's hardware
and software resources are used only for the intended purposes. IT security
generally is comprised of five main goals: Integrity, Confidentiality,
Non-repudiation, Authentication and Authorization. It is easy to confuse the
mechanism of authentication with that of authorization. Authentication is the
mechanism whereby systems may securely identify their users. Authorization, by
contrast, is the mechanism by which a system determines what level of access a
particular authenticated user should have to resources controlled by the
system. Organizations today operate in a global multi-enterprise
environment; consequently the role of information technology (IT) control and audit
has become critical. An Information Technology audit is an examination of the
checks and balances within an information technology (IT)
group/department/function. IT audits are a critical component of the regulatory
compliance process. An IT governance framework and supporting toolset
allows managers to bridge the gap between control requirements, technical
issues and business risks. ITIL is the most widely adopted approach for IT Service
Management in the world. It provides a practical framework for identifying, planning,
delivering and supporting IT services to the business. Business continuity refers to the
activities required to keep an organization running during a period of displacement or
interruption of normal operation. Risk is the potential harm that may arise from
some current process or from some future event. Managing IT risk is part of
running any business these days. Regardless of the business, understanding IT risk
helps increase network security, reduce management costs and achieve greater
compliance. The principal reason for managing risk in an organization is to protect the
mission and assets of the organization. Therefore, risk management must be a management
function rather than a technical function. In general, risk assessment methods
may be divided into the following two types: quantitative and qualitative. Mitigation is
the most commonly considered risk management strategy. Other risk treatment techniques
are Transference, Acceptance and Avoidance.


Reference Links

This chapter is developed using resources available at the following non-exhaustive list
of URLs:
http://www.duke.edu/~rob/kerberos/authvauth.html
http://www.sans.org/reading_room/whitepapers/recovery/introduction-business-continuity-planning_559
http://www.publicsafety.gc.ca/prg/em/gds/bcp-eng.aspx
http://www.altalsec.com/lnternational_Security_Standards.php


Part 10: IT Laws in Pakistan /
Regulatory Framework

In this part: ETO - Electronic Transactions Ordinance; Cyber
Crime Ordinance; Emerging card global standards; State Bank
penalties against non-compliance

IT Laws in Pakistan / Regulatory Framework
Learning Outcome By the end of this chapter you should be able to:
■ Recall the basics of 'Electronic Transactions Ordinances'
■ Recall the basics of cyber crime ordinance
■ Differentiate the various degrees of criminal offenses
■ Define emerging card global standards e.g. EMV and PCI/DSS
■ Identify the State Bank penalties against non-compliance

Cyber Crime

Cyber crime generally refers to criminal activity where a computer or
network is the source, tool, target, or place of a crime. These
categories are not exclusive and many activities can be characterized as
falling within one or more. Additionally, although the terms "computer
crime" and "cyber crime" are more properly restricted to describing
criminal activity in which the computer or network is a necessary part
of the crime, these terms are also sometimes used to include
traditional crimes, such as fraud, theft, blackmail, forgery, and
embezzlement, in which computers or networks are used. As the use of
computers has grown, computer crime has become a more important
and discussed issue in terms of its consequences and solutions.

Computer crime may include illegal access (unauthorized access), illegal
interception (by technical means of non-public transmissions of
computer data to, from or within a computer system), data interference
(unauthorized damaging, deletion, deterioration, alteration or
suppression of computer data), systems interference (interfering with
the functioning of a computer system by inputting, transmitting,
damaging, deleting, deteriorating, altering or suppressing computer
data), misuse of devices, forgery (ID theft), and electronic fraud, etc.

With the widespread use of computers, e-commerce and especially
networks and the Internet, it became necessary to form laws governing
the use of computer systems and frame policies and rules for their use.
"Cyber laws" or "Internet laws" are terms that encapsulate the legal
issues related to the use of communicative, transactional, and
distributive aspects of networked information devices and technologies.

Various laws in this category enforced in Pakistan include: The
Electronic Transaction Act, 1996; Electronic Transaction Ordinance,
2002; The Payment Systems and Electronic Fund Transfers Act,
2007; Prevention of Electronic Crimes Ordinance, Pakistan 2007;
Prevention of Electronic Crimes Ordinance, Pakistan 2008.

These are the laws under which communications, transactions,
information, records, and documents in electronic form are governed
over the Internet and to give accreditation to the electronic
transactions, information, records, communication and transactions as
valid pieces of evidence in correspondence.


The offences under these laws are non-bailable. Some salient features
of these laws are discussed in this chapter.

Prevention of Electronic Crimes Ordinance, 2008

Similar to the Prevention of Electronic Crimes Ordinance, 2007, the
2008 Ordinance was promulgated by the President of Pakistan. The
Prevention of Electronic Crimes Ordinance, 2008 extends to the whole
of Pakistan and applies to every person who commits an offence
under the said Ordinance irrespective of their nationality or citizenship
whatsoever or in any place outside or inside Pakistan, having a
detrimental effect on the security of Pakistan or its nationals, or
national harmony, or any property, or any electronic system or data
located in Pakistan, or any electronic system or data capable of being
connected, sent to, used by or with any electronic system in Pakistan.

The 2008 Ordinance gives exclusive powers to the Federal
Investigation Agency (FIA) of Pakistan to investigate and charge cases
against such crimes. Excessive powers given to the FIA have been criticized
by certain quarters of civil society and human rights activists.

The Ordinance covers provision for illegal and criminal acts such as
data access, data damage, system damage, electronic fraud, electronic
forgery, spamming, spoofing, cyber terrorism, etc.

Punishments under this Ordinance range from two years to the death
penalty. Selected offences and punishments according to this
Ordinance are mentioned below:

Criminal access:
Whoever intentionally gains unauthorized access to the whole or any
part of an electronic system or electronic device with or without
infringing security measures, shall be punished with imprisonment of
either description for a term which may extend to two years, or with a
fine not exceeding three hundred thousand rupees, or with both.

Criminal data access:
Whoever intentionally causes any electronic system or electronic
device to perform any function for the purpose of gaining
unauthorized access to data held in any electronic system or electronic
device, or on obtaining such unauthorized access, shall be punished with
imprisonment of either description for a term which may extend to three
years, or with a fine, or with both.

Data damage:
Whoever with intent to illegally gain or cause harm to the public or any
person, damages any data shall be punished with imprisonment of either
description for a term which may extend to three years, or with a fine, or with
both.

Electronic fraud:
Whoever for wrongful gain interferes with or uses any data, electronic
system or electronic device or induces any person to enter into a
relationship, or with intent to deceive any person, which act or omission
is likely to cause damage or harm to that person or any other person,
shall be punished with imprisonment of either description for a term
which may extend to seven years, or with a fine, or with both.

Electronic forgery:
Whoever for wrongful gain interferes with data, electronic system or
electronic device, with intent to cause damage or injury to the public
or to any person, or to make any illegal claim or title or to cause any
person to part with property or to enter into any express or implied
contract, or with intent to commit fraud by any input, alteration,
deletion, or suppression of data, resulting in unauthentic data with
the intent that it be considered or acted upon for legal purposes as if
it were authentic, regardless of the fact that the data is directly
readable and intelligible or not, shall be punished with imprisonment
for a term which may extend to seven years, or with a fine, or with
both.

Malicious code:
Whoever willfully writes, offers, makes available, distributes or
transmits malicious code through an electronic system or electronic
device, with intent to cause harm to any electronic system or resulting
in the incorporation, distribution, alteration, suppression, theft or loss
of data commits the offence of malicious code. Provided that the
provision of this section shall not apply to the authorized testing,
research and development or protection of an electronic system for
any lawful purpose. Whoever commits the offence shall be punished
with imprisonment of either description for a term which may extend
to five years, or with a fine, or with both.

Spamming:
Whoever transmits harmful, fraudulent, misleading, illegal or
unsolicited electronic messages in bulk to any person without the
express permission of the recipient, or causes any electronic system to
show any such message or is involved in falsified online user account
registration or falsified domain name registration for commercial
purpose commits the offence of spamming.

Spoofing:
Whoever establishes a website, or sends an electronic message with a
counterfeit source intended to be believed by the recipient or visitor
or its electronic system to be an authentic source with intent to gain unauthorized
access or obtain valuable information which later can be used for any
lawful purposes commits the offence of spoofing.

