How to Minimize Transaction Risk in Internet Banking

Subject: Accounting
Study level: Undergraduate

Introduction

Transaction risk is a common feature of internet banking, or electronic banking (e banking). Though there is no universal record of all transaction risks that have occurred in banks, it is estimated that transaction risks increase by the year. For instance, in the years 2009 and 2010, transaction risks significantly increased in the developed world (Dyk 2011, p. 1). Increased cases of transaction risks have caused serious lawsuits, ranging from defamation cases to compensation cases. This has weighed down the justice system and increased the cost of doing business. Moreover, a lot of time and resources have been wasted in courts as different parties seek settlements. The legal damage left by the proliferation of transaction risks has also led to increased scrutiny and regulation of internet banking. For instance, in 2005, the Federal Financial Institutions Examination Council implemented a new regulation requiring banks to implement several authentication procedures that go beyond a single parameter (Dyk 2011, p. 1). This increased scrutiny has since complicated e banking services. Common banking procedures, which would otherwise have been simple, are now very complex. To some extent, this complexity has discouraged many people from adopting internet banking. For instance, the rigorous authentication procedures that internet banking consumers are subjected to are perceived as very intimidating by some people.

Transaction risks in internet banking have caused serious problems for most banks because they soil the banks’ reputation. Banks which experience high incidences of transaction risks are seen to be incompetent and unreliable. Some customers therefore perceive such banks to be unsafe places to keep their deposits, and they shun such banks. Often, this perception leads to a loss of business because customers lose faith in such banks. On a wider scale, the proliferation of transaction risks in internet banking has made many people doubt the reliability of the new technology (internet banking) in making virtual transactions. Banks have frantically invested in technological and human resource security to reduce the instances of transaction risks in internet banking, but these efforts have only led to an escalation of operational costs. In turn, banks have been forced to pass this cost down to their consumers, thereby making internet banking relatively more expensive than it should be. Current statistics show that organizations typically lose about 5% of their revenue for failing to check transaction risks (Dyk 2011, p. 1). Unfortunately, it is almost impossible to eliminate this vice. Instead, many organizations (especially banks) have resorted to adopting technology that significantly reduces the frequency or incidence of transaction risk.

The transaction risk associated with internet banking is identified as being among the main deterrents to smaller banking institutions adopting internet banking. In the same regard, risk management policies pertaining to it have not grown at the same speed as internet banking. However, certain major banks have overlooked these challenges and adopted internet banking all the same. This has prompted an investigation into the strategies that can be adopted to limit the transaction risk in internet banking. One such bank is Vietinbank in Vietnam.

Research Questions

  • What are the strategies to minimize unauthorized access to internet banking in Vietinbank?
  • What external provisions can be formulated to curb transactional risks in Vietinbank, from a policy perspective?
  • What internal provisions can be formulated to curb transactional risks in Vietinbank, from a policy perspective?

Research Objectives

This paper seeks to carry out an investigation aimed at coming up with solutions for limiting the transaction risks in internet banking for Vietinbank. This investigation is aimed at limiting unauthorized access of internet banking in Vietinbank. However, this is not the only goal of this study. This paper also aims to investigate what external provisions can be formulated to curb transactional risks in Vietinbank. These external provisions focus on the legislative requirements, from oversight bodies, such as the government, in limiting transactional risk in Vietinbank. This objective is also complemented by the third objective of this study which focuses on formulating internal provisions that Vietinbank can adopt to limit transactional risks in internet banking.

Implications of the Study

  • Since internet banking has not been adopted by many banks, especially in developing countries, the recommendations of this paper will act as a guide to the adoption of internet banking.
  • The findings of this paper will act as a guide to policy formulators in developing regulations meant to govern internet banking.
  • This paper will educate internet banking users on the importance of ensuring their financial information is secured by explaining what safety measures they can take at an individual level.
  • This paper will suggest possible strategies that can be adopted by existing banks and institutions to ensure transaction risks are avoided. These areas of improvement will increase the overall security of internet banking.

