By Vishal Goyal, Country Manager, South Asia, FICO
2016 was a difficult year for banks in India due to the rapid increase of financial crimes carried out online. The sophistication and number of cyber attacks grew quickly. While much of this was a global trend, India has become an attractive target for criminals due to a government push to have its citizens embrace digital banking. The demonetisation policy in India has effectively grown the honeypot for online fraudsters substantially by creating a greater pool of digital cash.
India’s banks which had historically been focused on fighting traditional crimes such as ATM skimming and application fraud were caught flat-footed.Of course, the banks are up against a considerable threat with criminals quite cunning and inventive in their attacks. In October 2016 for example, 3.2 million debit cards were found to have been compromised in one of the biggest information breaches in the sector. Investigations revealed that the fraud was perpetrated by malware-infected systems inside ATM machines manufactured by a private company.
Most recently, criminals looking for loopholes targeted the SWIFT networks of four Indian banks and some even breached banking systems to generate fraudulent trade documents.
The increase in attacks prompted the Reserve Bank of India (RBI) to issue a circular in 2016 to all commercial banks detailing the guidelines to be followed for cyber security. Titled, ‘Cyber Security Framework in Banks’, the memo pointed out that while use of technology at banks had gained momentum, the “number, frequency and impact of cyber attacks has also increased”.
The RBI encouraged banks to improve upon their defences; “in view of the low barriers to entry, evolving nature, growing scale/velocity, motivation and resourcefulness of cyber-threats to the banking system, it is essential to enhance the resilience of the banking system by improving the current defences in addressing cyber risks.”
The RBI also directed banks to report cyber attacks within two to six hours of such incidents being detected. The status quo had been that it could take up to 6 months to report ‘unusual’ incidents, and it was left to the discretion of the banks to decide what was ‘unusual’. This was seen as a key area of compliance that needed to be addressed to ensure greater communication and therefore safety in the banking community at large.
My view is that the ever-improving artificial intelligence used to fight fraud for the last two decades, as well as new machine learning algorithms for self-learning, are part of the solution. For enterprises, deploying machine learning and artificial intelligence-based cyber security solutions is critical to protect the enterprise.
Self-learning analytics, artificial intelligence, machine learning-based algorithms and anomaly detection techniques will need to be used to monitor activity across networks and real-time data streams. These technologies will allow banks in India to identify threats as they occur while maintaining low false positive alarm rates even for new types of threats.
New Technologies, New Risks
Indian banks have just started experimenting with distributed ledger technologies such as blockchain, RPA/robotics and artificial intelligence. Once there is widespread use of such technologies, banks will have to again upgrade their risk management systems in order to be ready to deal with threats that target such systems.
More immediately, banks are moving some of their systems to the cloud. The advantages of this are obvious, the cloud reduces costs and make banking services more widely available. For instance,The National Bank for Agriculture and Rural Development (NABARD) brought 201 co-operative banks on a single cloud platform, to take advantage of these operational efficiencies.
However, the risk with interconnected networks is that the points of potential vulnerability (where the attackers or hackers can breach the network) increases. In the 1980s and ‘90s, operational technology and consumer technology networks functioned separately. Now both are integrated under a common IT architecture. So what affects financial institutions is very likely to have a direct impact on end-user consumers. Cyber criminals will of course seek to wreak havoc on interconnected systems using new techniques.
The good news is that, as early adopters of many technologies, the banks quickly gain the experience to fight financial crime as well. Take the technological change that is coming our way with the Internet of Things. The banks have been playing in this space for decades. An ATM network is essentially an internet of things. A web of physical objects that exchange and collect data which can be used business decision making and to automate operations. One of the primary technologies banks have adopted to protect these networks is predictive analytics. Essentially software that looks for ‘out-of-pattern’ behaviour so that banks can identify suspicious activity occurring at an ATM or on a credit card for that matter.
As Indian consumers embrace online banking enmasse due to an explosion in mobile phone adoption, predictive analytics will monitor the transactions. Currently half of all digital financial transactions are taking place on mobile devices in India. This number is rising quickly as app-based transactions become more common and fin-tech companies are given licenses to operate in India as banks.
Technology research agency Gartner has estimated that by the year 2020, the number of devices connected via the Internet will reach 27 billion globally and of this India’s share will be around 5-6 percent.
Engendering trust in mobile banking and transactions will be critical in the year ahead if banks want to develop a competitive advantage over their peers. A joint study by ASSOCHAM and Ernst & Young estimates that mobile fraud will rise 60-65 percent in 2017 in India.
It is therefore critical that banks deploy fraud detection systems that can sift genuine transactions from those which are suspicious. Doing this in real-time is only possible using advanced analytics to remain agile across both online and mobile channels.
Finding the Proceeds of Financial Crime
While cross-border activities may help to facilitate trade and boost connectivity, they have become a challenge for governments and tax authorities around the world. There is a global effort to ensure taxpayers are paying the right amount of tax in the jurisdiction of which they operated in as well as finding the criminal tax evasion which is taking place.
India has joined the global pact on exchange of information on financial accounts and its banks are expected to implement this change by September 2017.
The implementation of the AEOI through Common Reporting Standards (CRS) by the Organisation for Economic Co-operation and Development (OECD), is a significant step. This system, when fully implemented, will enable India to receive information from almost every other country in the world including offshore financial centres. The information will help prevent international tax evasion and be instrumental in getting Indian tax authorities information on assets of Indians held abroad including through entities in which Indians are beneficial owners.
The scandal surrounding last year’s Panama Papers leak shows the urgent need to close these loopholes which currently deprive governments of the legal revenue due to them to provide services to their citizens.
Again the job of managing the monitoring of millions of ordinary accounts is a vast big data problem that is beyond the scope of ordinary rules-based systems. Only a risk-based system with analytics at its heart is able to monitor the behaviour of these accounts and look for changes in behaviour and evolving patterns.
With the deadline only six months away, India will be one of the very first countries to start reporting this information to other countries around the world. The development will be an interesting one as the Indian government has been on a concerted effort to stamp out corruption and financial crime in the country.
As the country enthusiastically hurtles towards ‘Digital India’, protecting and managing the flows of digital capital must be a high priority. The use of innovative technologies and increased resourcefulness rests on the banks, who must balance a boom in digital banking services with an offering that is as free as possible from financial crime.