Electronic Transaction Ordinance, 2002

The approval and subsequent enforcement of the Electronic
Transaction Ordinance (ETO) in the country in 2002 paved the way for
Pakistan to compete in the electronic commerce arena. Such
ordinances are considered an essential prerequisite for e-commerce
growth in any country and are termed essential for IT development,
resulting in greater economic stability.

With e-commerce flourishing at a fast pace in the developed world
and at a reasonably fast pace in Pakistan, it is expected that a large
number of all business-to-business transactions will be carried out
electronically in the future. In fact, this is already happening now.
Small and medium-sized business enterprises are expected to be the
major beneficiaries as the costs of transactions are greatly reduced
when carried out electronically over the Internet.

International business partners used to be skeptical when doing
business with Pakistani firms as there were no laws in place in this
area. However, trading can now take place legally and safely as the
necessary laws to protect the interests of both the buyers and the
sellers in the process of electronic sales and purchases have been
included in the Electronic Transaction Ordinance.

The Pakistan Government passed the Electronic Transaction Ordinance
2001 (ETO) with the objective of recognizing and facilitating
documents, records, information, communications and transactions in
electronic form, and to provide for the accreditation of certification
service providers. Now, electronic information and communication,
along with appropriate procedures, have legal backing like any written
and signed documents. With the ETO in place, Pakistan has joined an
exclusive band of countries that provide the necessary framework and
an impetus for growth of electronic commerce in Pakistan.

Chapter 2 of the 2002 Ordinance, titled "Recognition and
Presumptions", presents the most important points. Selected extracts
from this Ordinance are reviewed below:

The law states, under "Legal recognition of electronic forms", that no
document, record, information, communication or transaction will be
denied legal recognition, admissibility, validity, proof or
enforceability on the grounds that it is in electronic form and has
not been attested by any witness.

The section on the "Requirement for writing" mentions that the
requirement under any law for any document, record, information,
communication or transaction to be in written form shall be deemed
satisfied where the document, record, information, communication or
transaction is in electronic form, provided the same is accessible so
as to be usable for subsequent reference.

In terms of the "Requirement for retention", the law states that the
requirement under any law that a certain document, record,
information, communication or transaction be retained shall be deemed
satisfied by retaining it in electronic form if the contents of the
document, record, information, communication or transaction remain
accessible so as to be usable for subsequent reference.

The law also provides legal recognition of electronic signatures by
stating that "the requirement under any law for affixation of
signatures shall be deemed satisfied where electronic signatures or
advanced electronic signatures are applied".

Chapter 8 of the Electronic Transaction Ordinance of 2002 lists the
offences and their punishments. Some offences, their descriptions and
punishments, as given in the Ordinance, are reproduced below:

Provision of false information by the subscriber

Any subscriber who provides information to a certification service
provider knowing such information to be false or not believing it to
be correct to the best of his knowledge and belief, or fails to bring
promptly to the knowledge of the certification service provider any
change in circumstances as a consequence whereof any information
contained in a certificate accepted by the subscriber or authorized by
him for publication or reliance by any person, ceases to be accurate
or becomes misleading, or knowingly causes or allows a certificate or
his electronic signatures to be used in any fraudulent or unlawful
manner, shall be guilty of an offence under this Ordinance.

The offender shall be punishable with imprisonment for a term not
exceeding seven years, or with a fine which may extend to ten million
rupees, or with both.

Issue of false certificate

Every director, secretary and other responsible officer, by whatever
designation called, connected with the management of the affairs of a
certification service provider, which:
(a) issues, publishes or acknowledges a certificate containing false or
misleading information;
(b) fails to revoke or suspend a certificate after acquiring knowledge
that any information contained therein has become false or
misleading;
(c) fails to revoke or suspend a certificate in circumstances where it
ought reasonably to have been known that any information contained
in the certificate is false or misleading;
(d) issues a certificate as an accredited certification service provider
while its accreditation is suspended or revoked;
shall be guilty of an offence under this Ordinance.

The offence described above shall be punishable with imprisonment for
a term not exceeding seven years, or with a fine which may extend to
ten million rupees, or with both.

Violation of privacy of information

Any person who gains or attempts to gain access to any information
system with or without intent to acquire the information contained
therein or to gain knowledge of such information, whether or not he
is aware of the nature or contents of such information, when he is not
authorized to gain access, as aforesaid, shall be guilty of an offence
under this Ordinance, punishable with imprisonment for a term not
exceeding seven years, or a fine which may extend to one million
rupees, or with both.

Damage to information system, etc.

Any person who does or attempts to do any act with intent to alter,
modify, delete, remove, generate, transmit or store any information
through or in any information system, knowing that he is not
authorized to do any of the foregoing, shall be guilty of an offence
under this Ordinance.

Also, any person who does or attempts to do any act with intent to
impair the operation of, or prevent or hinder access to, any
information contained in any information system, knowing that he
is not authorized to do any of the foregoing, shall be guilty of an
offence under this Ordinance.

The offences described above are punishable with imprisonment for a
term not exceeding seven years, or a fine which may extend to one
million rupees, or with both.

Information Technology in Financial Services | Referencel


Card Global Standards

Standards are vital if a technology, or any application of it, is to
become truly global and widespread. The same can be said about
payment cards. Different countries or regions initially developed their
own standards to be applicable in specific regions. However, with
globalization in general, a need arose to devise standards that could
be worldwide in application, so that financial transactions can be
performed securely and efficiently anywhere in the world.

Payment card industry security standards are developed and managed by
the PCI Security Standards Council (SSC). The Council comprises five
global payment brands: American Express, Discover Financial
Services, JCB International, MasterCard Worldwide and Visa. The
individual payment brands, not the Council, enforce compliance and
determine non-compliance penalties.

One of the first chip-based payment card standards was the Carte
Bancaire standard deployed in France in 1989. Geldkarte in Germany
also predates EMV. EMV was designed to allow cards and terminals to be
backwards compatible with these standards.

Carte Bancaire is a French term. The closest English language
translation would be "bank card". Carte Bancaire (CB) can be a debit
card, a credit card or a stored value card. It can be used in thousands
of locations (businesses, ATMs, Internet, etc) where the CB logo is
displayed. All the cards in France operate on a smart card basis ('chip
and PIN'), through the use of a microchip embedded in the card,
rather than a magnetic stripe. This is now standard across Europe,
but France was the first country to adopt the system.

Geldkarte is a stored value card or electronic cash system used in
Germany. It operates as an offline smart card for small payments at
things like vending machines and to pay for public transport or
parking tickets. The card is prepaid and funds are loaded onto the
card using ATMs or dedicated charging machines.

Here we discuss the two most widely used standards: Europay
MasterCard Visa (EMV) and the Payment Card Industry Data Security
Standard (PCI DSS).

Europay MasterCard Visa (EMV)

EMV stands for Europay, MasterCard and Visa, a global standard for
the interoperation of integrated circuit cards (IC cards or "chip
cards") and IC-capable point of sale (POS) terminals and automated
teller machines (ATMs), for authenticating credit and debit card
transactions. It began as a joint effort between Europay, MasterCard
and Visa to ensure security and interoperability so that Visa and
MasterCard cards could continue to be accepted everywhere.

EMVCo is the company, jointly owned by the participating payment
brands, that manages, maintains and enhances the EMV Integrated
Circuit Card Specifications.

EMVCo's main activities are to:

■ Ensure the compatibility and acceptance of chip cards
■ Develop an internationally recognized standard for chip-based
processing
■ Test and approve processes that evaluate compliance with the
standards

The EMV standards define the interaction at the physical, electrical,
data and application levels between IC cards and IC card processing
devices for financial transactions. There are standards based on
ISO/IEC 7816 for contact cards, and standards based on ISO/IEC
14443 for contactless cards.

ISO/IEC 7816 is a multi-part international standard broken into
fourteen parts. ISO/IEC 7816 Parts 1, 2 and 3 deal only with contact
smart cards and define the various aspects of the card and its
interfaces, including the card's physical dimensions, the electrical
interface and the communications protocols. ISO/IEC 7816 Parts 4, 5,
6, 8, 9, 11, 13 and 15 are relevant to all types of smart cards (contact
as well as contactless). They define the card's logical structure (files
and data elements), the various commands used by the application
programming interface for basic use, application management,
biometric verification, cryptographic services and application naming.
ISO/IEC 7816 Part 10 is used by memory cards for applications such
as pre-paid telephone cards or vending machines. ISO/IEC 7816 Part 7
defines a secure relational database approach for smart cards based
on SQL interfaces.