Outline of the Report

To achieve the objectives of this study, this paper comprises a literature review of existing academic materials (regarding how to reduce transaction risks in internet banking); a research design (to explain how the intended study is to be done); a research and discussion section that aims to analyze the findings from the study; and a conclusion summarizing the research’s findings.

Literature Review

About Vietinbank

Vietinbank is deemed a pioneer of internet banking in Vietnam because most banks in the country have not adopted the technology yet. Vietinbank has been using the SSL certificate with extended validation since the year 2007 (this certification is deemed the safest in internet banking) (Vietinbank Groupd 2011, p. 2). Vietinbank adopted internet banking in 2005 and since then, it has been able to attract many customers. In two months, the bank witnessed a rise in the number of customers wanting to use internet banking from 11,000 in January 2007 to about 117,000 in February 2007. By December 2007, the bank had already witnessed a surge of internet banking consumers to about 150,000. These numbers were sustained in the year 2008, and the bank’s internet banking customers still grow by the day. However, it is also crucial to note that the bank has witnessed an increase in the volume of internet banking transactions by more than 50% during the same period (Vietinbank Groupd 2011, p. 2).

Mergers

The structure of Vietinbank is characterized by an amalgamation of several entities to form the giant financial institution. Vietinbank is 80% owned by the government of Vietnam and 10% owned by an affiliate of the World Bank, which is known as IFC (Vietnam Today 2010, p. 1). The rest of the shares are owned by other entities. In the coming years, Vietinbank intends to merge with other entities in the banking sector. More prominently, Nova Scotia Bank, which is based in America, stands to gain from this plan because in 2012, the company intends to merge with the global giant (Vietnam Today 2010, p. 1). This merger is expected to add more global banking experience to Vietinbank’s body of knowledge in internet banking.

Profitability Ratio

Vietinbank’s capacity to pay its debts has significantly improved in recent times because in 2009, it registered a bad debt ratio of 1.41%, but in 2010, it registered a bad debt ratio of 1.02%. Currently, the bank is attached to a 900 trillion dong loan with Vietnam National shipping industry, but since the company is registering a good financial performance, there are no fears that Vietinbank will suffer any losses arising from a loss of the principal amount or any interests accrued (Charlton Media Group 2011, p. 2). The bank’s provisional fund is also said to be very stable and it can offset the total debts owed by the bank.

The bank’s capital adequacy ratio also increased to about 9.82% (as per the bank’s mid annual results), which represents growth of about 1.8% compared with the same time in the year 2010 (Charlton Media Group 2011, p. 2). As a result, we can establish that Vietinbank currently enjoys healthy financial growth.

The Previous Research

Transaction Risk in Internet Banking

With the spread of e commerce, many organizations have quickly tailored their products and services to be offered on the technological platform. Banks are no exception. Internet banking is one such platform where banks offer corporate and retail services online. However, this quick adoption of information technology, coupled with the global nature of electronic networks, has easily exposed banks to several operational risks, such as the security of internet banking (Koch 2009, p. 190). There are several risks associated with internet banking. Transaction risk is only one of them. In fact, transaction risks are identified as constituting the most frequent risk category (operational risk) (Koch 2009, p. 190). This risk can occur for several reasons, but often, it occurs because of internal risk control failure, human error and a breakdown of external risk control mechanisms.

Nonetheless, it is believed that most banks use highly sophisticated internet banking platforms which are linked to legacy systems, thereby predisposing them to varied transaction risks. In internet banking, there is also a great need to ensure that the data provided in the internet banking platform is of high integrity. The inclusion of third parties on the internet banking platform also contributes to transaction risks. This observation is supported by the fact that banks have very little control over third parties and therefore, if there is no seamless system connection between the third parties and the banks, there is likely to be an escalation of transaction risks (Koch 2009, p. 190).