ISO/IEC 14443 is an international standard that defines the interfaces
to a "close proximity" contactless smart card, including the radio
frequency (RF) interface, the electrical interface, and the
communications and anti-collision protocols. ISO/IEC 14443 compliant
cards operate at 13.56 MHz and have an operational range of up to
10 centimeters (3.94 inches). ISO/IEC 14443 is the primary contactless
smart card standard being used for transit, financial, and access
control applications. It is also used in electronic passports and in the
FIPS 201 PIV card.

As already stated, the purpose and goal of the EMV standard is to
specify interoperability between EMV compliant IC cards and EMV
compliant payment terminals throughout the world. There are two
major benefits to moving to smart card-based payment systems:
improved security (with associated fraud reduction), and the
possibility of finer control over "offline" transaction approvals. One
of the original goals of EMV was to allow multiple applications to be
held on one card: for instance, a credit and a debit card application,
or an e-purse.

EMV chip card transactions improve security against fraud compared
to magnetic stripe card transactions, which rely on the holder's
signature and visual inspection of the card. The use of a PIN and
cryptographic algorithms provides authentication of the card to the
processing terminal and to the card issuer's host system. The
processing time is comparable to that of online magnetic stripe
transactions, in which communications delay accounts for the
majority of the time, while the cryptographic operations take
comparatively little time. This increased protection from fraud has
allowed banks and card issuers to push through a 'liability shift'
such that merchants are liable for fraud that results from transactions
on systems that are not EMV capable. For transactions in which an
EMV card is used, the cardholder is assumed to be liable unless they
can prove they were not present for the transaction, did not authorize
it, and did not inadvertently assist it through PIN disclosure.
How Do EMV Standards Affect Businesses?

The introduction of EMV standards brings many changes that affect
merchants around the world.

■ EMV standards improve the customer experience. Customer information
is protected by cryptographic algorithms, providing improved security
between chip cards and chip-reading terminals during transactions.

■ EMV standards can save merchants money. Since these standards
improve the security of transactions, transactions that follow EMV
standards can be subject to lower payment processing fees.

■ EMV standards reduce businesses' liability for fraudulent activity
from lost or stolen payment cards. Notably, in markets where the
liability shift had taken effect as of 2010, merchants without
EMV-compliant devices are fully liable for the cost of card fraud
directed at their business.

■ EMV standards allow merchants to process international payment
cards securely and efficiently.

What is the difference between EMV and PCI DSS?

EMVCo cooperates with other organizations to ensure a common
interpretation of the EMV standards. It also ensures that the
standards are integrated with other security standards, like PCI DSS.
However, EMV standards and PCI DSS are not the same thing.

■ EMV standards define the physical and electronic requirements for
chip cards and the terminals that read them. Their focus is the card
and the card-to-terminal transaction, not the cardholder data
associated with it.

■ PCI DSS focuses on the security of the cardholder data once a
transaction has been initiated. This includes the data that is stored,
processed or transmitted, and can involve multiple parties such as
merchants, service providers or data storage entities.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a
widely accepted set of policies and procedures intended to optimize
the security of credit, debit and cash card transactions and protect
cardholders against misuse of their personal information. The PCI DSS
was first released in December 2004 by the major card brands,
including Visa, MasterCard, Discover and American Express; since 2006
it has been maintained by the PCI Security Standards Council.

The PCI DSS specifies and elaborates on six major objectives.

First, a secure network must be maintained in which transactions can
be conducted. This requirement involves the use of firewalls that are
robust enough to be effective without causing undue inconvenience to
cardholders or vendors. Specialized firewalls are available for
wireless LANs, since these are highly vulnerable to eavesdropping and
attacks by malicious users. In addition, authentication data such as
personal identification numbers (PINs) and passwords must not rely on
defaults supplied by the vendor. Customers should be able to
conveniently and frequently change such data.

Second, cardholder information must be protected wherever it is
stored. Repositories with vital data such as dates of birth, mothers'
maiden names, Social Security numbers, phone numbers and mailing
addresses must be secure against hacking. When cardholder data is
transmitted over public networks, it must be encrypted in an
effective way. Encryption is important in all forms of credit card
transactions, but particularly in e-commerce conducted over the
Internet.

Third, systems should be protected against the activities of malicious
hackers by using frequently updated anti-virus software, anti-spyware
programs and other anti-malware solutions. All applications should be
free of bugs and vulnerabilities that might open the door to exploits
in which cardholder data could be stolen or altered. Patches offered
by software and operating system (OS) vendors should be installed
regularly to ensure the highest possible level of vulnerability
management.

Fourth, access to system information and operations should be
restricted and controlled. Cardholders should not have to provide
information to businesses unless those businesses believe that the
information is necessary to effectively carry out a transaction. Every
person who uses a computer in the system must be assigned a
unique and confidential identification name or number. Cardholder
data should be protected physically as well as electronically. Examples
include the use of document shredders, avoidance of unnecessary
paper document duplication, and locks and chains on dumpsters to
discourage criminals who would otherwise rummage through the
trash.

Fifth, networks must be constantly monitored and regularly tested to
ensure that all security measures and processes are in place, are
functioning properly, and are kept up-to-date. For example, anti-virus
and anti-spyware programs should be provided with the latest
definitions and signatures. These programs should scan all exchanged
data, all applications, all random-access memory (RAM) and all
storage media frequently if not continuously.

Sixth, a formal information security policy must be defined,
maintained, and followed at all times and by all participating entities.
Enforcement measures such as audits and penalties for non-compliance
may be necessary.

Summary

Cyber crime generally refers to criminal activity where a computer or
network is the source, tool, target, or place of a crime. Computer
crimes may include illegal access, illegal interception, data
interference, systems interference, misuse of devices, forgery and
electronic fraud, etc. Laws in this category enforced in Pakistan
include: Electronic Transaction Ordinance, 2002; Prevention of
Electronic Crimes Ordinance, 2007; Prevention of Electronic Crimes
Ordinance, 2008, etc.

Prevention of Electronic Crimes Ordinance 2008 covers provisions for
illegal and criminal acts such as data access, data damage, system
damage, electronic fraud, electronic forgery, spamming, spoofing,
cyber terrorism, etc. Punishments under this Ordinance range from
two years' imprisonment to the death penalty.

Electronic Transaction Ordinance 2002 (ETO) was passed with the
objective of recognizing and facilitating documents, records,
information, communications and transactions in electronic form, and
to provide for the accreditation of certification service providers.
After ETO, electronic information and communication, along with
appropriate procedures, have the same legal backing as any written
and signed document.

Card global standards are necessary for global business and commerce.
The two most widely used standards are Europay MasterCard Visa (EMV)
and the Payment Card Industry Data Security Standard (PCI DSS). EMV
standards and PCI DSS are not the same thing. EMV standards define the
physical and electronic requirements for chip cards; their focus is
the physical card, not the cardholder data associated with it. PCI DSS
focuses on the security of the cardholder data once a transaction has
been initiated. This includes the data that is stored, processed or
transmitted, and can involve multiple parties such as merchants,
service providers or data storage entities.
GLOSSARY

Acceptable use policy (AUP)
A set of rules applied by the owner, manager or administrator of a
computer system that restrict the ways in which the system may be used.

Acceptance (of risk)
A risk response planning technique that indicates that management
has decided not to change the project management plan to deal with a
risk, or is unable to identify any other suitable response strategy. A
managerial decision to accept a certain degree of risk, usually for
technical or cost reasons.

ACID test
A test a transaction processing system must pass. ACID (atomicity,
consistency, isolation, durability) is a set of properties that guarantee
that transactions are processed reliably.

Anti-virus policy
Policy that describes the measures taken by the organization to protect
its systems against viruses, Trojans and other malware. It also describes
the responsibilities of individuals, user departments and the IT function
to ensure that the ICT infrastructure is protected by effective anti-virus
systems.

Anti-virus software
Computer software designed to detect, protect and proactively safeguard
computer programs and data against malicious attacks by malware,
including viruses, worms etc.
Authentication
The act of confirming the truth of an attribute of a datum or entity. A
process to verify that someone is who they claim to be. This usually
involves a username and a password, but can include any other method
of demonstrating identity, such as a smart card, retina scan, voice
recognition or fingerprints.

Authorization
Finding out if the person, once identified, is permitted to have access.
The function of specifying access rights to resources, which is related to
information security and computer security in general and to access
control in particular.

Automatic Call Distribution (ACD)
A system that automatically distributes phone calls to a specific group of
agent work stations. Such systems are the backbone of any call center.

Automatic Teller Machine (ATM)
A computerized telecommunications device that provides the clients of a
financial institution with access to financial transactions in a public place
without the need for a cashier, human clerk or bank teller. ATMs are
known by various other names including cash point and automatic
banking machine.

Availability
Refers to the ability of the user community to access the system, whether
to submit new work, update or alter existing work, or collect the results
of previous work. If a user cannot access the system, it is said to be
unavailable. Generally, the term downtime is used to refer to periods
when a system is unavailable.
Avoidance (of risk)
The most effective way of managing risk. It means making a decision not
to enter into a new way of working or new project because of the
inherent risks this would introduce. While this may be a valid decision, it
can be hard to justify.

Backend database
A database that is accessed by users indirectly through an external
application rather than by application programming stored within the
database itself or by low level manipulation of the data (e.g. through SQL
commands). It stores data but does not include end-user application
elements such as stored queries, forms or reports.

Backup
Backup, or the process of backing up, is making and keeping copies of
data which may be used to restore the original after a data loss event.
Backup is usually a routine part of the operation of all large and small
businesses and even individual users.

Barcode
Collection of parallel vertical lines of variable thickness and spacing
representing a unique number identifying a specific product. Barcodes
are read using barcode readers employing a low power laser.

Biometric ATM
An ATM in which some biometric characteristic of a human being, such as
a fingerprint, is used as a means of authentication. Biometric
characteristics are used to reduce the chances of fraud and identity theft.

Bluetooth
A wireless technology that allows computers, phones and other devices to
talk to each other over short distances (up to 100 metres). Bluetooth uses
radio waves and is designed to be a secure and inexpensive way of
connecting and exchanging information between devices without cables.

Branchless banking
A broad concept in which banking services are offered to clients through a
variety of channels including ATMs, Internet, phone and mobile phone,
and through partnership with other businesses such as fuel stations,
retail chains and telecom companies.

Broadband
Refers to telecommunication in which a wide band of frequencies is
available to transmit information. Because a wide band of frequencies is
available, information can be multiplexed and sent on many different
frequencies or channels within the band concurrently, allowing more
information to be transmitted in a given amount of time.

Brochureware site
A business website whose content is very infrequently updated. Often the
site has been developed as a direct conversion of existing printed
promotional materials, rather than as an environment that encourages
repeat visits through constantly updated content that maintains visitors'
interest.

Bus topology
The simplest and cheapest network topology, which uses a common cable
to connect all computing devices. A single cable, the backbone, acts as a
shared communication medium that devices attach to or tap into with an
interface connector.
Business Continuity Planning (BCP)
Planning which identifies the organization's exposure to internal and
external threats and synthesizes hard and soft assets to provide effective
prevention and recovery for the organization, whilst maintaining
competitive advantage and value system integrity. It is also called
Business Continuity and Resiliency Planning (BCRP).

Business Impact Analysis (BIA)
An essential component of an organization's business continuance plan;
it includes an exploratory component to reveal any vulnerabilities, and a
planning component to develop strategies for minimizing risk. The result
of the analysis is a business impact analysis report, which describes the
potential risks and their impacts specific to the organization.

Business-to-business (B2B)
e-commerce model in which the buying, selling, transferring or
exchanging activity is performed between two businesses.

Business-to-consumer (B2C)
e-commerce model in which the buying, selling, transferring or
exchanging activity is performed between a business and a consumer.
Call center
A company maintained or third party facility to provide information and
support to callers calling to report complaints or seeking information.
Generally equipped with state-of-the-art technology to ensure single view
of each customer regardless of location and channel.
Card global standards
Payment card security standards are developed and managed by the PCI
Security Standards Council (SSC), while chip card interoperability
standards (EMV) are managed by EMVCo. Standards are developed to
ensure interoperability of IC cards around the world. Earlier national
standards include the Carte Bancaire standard deployed in France and
Geldkarte, a stored-value card or electronic cash system used in Germany.

Card Verification Value Code (CVVC)
A code that is used for credit or debit card transactions, providing
increased protection against credit card fraud.
Central processing unit
The heart of the computer, this is the component that actually executes
the instructions that process data.

Check 21
The Check Clearing for the 21st Century Act is a US Federal law that
allows the recipient of the original paper cheque to create a digital
version of the original cheque (called a "substitute cheque"), thereby
eliminating the need for further handling of the physical document.

Coaxial wire
Widely used cable for local area networks. Consists of copper or aluminum
wire wrapped with an insulating layer, typically of a flexible material with
a high dielectric constant, all of which is surrounded by a conductive
layer.

COBIT
A framework created for information technology (IT) management and IT
governance. It is a supporting toolset that allows managers to bridge the
gap between control requirements, technical issues and business risks. It
enables clear policy development and good practice for IT control
throughout organizations, emphasizes regulatory compliance and helps
organizations to increase the value attained from IT.
COBRA
The Consultative, Objective and Bi-functional Risk Analysis takes the
approach that risk assessment is a business issue rather than a
technical issue. It consists of tools that can be purchased and then
utilized to perform self-assessments of risk, while drawing on the
expert knowledge embedded in the tools.

Cold site
The most inexpensive type of backup site for an organization to
operate. It does not include backed up copies of data and information
from the original location of the organization, nor does it include
hardware already set up. The lack of hardware contributes to the
minimal startup costs of the cold site, but requires additional time
following the disaster to have the operation running at a capacity
close to that prior to the disaster.

Complaint management system
The set of processes of how organizations handle, manage, respond to
and report customer complaints. Also known as a conflict management
system, it is a set of procedures used in companies to address
complaints and resolve disputes. Can also refer to a computerized
system handling complaints.

Computer Telephony Integration (CTI)
A set of technologies for integrating and managing computers and
telephone systems. It enables the telephone system to display
information via the computer. A user with a CTI-enabled computer will
be able to dial the telephone, answer the telephone, and hang up the
telephone, all from their computer.

Consumer-to-consumer (C2C)
e-commerce model in which the buying, selling, transferring or
exchanging activity is performed between two consumers, for example
on auction sites.

Contact center
Also known as a customer interaction centre, the central point of any
organization from which all customer contacts are managed. It is
generally a part of the company's customer relationship management
(CRM).

Contactless payments
An application of NFC technology that is fast gaining popularity and is
an easy way to complete a transaction quickly and securely. The
payment process involves no physical contact between the consumer's
payment device (card, key-fob, mobile phone etc) and the physical
point of sale (POS) terminal.

Core banking
The business conducted by a banking institution with its retail and
small business customers. Many banks treat the retail customers as
their core banking customers.

Core banking solutions
Banking applications on a platform enabling a phased, strategic
approach that is intended to allow banks to improve operations,
reduce costs, and be prepared for growth.

Core banking systems
Back-end systems that process daily banking transactions and post
updates to accounts and other financial records. Core banking systems
typically include deposit, loan and credit-processing capabilities, with
interfaces to general ledger systems and reporting tools. In short, these
systems facilitate core banking functions.
Core router
The router which serves to transmit data between other routers in the
network.

Co-sourcing
A business practice where a service is performed by staff from inside an
organization and also by an external service provider.

Credit assessment system
Systems that help banks and lending organizations to avoid credit loss
and at the same time maximize business opportunities by enabling
them to make calculated, objective and swift risk decisions.

Credit bureau
A company that collects information from various sources and provides
consumer credit information on individual consumers for a variety of
uses. It is an organization providing information on individuals' borrowing
and bill paying habits. This helps lenders assess credit worthiness, the
ability to pay back a loan, and can affect the interest rate and other terms
of a loan.

Credit bureau check system
Systems that link banks with credit bureaus for the assessment of a loan
applicant's credit history and his borrowing and payments profile.

Cryptography
The practice and study of techniques for secure communication in the
presence of third parties (called adversaries). More generally, it is about
constructing and analyzing protocols that overcome the influence of
adversaries and which relate to various aspects of information security
such as data confidentiality, data integrity, and authentication.