Experts note that internet banking is perceived by many banks as a possible escalator of information security risk, but they have failed to understand how the concept also affects other business risks (Koch 2009, p. 190). Transaction risk in internet banking is associated with several issues surrounding fraud and errors. Transaction risks are present in almost all products offered through internet banking, but they usually arise from the product development process. This may happen in several ways, including the estimation and mobilization of the banking system, sophistication of products, and the relaxation of internal or external control mechanisms (Carmichael 2011, p. 314). Many experts have noted that products and financial services which are offered through the internet banking platform bear a strong degree of risk, but they also note that this risk arises from poor planning and implementation of control mechanisms aimed at mitigating the same risks (Carmichael 2011, p. 314).

The risks associated with internet banking fall into two broad categories. The first risk is centered on the banks, which provide the basic products and services through internet banking. Here, customers may experience the risk of enrolling for financial services which their banks may fail to offer through their internet banking platform (even though they are enlisted). Moreover, this risk comes with the fact that most customers who use internet banking are normally very impatient and would not tolerate any instances of error (on the part of the bank) (Carmichael 2011, p. 314). Furthermore, such customers normally expect internet banking to be extremely prompt and “error free” because it is not subject to human incompetence. This is not true.

The second type of risk centers on forces which are external to the banks. Usually, they are masterminded by third parties who intend to launch an attack on the bank’s internet banking platform to steal information or funds from unsuspecting customers (or even from the bank itself) (Carmichael 2011, p. 314). Unfortunately, this type of risk is the most common. Incidentally, it is very difficult to overcome or even avoid this risk. Usually, such types of attacks can be launched from various quarters. However, they are mostly done online. Experts note that these online attacks can happen in two ways. The attackers may exploit the software weaknesses of the bank’s internet banking platform, or they may devise ways to gain unauthorized access to the internet banking platform. These online attacks can occur in several ways, including sniffing, guessing passwords, brute forcing, random dealing, social engineering, and hijacking. Online attacks can also occur through the launch of viruses, spyware, Trojan horses and the like (Carmichael 2011, p. 314). These elements are usually launched in one server and spread to several other sub-servers through a local area network (LAN) or similar medium.

Previous Measures Taken by Banks (Internal Measures)

Information security is among the most important issues to be concerned about in internet banking. Banks are often advised to assess the level of security accorded to the information they possess because certain information may be sensitive or classified (Koch 2009, p. 190). The security of such information is often a ‘hot’ issue in internet banking. Internet banking normally offers easy access to such information (sensitive and classified information) for online attackers who may want to gain unauthorized access to it. It is therefore the duty of the banks to provide controls and safeguards through reliable security mechanisms and structures. For a long time, the internet firewall has been used to protect sensitive information from online attackers, especially through the local area networks. However, it is proven that the internet firewall, by itself, cannot adequately prevent the occurrence of transaction risks in internet banking (Koch 2009, p. 190). In this regard, internet security experts suggest that different types of firewalls need to be designed for specific control measures in the internet banking platform. Moreover, such a system upgrade requires competent technicians to develop and monitor the system regularly. These requirements led to the development of several strategies to further prevent transaction risks in internet banking. One such method was authentication.

Authentication is the verification of a user’s identity to minimize the risk of fraudulent persons accessing a bank’s internet platform. This is done through the issuance of personal identification numbers (PINs), data encoding and biometric data (Carmichael 2011, p. 314). The use of a PIN is the most traditional form of authentication, but it is also subject to several weaknesses, including users forgetting their PINs and the theft of PINs. It is from these weaknesses that more sophisticated authentication tools such as data encoding and the use of biometrics arose. The use of biometrics is the most sophisticated form of authentication because it is based on the typical behaviors of humans. It includes tools such as scanning a person’s retina, fingerprint verification, facial imagery recognition and the like (Koch 2009, p. 190). The most sophisticated form of verification is the examination of a person’s veins. Here, the level of sophistication is extremely high and it is very difficult to impersonate someone. This biometric method works by determining a person’s hemoglobin and blood vein patterns, which are very difficult to steal.

To some extent, these measures helped to curb the rampant cases of internet fraud when they were invented. This experience is shared in many countries across the globe. For instance, the United States (US) was able to launch its internet banking platform in the 90s with moderate internet security features made possible by the various authentication features described above (Koch 2009, p. 191). Singapore also falls in the same category, but collectively, in an interesting twist, these two countries exposed the importance of including the input of the central bank in reducing the transaction risk of internet banking. However, as opposed to internet banking in Singapore and the USA, there is very little public awareness among most Vietnamese about the transaction risks of internet banking. As a result, there are minimal efforts designed to curb this problem because without the awareness needed to fight transaction risks, there is very little that can be done to prevent their occurrence.

Measures taken by Governments (External Measures)

The Monetary Authority of Singapore is of the view that a robust framework for reducing transaction risks in internet banking depends on the management framework developed by a company’s board. The agency reports that,

“This responsibility calls for banks to perform risk analysis by identifying information systems assets, determining security threats and vulnerabilities, estimating the likelihood of exploitation or attacks, assessing potential losses associated with these risk events and taking appropriate security measures and controls for asset protection” (Carmichael 2011, p. 3).

In India, similar measures have been suggested by the country’s reserve bank because mobile commerce has quickly gained prominence in the region and many banks offer internet banking through this platform. To safeguard against the risk of internet banking, the country’s reserve bank provided several guidelines for banks to follow. These guidelines centered on: supervisory and regulatory issues, registration of bank customers, technology and security standards, interoperability, clearing and settling of interbank transactions, addressing customer complaints, transaction limits, board approvals, and approvals from the Reserve Bank of India (Koch 2009, p. 191).

In line with the above regulations, the Federal Reserve Bank only authorizes banks that have a physical presence in India to undertake internet banking services based on mobile banking. Only customers who hold a debit or credit account are allowed to use internet banking services (subject to the Reserve Bank of India guidelines). Internet banking transactions are also limited to local transactions (in rupee). Any international banking transactions are not allowed. Furthermore, Indian banks are only allowed to use third party correspondents who have been approved by the country’s reserve bank to undertake internet banking transactions. Any other third party is not allowed to operate in this capacity. Existing guidelines formulated by the Reserve Bank of India relating to “money laundering”, “know your customer” and “combating the financing of terrorism” also apply to internet banking. Furthermore, not all banks are allowed to provide internet banking services; only banks which have provided core banking solutions are allowed to do so. Similarly, all banks that provide internet banking services are bound to provide suspected transaction reports to the relevant authorities for an evaluation of the transaction procedures.

In Mauritius, the terms and conditions (or guidelines) laid out by the Bank of Mauritius border on the same objectives established in India to guide internet banking. The Bank of Mauritius aims to limit the occurrence of transaction risk to improve the country’s financial market sector and improve the confidence that people have in internet banking. The same guidelines have also been set up to encourage more banks to teach their clients about the importance of upholding internet security standards for their own privacy and the security of their money (Koch 2009, p. 191). Finally, the bank has also formulated stringent guidelines to facilitate the development of cheaper and more convenient online payment methods. However, the Bank of Mauritius does not prevent any financial institution from adopting more stringent internet banking guidelines than it already provides.

Most banks (in Mauritius) which provide internet banking services are therefore required to abide by the country’s internet banking guidelines, apart from providing legal documents that outline the bank’s internet banking plan; internet security policy; risk management plan; client charter on internet banking; terms and conditions for the use of internet banking; and any plans to outsource some of the internet banking services to a third party. These measures are formulated to reduce the transaction risk of internet banking in the country.

Banks which operate in Mauritius are also required to report periodically to the Bank of Mauritius to explain the progress they have made in implementing the stipulated internet banking guidelines. The documents described above are also reviewed at the start of every financial year, and if the Bank of Mauritius is satisfied with their compliance, the respective bank is given the right to continue with the provision of internet banking services (Koch 2009, p. 191). However, the Bank of Mauritius also acknowledges that some transaction risks experienced by major banks may be unique to their circumstances and therefore, it recommends the adoption of local (bank) policies to curb these risks. In line with this acknowledgement, it recommends that every board of directors (for any bank that provides internet banking services) should oversee several responsibilities.