Customer Relationship Management (CRM)
A strategy for managing a company's interactions with customers, clients
and sales prospects. It involves using technology to organize, automate
and synchronize business processes, principally sales activities, but also
those for marketing, customer service and technical support. The overall
goals are to find, attract and win new clients, and nurture and retain the
existing ones.

Customer services system
Term frequently used in the service management, service operations,
services marketing, service engineering and service design areas. A
configuration of technology and organizational networks designed to
deliver services that satisfy the needs, wants or aspirations of customers.
Cyber crime
Criminal activity where a computer or network is the source, tool, target,
or place of a crime.
Cyber crime ordinance
An ordinance passed by the government of Pakistan that covers provisions
for illegal and criminal acts such as data access, data damage, system
damage, electronic fraud, electronic forgery, spamming, spoofing, cyber
terrorism etc, with punishments ranging from two years' imprisonment to
the death penalty.
Data confidentiality
A security principle that ensures data privacy on the network system. It
ensures that the data will be kept secret and will be accessed only by
limited authorized users. It prohibits eavesdropping by unauthorized users.
Data mining The analysis step of the Knowledge Discovery in Databases (KKD) process
is the practice of discovering new patterns from large data sets involving
methods from statistics, artificial intelligence and database management.
Data network A data network is a system that transfers data between network access
points through data switching, system control and interconnection
transmission lines. Data networks are primarily designed to transfer data
only from one point to one or more points. This is in contrast to the
audio or voice network, which is often employed for both voice
communications and the transmission of data.
Data packet The fundamental unit of communication over a digital network. A packet
is also called a datagram, a segment, a block, a cell or a frame. When
data has to be transmitted, it is broken down into smaller & similar
structures of data - the packets.
Data Retention policy Policy describing how and for how long an organization's documents
must be retained. These documents include electronic and paper
documents both. This policy describes what gets deleted.

Data warehouse: A huge collection of data (internal and environmental, current and historic) designed to support management decision making. Data warehouses contain a wide variety of read-only data that present a coherent picture of business conditions at a single point in time. Smaller and more focused data warehouses are called data marts.

Digital Subscriber Line (DSL): A medium for transferring data over regular phone lines that can be used to connect to the Internet. A DSL circuit is much faster than a regular phone connection, even though the wires it uses are copper, as in a typical phone line.

Disaster Recovery Plan (DRP): The process an organization uses to recover access to the software and/or hardware that are needed to resume the performance of critical business functions after the event of either a natural disaster or a disaster caused by humans.

Domain Name System (DNS): A hierarchical distributed naming system for computers, services, or resources connected to the Internet. Most importantly, it translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.

Downtime: The duration of time during which a system and its services are not available for their designated function. Downtimes are undesirable and can be planned (for maintenance) or unplanned (the result of some accident).

Dynamic webpage: These pages contain "server-side" code, which allows the server to generate unique content each time the page is loaded.

Edge router: A router which connects end-users to the Internet, or a router that connects one network to another separate and independent network; edge routers are found at the network boundaries.

Electronic commerce (EC): The process of buying, selling, transferring or exchanging products, services and/or information via computer networks, including and especially the Internet.

Electronic Credit Information Bureau (eCIB): Software for monitoring credit reports. The State Bank of Pakistan monitors the software, and all financial institutions in Pakistan are required to have this software installed. The purpose of the Electronic Credit Information Bureau (eCIB) is to capture credit data and to provide online information on individual and corporate borrowers to the financial industry.

Electronic forgery: The misuse of computer networks, the internet, and various avenues within the online community in order to defraud potential victims of identity theft is classified as electronic or online forgery. It is quite common in the digital age, and can include the illegal and unlawful reproduction of endorsements in the form of electronic signatures in order to illicitly assume the identity of the victim of identity theft.

Electronic Transaction Ordinance (ETO): An ordinance passed by the government of Pakistan with the objective of recognizing and facilitating documents, records, information, communications and transactions in electronic form, and of providing for the accreditation of certification service providers.

Email: Electronic mail is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks.

Encryption: A coding technique in which the message is scrambled for security reasons using some mathematical functions before transmission so that anybody intercepting the message can't read it. The original message can only be decrypted by a genuine recipient having the valid key.

Enterprise resource planning (ERP): Integrates internal and external management information across an entire organization, embracing finance/accounting, manufacturing, sales and service, customer relationship management, etc. ERP systems automate this activity with an integrated software application. Its purpose is to facilitate the flow of information between all business functions inside the boundaries of the organization and to manage the connections to outside stakeholders.

Ethics: The rules of conduct recognized in respect to a particular class of human actions or a particular group, culture, etc. Also known as moral philosophy, a branch of philosophy that addresses questions about morality, that is, concepts such as good and evil, right and wrong, virtue and vice, justice and crime, etc.

Europay MasterCard Visa (EMV): A global standard for inter-operation of integrated circuit cards and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions. It is a joint effort between Europay, MasterCard and Visa to ensure security and global interoperability.

Free, Libre Open Source Software (FLOSS): Stands for Free, Libre Open Source Software. Signifies that a software is not only free of cost but also free to be modified, copied, improved and run for any purpose.

Freeware: Computer software that is made available free of charge, but which is copyrighted by its developer, who retains the rights to control its distribution, modify it and sell it in the future. It is typically distributed without its source code, thus preventing modification by its users. Freeware is usually distributed with a license that permits its redistribution to some extent.

Firewall: A device or set of devices, or a combination of hardware and software, designed to permit or deny network transmissions based upon a set of rules. It is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass. It adds a level of protection between a company's computer and the internet and prevents viruses and worms from entering the system.

FRAP: The Facilitated Risk Assessment Process is based upon implementing risk management techniques in a highly cost-effective way. FRAP uses formal qualitative risk analysis methodologies using Vulnerability Analysis, Hazard Impact Analysis, Threat Analysis and Questionnaires.

Governance: A tool utilized by organizations to keep large groups of people abreast of the state and function of information technology. Governance allows a democratic approach to running IT efficiently. Its primary function is to give non-IT personnel a chance to weigh in and democratically decide what priorities and standards IT will utilize.

Groupware: The term refers to software applications that are designed to help geographically dispersed groups of people work together towards one specific goal. It typically utilizes computer-networking capabilities to streamline communications and facilitate the sharing of data among all group members.

Hot site: A duplicate of the original site of the organization, with full computer systems as well as near-complete backups of user data. Real-time synchronization between the two sites may be used to completely mirror the data environment of the original site using wide area network links and specialized software. Following a disruption to the original site, the hot site exists so that the organization can relocate with minimal losses to normal operations.

Hub: A networking component which acts as a merging point of a network, allowing the transfer of data packets. In its simplest form, it works by repeating the data packets received via one port and making them available to all ports, therefore allowing data sharing between all devices connected to it.

Hyper text markup language (HTML): The predominant markup language for web pages and web sites. It defines the structure and layout of a Web document by using a variety of tags and attributes. A web browser reads HTML code and displays it accordingly on the computer screen.

Image based cheque processing: The processing and clearing of bank cheques converted into electronic images by scanning the paper-based traditional cheques.

Inbound call center: A call center that exclusively or predominantly handles inbound calls (calls initiated by the customers).

Information reach: The geographical area or the number of people who can receive a message determine the information reach. Inversely related to richness.

Information website: Websites that provide valuable information as their main commodity and attraction rather than selling a physical product.

Input device: Computer system peripheral devices used to input data into computers for processing and/or storage. The most popular input devices are the mouse, keyboard, microphone etc.

Insourcing: Also called contracting in; the delegation of operations or jobs from within a business to an internal (but 'stand-alone') entity that specializes in that operation. Insourcing is a business decision that is often made to maintain control of critical production or competencies.

Instant messaging: A form of real-time, mostly synchronous communication between two or more people based on typed text. The text is delivered via computers connected over a network such as the Internet. Instant messaging requires an instant messaging client that connects to an instant messaging service.

Interactive Voice Response (IVR): A technology that allows a computer to interact with humans through the use of voice and telephone keypad inputs. IVR allows customers to interact with a company's database via a telephone keypad or by speech recognition, after which they can service their own inquiries by following the IVR dialogue.