Top among the list of responsibilities is that every board ensures that the bank’s internet banking strategy complements the overall vision of the bank (Koch 2009, p. 191). Respective boards should also approve the strategic internet banking plan and any risk management plan before they are adopted. The board is also required to monitor any internet banking project that may have a significant impact on the transaction risk experienced by or posed to the bank. Also, the board of directors is required to ensure there are adequate internal controls that safeguard against transaction risk, plus an assurance that there is a strong team of competent employees that know how to navigate issues regarding transaction risks in internet banking.

Alongside the responsibilities given to the board of directors in ensuring transaction risks are kept at a minimum, the Bank of Mauritius also stipulates that the management teams of banks that offer internet banking services need to contribute towards efforts to reduce transaction risks. For instance, the Bank of Mauritius identifies that management teams need to ensure their internet banking products and services are in line with their company’s goals, and that the risks associated with such products are within the company’s tolerance levels (Koch 2009, p. 191). The bank also outlines that various management boards need to ensure their internal controls are functional and well-monitored to ensure no transaction risk occurs. The management is also required to ensure adequate resources are available to curb transaction risks, in terms of policy formulation, adoption and implementation.

The Bank of Mauritius also outlines several security guidelines that need to be observed by banks which provide internet banking services. These guidelines are centered on upholding data privacy and confidentiality, data integrity, business continuity, authentication of users, non-repudiation of internet banking products and access control system design to ensure unauthorized personnel do not access the internet banking platform (Carmichael 2011, p. 314). The Bank of Mauritius also expects banks that provide internet security services to ensure network access data control structures are functional to restrict unauthorized control of the internet banking platform (from unauthorized personnel). The bank also expects all financial institutions to provide a strong user identification method which is tested and authenticated. Present guidelines outline that the authentication process should be enough to prevent unauthorized persons from accessing personal information or accounts. The authentication procedures also need to be periodically reviewed through various testing procedures, such as penetration testing, to ensure they are effective. A combination of several authentication techniques is, however, recommended because it improves the level of security clearance for internet banking transactions. These authentication techniques include firewalls, passwords, and encryption (Carmichael 2011, p. 314). It is, however, the management’s responsibility to ensure the bank adopts recent legal or policy changes which uphold internet security in the financial market. Any recommendations or changes should be passed through the board of directors for approval.

For transaction verification purposes, the Bank of Mauritius expects all financial institutions offering internet banking to provide it with an audit trail. The bank also lays a lot of emphasis on virus attacks and therefore, it requires all banks to implement a detection and prevention program against this attack. This program is expected to contain a lot of elements, including virus awareness, user training programs and end-user policies. If there are any attacks on the internet banking platform, the Bank of Mauritius requires all banks to have a real-time monitoring program that detects any instances of intrusion (Carmichael 2011, p. 316). As such, penetration testing is a common procedure for most banks offering internet banking services. These detection systems may either be automated or manually operated, but they need to be very effective. The intrusion detection program is also used to control network traffic in real time and it should also be able to withstand any attacks from a third party. Internal attacks should, however, be checked by internal controls and regular audits. If there is any detection of online attacks, it is crucial for bank personnel to report the matter to their management (promptly) or report the same to the Bank of Mauritius. Based on these policy guidelines, the role of the central bank is pivotal in minimizing financial risks in internet banking. Therefore, from a comprehensive point of view, it is easy to establish that a combination of the external and internal control systems will go a long way towards ensuring transaction risks are effectively minimized. This analysis explains the need for strengthening traditional banking controls, in a virtual manner.

References

Carmichael, D. (2011) Accountants’ Handbook. London, John Wiley and Sons.

Charlton Media Group. (2011) Vietinbank Gains VND4.4T Profit Before Tax. Web.

Dyk, D. (2011) Internet Banking Fraud Risks. Web.

Koch, T. (2009) Bank Management. London, Cengage Learning.

Vietinbank Groupd. (2011) Press Release of Initial Public Offering by Vietnam Bank for Trade and Industry – Vietinbank. Web.

Vietnam Today. (2010) Nova Scotia Bank buys into VietinBank. Web.