Interbank Funds Transfer (IBFT): A funds transfer system or mechanism in which most (or all) direct participants are financial institutions, particularly banks and other credit institutions. Transfers can be made between accounts of the same or different banks and are free from risks and delays.

Internet banking: A pure Internet bank exists entirely online and all transactions are done over the Internet. Internet banks basically give all the services of a traditional bank except that they don't have the physical structure of a bank. Additionally, it may also include the situation where the services of a traditional bank are also offered through the Internet.

Internet tool: Tools (software, services and utilities) that are required to manage, and to effectively and efficiently use, explore and harness the potential of, the Internet.

IT Audit: An examination of the management controls within an Information Technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.

IT audit framework: A set of rules, procedures, tools and techniques drawn from worldwide good practices to achieve the objectives of IT audit. The intention is to facilitate the management in the audit process and create a universally accepted methodology for all organizations.

Information richness: The amount of detail contained in a piece of textual, graphic, audio, or video information. More detail means more richness. Inversely related to reach.

ITIL: The Information Technology Infrastructure Library is a set of best-practice publications for IT service management. It gives detailed descriptions of a number of important IT practices and provides comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs. It is intended to be used in an 'adopt and adapt' manner, with individuals and organizations utilizing the elements of guidance which are useful, changing them to suit their specific needs, and applying the parts which are appropriate.

Liability management system: Also called asset-liability management system (ALM). A type of management information system (MIS) that takes input from other information systems, like the transaction processing systems, for managing the asset-liability relationship.

Local area network: A network of computers and other devices connected to each other by cable in a closed location, usually a room, a single floor of a building or all the computers in a small company.

Mainframe computers: A powerful multi-user computer capable of supporting many hundreds or thousands of users simultaneously. These are powerful computers used mainly by large organizations for critical applications.
Malicious code: The term describes any code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system. Malicious code describes a broad category of system security terms that includes attack scripts, viruses, worms, Trojan horses, backdoors and malicious active content.

Managed services: The practice of transferring day-to-day management responsibilities as a strategic method for improved effective and efficient operations. The person or organization that owns or has direct oversight of the organization or system being managed is referred to as the offerer or customer. The person or organization that accepts and provides the managed service is regarded as the service provider.

Management Information System: Information systems, typically computer based, that are used within an organization to collect, process, and disseminate information in support of decision making by managers.

Many-to-Many branchless banking model: In this model many banks and many telcos join hands to offer branchless banking to virtually all bankable customers.

Mass storage device: Nonvolatile storage devices that allow a computer to permanently retain large amounts of data.

Mesh topology: A network topology characterized by the intertwining of nodes through links connecting them together directly, rather than through one or more intermediate points of interconnection. There are two types of mesh topologies: full mesh and partial mesh. In the partial mesh topology, some nodes are connected to all the others, but some of the nodes are connected only to those other nodes with which they exchange the most data.

Metcalfe's law: A law that claims the possible value of a communications network increases exponentially with its size. The law is intended to be an approximation and a relative measure of value for comparing two networks or the growth of one.

Metropolitan area Network (MAN): A network that interconnects users with computer resources in a geographic area or region larger than that covered by even a large local area network (LAN) but smaller than the area covered by a wide area network (WAN).

Micropayment: A financial transaction involving a very small sum of money, and usually one that occurs online.

Mini computers: A mid-range multi-user computer capable of supporting from 10 to hundreds of users simultaneously. Popular with mid-size businesses.

Mobile banking: Also known as M-Banking, mbanking or SMS Banking; refers to the provision and availability of banking and financial services with the help of mobile telecommunication devices, even when users are miles away from their nearest branch or home computer.

Multitasking OS: An operating system that allows more than one program to run concurrently.

Multi-user OS: An operating system that allows two or more users to run programs at the same time.

Near Field Communication: A variation of other short-range wireless technologies already used throughout the world. Like RFID, near field communication can quickly swap information between devices when they're touched together. Based on inductive coupling, it uses loosely coupled inductive circuits to exchange power and/or data over a short distance.

Network Interface Card (NIC): Devices attached to computers and other network devices to provide the connection between those devices and the network. NICs are now mostly pre-installed by the manufacturers.

Network topology: The network's virtual shape or structure, or the manner in which computers and other devices are connected to form a network. This shape does not necessarily correspond to the actual physical layout of the devices on the network.
Network-Attached storage (NAS): Hard disk storage that is set up with its own network address rather than being attached to the computer that is serving applications to a network's workstation users. By removing storage access and its management from the regular server, both application programming and files can be served faster because they are not competing for the same processor resources.

Noise: The unwanted signal in the transmission that may cause the original message to distort and become unreadable.

Non-repudiation: An attribute of communications that seeks to prevent future false denial of involvement by either party involved in a contract or transaction. Non-repudiation is consequently an essential element of trust in e-business.

OCTAVE: The Operationally Critical Threat, Asset and Vulnerability Evaluation process is a workshop-based rather than tool-based risk assessment methodology. The main goal in developing OCTAVE is to help organizations improve their ability to manage and protect themselves from information security risks.

Off-the-shelf software: Ready-made general purpose application software intended to be used "as is" that can be bought and readily installed, allowing none to a low level of customization.

One-time password: The latest tool used by financial and banking service providers in the fight against cyber fraud. Instead of relying on traditional memorized passwords, OTPs are requested by consumers each time they want to perform transactions using the online or mobile banking interface.

One-to-Many branchless banking model: In this model a bank offers mobile phone banking services to customers using the mobile connection of any Telco.

One-to-One branchless banking model: In this model one bank offers mobile phone banking services in collaboration with a specific Telco.

Online outsourcing: The business process of contracting third-party providers (often overseas) to supply products or services (e.g. software development) which are delivered and paid for via the internet. Online outsourcing emerged in the early 2000s, along with advances in internet technology, as a viable option for SMEs and entrepreneurs who lacked the necessary financial resources to meet the costs associated with traditional forms of outsourcing.

Open Source software: Software which can be used, modified and improved by anyone and can be redistributed freely. Source code is also available to users, who can make changes to suit their needs.

Operating system: The most important systems program that runs on a computer. It creates the interface between the hardware and the application software and provides the environment in which programs are executed.

Optical fiber: A cable that consists of one or more filaments of glass fiber wrapped in protective layers. It transmits light, which can travel over extended distances and is not affected by electromagnetic radiation.

Outbound call center: A call center in which call centre agents make outbound calls to customers or sales leads. Can also be used for debt recovery functions.

Output device: Computer system peripheral devices used to output data after processing or upon data retrieval requests. The most popular output devices include monitors, printers, speakers etc.

Outsourcing: The strategic activity involving the contracting out of a business function, commonly one previously performed in-house, to an external provider for achieving cost effectiveness and better quality of work, in addition to being able to give attention to core competency.

Partial e-commerce: Electronic commerce type in which at least one of the product/service, the process and the delivery method is non-digital in nature.

Payment Card Industry Data Security Standard (PCI DSS): An information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure.

Phone banking: A service provided by a financial institution which allows its customers to perform transactions over the phone.

Point of Sale (POS): Generally this means the exact location where a purchase is made and payment is completed. This may include face-to-face sales transactions as well as purchases made online. Whether the customer is standing at a cashier counter or checking out an online shopping cart, the precise place where payment is made for goods or services ordered or received is considered the point of sale.

Policy: The organization's stated objectives and the requirements in general terms. Also establishes departmental responsibilities and cooperative interaction where issues may overlap. The statements are usually very broad and without detail.

POS Transaction: According to financial terminology, only those sales transactions that are made with a PIN are considered POS transactions.

Principle of Least Privilege (PLP): Also known as the principle of minimal privilege or just least privilege, and also as the principle of least authority. The idea behind this principle is that if users can be limited in their abilities, then their scope of damage can be limited and hopefully halted.

PRISM: Pakistan Real-time Interbank Settlement Mechanism. The name of the Real Time Gross Settlement System (RTGS) in Pakistan.

Privacy: The right to be left alone when one wants to be, to have control over one's own possessions and not to be observed without consent.

Procedure: A very specific and step-by-step method, to the extent practical and reasonable. Where policies and standards may apply on an enterprise-wide basis, there will always be a large portion of the procedures that must be specific to each individual location or facility.

Pull transaction: A transaction in which a mobile phone user actively requests a service or information from the bank. For example, inquiring about an account balance is a pull transaction.

Pure e-commerce: Electronic commerce type in which the product/service, the process and the delivery method are all digital, e.g. ordering an e-book online and receiving it over the net.

Push transaction: A transaction in which the bank sends information based on a set of rules. A minimum balance alert is a good example.

Presentation software: A category of application program used to create sequences of words and pictures that tell a story or help support a speech or public presentation of information. Business presentation software emphasizes ease and quickness of learning and use.

Qualitative risk management: Risk assessments that assume there is a great degree of uncertainty in the likelihood and impact values and define them, and thus risks, in somewhat subjective or qualitative terms. Qualitative risk assessments typically give risk results as High, Moderate and Low.
Quantitative risk management: This type of risk management draws upon methodologies used by financial institutions and insurance companies. By assigning values to information, systems, business processes, recovery costs, etc., impact, and therefore risk, can be measured in terms of direct and indirect costs.

Radio Frequency Identification (RFID): A technology that uses radio waves to transfer data from an electronic tag, called an RFID tag or label, attached to an object, through a reader, for the purpose of identifying and tracking the object. A superior and more efficient way of identifying objects than the use of a bar code system.

Ram-raiding: A term used for situations in which a van, car, or other heavy vehicle is driven through the ATM kiosk to effectively demolish or uproot an entire ATM and any housing to steal its cash.

Real time gross settlement systems (RTGS): Funds transfer systems where the transfer of money or securities takes place from one bank to another on a "real time" and on a "gross" basis. Settlement in "real time" means the payment transaction is not subjected to any waiting period. "Gross settlement" means the transaction is settled on a one-to-one basis without bunching or netting with any other transaction. Once processed, payments are final and irrevocable.

Real time OS: Responds to input instantly. Real-time operating systems are used to control machinery, scientific instruments and industrial systems.

Receiver: The component/device in a communication system that accepts the signals from the transmission system and converts them into a form that can be handled by the destination device.

Regional insourcing: A process in which a company establishes satellite locations for specific entities/functions of its business at sites that are away from its headquarters. Through this process, companies can take advantage of the benefits one location may have over another, e.g. taxes or raw material and workforce availability.

Response Time Objective (RTO): A goal or an ideal time in which it is necessary to make a specific function or service re-available following an interruption. In essence it represents the maximum amount of time before an organization is negatively impacted by the interruption of one of its core business processes or functions.

Ring topology: A network topology in which each connected device has exactly two neighbors for communication purposes. Each device incorporates a receiver for the incoming signal and a transmitter to send the data on to the next device in the ring.

Risk: The potential that a chosen action or activity, including the choice of inaction, will lead to a loss or an undesirable outcome. Also the quantifiable likelihood of loss or less-than-expected returns.

Risk management: The identification, assessment, and prioritization of risks followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

Router: An intelligent network device that forwards and routes data packets along networks. A network router connects at least two networks, commonly two LANs or WANs or a LAN and its ISP network, and is located where two networks meet.

Scalability: Property of a system that can accommodate changes in transaction volume without major changes to the system. Scalability most often comes into play when a system user anticipates growth in his business.

Scheduled backup: Data backup processes which proceed automatically on a scheduled basis without additional computer or user intervention. The advantage of using scheduled backups instead of manual backups is that a backup process can be run during off-peak hours when data is unlikely to be accessed, preventing or reducing the impact of backup window downtime.

Search engine: A type of Internet tool used to search content and websites on the world wide web based on defined search criteria in the form of key words and phrases.

Secure POS Vendor Alliance (SPVA): A non-profit organization that was formed by the three largest suppliers of point-of-sale payment terminals to increase awareness of, and improve, payment security in the electronic point-of-sale industry.

Secure Socket Layer (SSL): A protocol by which many services that communicate over the Internet can do so in a secure fashion. SSL encrypts the data being transmitted so that a third party cannot "eavesdrop" on the transmission and view the data being transmitted.
Service Level agreement: A negotiated agreement between two parties, where one is the customer and the other is the service provider. It is a part of a service contract where the level of services that the provider promises to offer is formally defined. The SLA records a common understanding about services, priorities, responsibilities, guarantees, and warranties.

Service Oriented Architecture (SOA): A flexible set of design principles used during the phases of systems development and integration in computing. A system based on an SOA will package functionality as a suite of interoperable services that can be used within multiple, separate systems from several business domains.

Shielded Twisted Pair (STP): A type of metallic wire that contains one or more pairs of twisted wires that are insulated with a metal foil to minimize electromagnetic interference.

Single-user OS: An operating system in which only one user can be logged on to the computer at a given point in time.

Social media: A type of online media that expedites conversation, allowing readers/viewers/listeners to participate in the creation or development of the content. Media for social interaction, using highly accessible and scalable communication techniques.

Software as a Service (SaaS): A software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. Services may be charged for either on a monthly or yearly subscription or on a per-use basis.

Spam: Sending of unsolicited and uninvited bulk email to recipients without their consent. Electronic junk mail.

Spoofing: The forging of the return address on an email so that the email message appears to have come from someone or somewhere other than the actual sender or origin. Also a technique to gain personal information for the purpose of identity theft, usually by means of a fraudulent email.

Spreadsheet: A computer application that simulates a paper accounting worksheet. It displays multiple cells, usually in a two-dimensional matrix or grid consisting of rows and columns. Each cell contains alphanumeric text, numeric values or formulas.

Standards: Establish minimum performance parameters. These are statements that are usually "actionable", "measurable" and/or "observable" and can often be the same as or similar to technical specifications.

Star topology: A network topology in which each network host (for example a PC) is connected to a central hub with a point-to-point connection. All traffic on the network passes through the central hub.

Static webpage: Web pages that contain the same pre-built content each time the page is loaded. Standard HTML pages are static web pages.

xv
A high-speed special-purpose network that interconnects different
Storage Area
kinds of data storage devices with associated data servers on behalf of
Network (SAN)
a larger network of users. Typically, a storage area network is part of
the overall network of computing resources for an enterprise and is
usually clustered in close proximity to other computing resources.

Stored Value Cards Refers to credit-card-sized cards with monetary value stored on them and not in an external account as in the case of debit cards. These cards are usually anonymous/bearer. A reloadable stored-value card can be reused by transferring a value to it from an automated teller machine or other device. A disposable card cannot be reloaded.

Supercomputers An extremely fast and costly computer that can perform hundreds of millions of instructions per second. Used for highly calculation-intensive tasks of large organizations.

Supply chain A system of organizations, people, technology, activities, information and resources involved in moving a product or service from supplier to customer. Supply chain activities transform natural resources, raw materials and components into a finished product that is delivered to the end customer.

Supply chain management The management of a network of interconnected businesses involved in the ultimate provision of product and service packages required by end customers. Supply chain management spans all movement and storage of raw materials, work-in-process inventory, and finished goods from point of origin to point of consumption.
SWIFT The Society for Worldwide Interbank Financial Telecommunication (SWIFT) operates a worldwide financial messaging network which exchanges messages between banks and other financial institutions.
Switch A hardware network device that joins multiple computers together within one local area network (LAN). More intelligent and costly than hubs. Capable of examining data packets as they are received, determining the source and destination device of each packet, and forwarding them appropriately to that location only.

System software Computer software that is designed to operate the computer hardware and to provide and maintain a platform for running the application software. The most important and widely used type of system software is the computer operating system.

TCP/IP TCP is one of the core protocols of the Internet Protocol Suite. TCP is
one of the two original components of the suite, complementing the
Internet Protocol (IP), and therefore the entire suite is commonly
referred to as TCP/IP. TCP is the protocol that major Internet
applications such as the World Wide Web, email.

Threat An act of coercion wherein an act is proposed to elicit a negative response. It is a communicated intent to inflict harm or loss on another person. It is a crime in many jurisdictions.

Time sharing OS A time sharing operating system uses different algorithms to share the CPU time among more than one process. This allows a computer with only one CPU to give the illusion that it is running more than one program at the same time.

Transaction processing system A type of information system to collect, store, modify, and retrieve the transactions of an organization. Mostly the front-line system. It processes predefined transactions, one at a time, with direct, on-site entry of the transactions into a terminal, and produces predefined outputs and maintains the necessary database.

Transaction website A website where customers are able to order goods or services online and do the transactions for the goods or services they want to buy (including online payment).

Transference (of risk) Refers to the shifting of the burden of loss for a risk to another party through legislation, contract, insurance or other means.

Transmission media This is the path the data follows to reach the destination device. This can be wired or wireless, depending on the situation.

Transmitter The component/device of a communication system that transmits the signal generated by the source towards the destination.

Treasury Management system Also known as a Treasury Workstation; a treasury-oriented system or software package that specializes in the automation of manually intensive, repetitive steps needed to manage cash flows.

Tree topology A network topology that is a combination of the Bus and the Star
Topology. Tree topologies integrate multiple star topologies together
onto a bus. Supports future expandability of the network much better
than a bus or a star.

Twisted pair wire The most widely used medium for telecommunication. Twisted-pair cabling consists of copper wires that are twisted into pairs. Can be Unshielded Twisted Pair (UTP) or Shielded Twisted Pair (STP).

UnifiedPOS A world-wide vendor and retailer driven initiative to provide vendor-neutral software application interfaces for POS peripherals.

Universal Resource Locator (URL) Also called a Uniform Resource Locator (created in 1994); a character string that specifies where a known resource is available on the Internet and the mechanism for retrieving it.

Unshielded twisted pair (UTP) A type of metallic cable. The most popular cable type used in today's networks. It consists of two or more pairs of unshielded twisted copper wires. It is extensively used in telephone systems around the world and in computer networking due to its low cost, easy installation and maintenance.
User privilege policy A policy that defines users' rights and privileges on a network in terms of what programs they are able to run, what data items they may view and/or edit, etc. Management formulates the policy that is later implemented by the IT, network or another relevant department.

User rights User rights govern the methods by which a user can log on to a system and use software and data resources. User rights are applied at the local computer level and allow users to perform tasks on a computer or a domain. User rights include logon rights and privileges. User rights can be defined at the system or network level as well.

Value added network (VAN) A private network provider (sometimes called a turnkey communications line) that is hired by a company to facilitate electronic data interchange (EDI) or provide other network services. Before the arrival of the World Wide Web, some companies hired value-added networks to move data from their company to other companies.

Verisys An easy-to-use access tool developed by NADRA. It is an authentication tool that provides online verification of Pakistani citizens to the government, private and corporate sectors, bringing in transparency and validation and eliminating fraud and forgery. It is a web-based real-time activity displaying the front and rear image of the CNIC with added hidden information for verification.

Video conferencing Real-time exchange of audio and video between two or more remote facilities/people/groups using hardware-based technologies and telecommunication technologies. It represents a broad range of opportunities for training and communicating in organizations large and small. This technology allows companies to connect with employees in many locations for business reasons and to offer information and education that can be presented live.

Virtual Private Network A method of computer networking, typically using the public Internet, that allows users to privately share information between remote locations, or between a remote location and a business' home network. It can provide secure information transport by authenticating users and encrypting data to prevent unauthorized persons from reading the information transmitted.
Virtual queuing Technology that provides callers with an alternative to waiting on hold when no agents are available to handle an inbound call. Instead of holding the line, a user enters a virtual queue, hangs up and receives a callback when their turn comes.
Virus Malicious software that infects computers and may cause damage to programs and data. Viruses enter unprotected computers attached to other programs and through emails and removable storage devices such as USB memory sticks. Viruses need some user action to become active.

VisaNet One of the world's most advanced and largest retail electronic payments processing networks, built and owned by Visa Corporation.
VoIP Refers to technology that enables routing of voice conversations over the Internet or a computer network. Phone calls can be made anywhere, to anyone: both to VoIP numbers and to normal phone numbers.
Vulnerability Sometimes called flaws or breaches; represents the level of exposure to threats in a particular context. Also the susceptibility of a person, group, society or system to physical or emotional injury or attack. In the case of IT systems, refers to the possibility of damage due to breaches.

Warm site A compromise between hot and cold sites. These sites will have hardware and connectivity already established, though on a smaller scale than the original production site or even a hot site. Warm sites will have backups on hand, but they may not be complete and may be between several days and a week old.

Wide area network A network of computers spread over a large geographical area, ranging from different countries to separate continents.

Wi-Fi A wireless standard for connecting electronic devices. A Wi-Fi enabled device such as a personal computer, video game console or smartphone can connect to the Internet when within range of a wireless network connected to the Internet. The term Wi-Fi was created by an organization called the Wi-Fi Alliance.

Wiki Websites that allow visitors to add, modify and sometimes delete content, thus giving more power to visitors as compared to traditional websites that are read-only. A component of Web 2.0 (the new generation of the web that is more interactive).

Wi-Max Stands for Worldwide Interoperability for Microwave Access and is technically referred to by the IEEE as the 802.16 standard. WiMAX is also commonly termed a 4G network. It is a wireless wide area network (WAN) that can cover what DSL lines can cover, but without wires. It can give wireless Internet connectivity to computers.

Wireless application protocol (WAP) The de facto worldwide standard and set of rules governing the transmission and reception of data by computer applications on, or via, wireless devices like mobile phones, pagers, personal digital assistants, etc. It allows wireless devices to view specifically designed pages from the Internet, using only plain text and very simple black-and-white pictures.
Wireless transmission Transmission that takes place without physical wires, using wireless technologies including Bluetooth, RFID, microwave and satellite communications.
Word processor One of the earliest and most popular applications for the personal computer in office productivity. A word processor enables users to create a document, store it electronically on a disk, display it on a screen, modify it by entering commands and characters from the keyboard and/or mouse, and print it on a printer.
Workstations A high-end microcomputer designed for technical or scientific applications. Intended primarily to be used by one person at a time and may be connected to a local area network.

World Wide Web (WWW) A system of interlinked hypertext documents accessed via the Internet. With a web browser, users can view web pages that may contain text, images, videos and other multimedia, and navigate between them via hyperlinks. The term is often mistakenly used as a synonym for the Internet itself, but the Web is a service that operates over the Internet, as e-mail does.
Worldwide Network The second most important and popular card processing network/system, owned and maintained by MasterCard.

Worm Malicious software that is more dangerous than a virus because it can travel over networks, infecting connected computers automatically, i.e. without any human assistance.
2. Ensure agreement about the agreement
The two parties involved in an agreement often have different views of the role of the SLA and what it can realistically achieve. Both views may be genuine, yet sufficiently different as to cause a collapse of negotiations. Before any SLA development work is done, it is advisable for the two parties to hold an open discussion to ensure that they have a level of agreement about the agreement. If they don't, and until they do, any further SLA effort may prove futile.
3. Establish ground rules for working together
In this critical, but often ignored, step the SLA developers (those assigned to negotiate the SLA) focus not on the agreement (i.e. on its terms) but on the process by which they will work together to create the
■ More organizations depend on computer systems for critical operations.

■ Organizations can easily maintain detailed databases on individuals.

■ Networking advances and the Internet: copying data from one location to another and accessing personal data from remote locations are much easier.

The doubling of computing power every 18 months has made it possible for most organizations to use information systems for their core production processes. As a result, our dependence on systems and our vulnerability to system errors and poor data quality have increased. Advances in data storage techniques and rapidly declining storage costs have been responsible for the multiplying databases on individuals (employees, customers, potential customers) maintained by private and public organizations. These advances in data storage have made the routine violation of individual privacy both cheap and effective.

Advances in data analysis techniques for large pools of data are a technological trend that heightens ethical concerns, because companies and government agencies are able to find out much detailed personal information about individuals. Finally, advances in networking, including the Internet, promise to reduce greatly the costs of moving and accessing large quantities of data and open the possibility of mining large pools of data using small desktop machines, permitting an invasion of privacy on a scale and with a precision heretofore unimaginable.

If IT security aspects are not given due consideration, many ethical issues may arise. For example, if encryption is either not performed, or the one selected is weak or compromised due to lack of due diligence, the consequences may be severe. The company's data may become accessible to unauthorized employees or outsiders. The IT manager and professionals must ensure that the cryptography laws are followed in letter and spirit.

Internet access is generally restricted and attachments are not permitted in many organizations. This is important to ensure that the company's secrets (documents, designs or formulas) are not shared with outsiders and competitors. The network administrator and/or IT security staff are generally responsible for enforcing the Internet-related policies. Through negligence, however, these may not get implemented. This can raise concerns for the company. IT security personnel need to
