IIBF X Taxmann's Information System for Banks

© INDIAN INSTITUTE OF BANKING AND FINANCE, MUMBAI, 2025

PRINTING AND PUBLISHING RIGHTS WITH THE PUBLISHER

All rights reserved. No part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written permission of Indian Institute of Banking & Finance.

Any person who does any unauthorised act in relation to this publication may be liable to criminal prosecution and civil claims for damages.

While every care has been taken in compiling the information contained in this publication, Indian Institute of Banking & Finance accepts no responsibility for any errors or omissions.

Book Updated by: Mr. Naga Mohan Gollangi, Former Chief Information Security Officer, Bank of India.

Vetted by Mr. Burra Butchi Babu, Former General Manager, Bank of India.

First Edition : 2025

Price : ₹ 965

Published by :

Taxmann Publications (P.) Ltd.

Sales & Marketing :

59/32, New Rohtak Road, New Delhi-110 005 India

Phone : +91-11-45562222

Website : www.taxmann.com

E-mail : sales@taxmann.com

Mumbai

35, Bodke Building, Ground Floor, M.G. Road, Opp. Railway Station, Mulund (W), Mumbai - 400 080

Mob. +91-9322247686, 9619668669, 7045453844/45/51

E-mail : sales.mumbai@taxmann.com; nileshbhanushali@taxmann.com

Regd. Office : 21/35, West Punjabi Bagh, New Delhi-110 026 India

Printed at : Tan Prints (India) Pvt. Ltd.

44 Km. Mile Stone, National Highway, Rohtak Road, Village Rohad, Distt. Jhajjar (Haryana) India

E-mail : sales@tanprints.com

This book is meant for educational and learning purposes. The author/s of the book has/have taken all reasonable care to ensure that the contents of the book do not violate any existing copyright or other intellectual property rights of any person in any manner whatsoever. In the event the author(s) has/have been unable to track any source and if any copyright has been inadvertently infringed, please notify the publisher in writing for corrective action.

MODULE I : TECHNOLOGY IN BANKS

MODULE II : – SYSTEM,

UNIT 7 HARDWARE ARCHITECTURE

UNIT 8 SOFTWARE PLATFORMS

UNIT 9 SYSTEM DEVELOPMENT LIFE CYCLE

UNIT 10 COMPUTER NETWORKS

MODULE III : BUSINESS CONTINUITY

UNIT 11

MODULE IV : OVERVIEW OF LEGAL FRAMEWORK

UNIT 12

MODULE V : SECURITY & CONTROL STANDARDS IN BANKING

UNIT 13 SECURITY

UNIT 14 CONTROL

UNIT 15 DEVELOPMENT

UNIT 16

UNIT 17

MODULE VII : INFORMATION SECURITY AND IS AUDIT

UNIT 18 INFORMATION SECURITY

UNIT 19 IS AUDIT

References 575

Glossary of Abbreviations Used in the Book 577

Risk Associated with Technology in Banking

5.1 Introduction

Technology has become a part of all walks of life and across all business sectors, and even more so in Banking. There has been massive use of technology across many areas of banking business in India, both from the asset and the liability side of a bank’s balance sheet. Delivery Channels have immensely increased the choices offered to the customer to conduct transactions with ease and convenience. Various wholesale and retail payment and settlement systems have enabled faster means of moving the money to settle funds among banks and customers, facilitating improved turnover of commercial and financial transactions.

This chapter describes the risks associated with technology-enabled banking; the recommendations of the group have been taken into account in preparing it.

5.2 Risks Associated with Technology

These Risk Management Principles are not put forth as absolute requirements or even “best practice.” Setting detailed risk management requirements in the area of e-banking might be counter-productive, if only because these would be likely to become rapidly outdated because of the speed of change related to technological and customer service innovation. It is therefore preferred to express supervisory expectations and guidance in the form of Risk Management Principles in order to promote safety and soundness for e-banking activities, while preserving the necessary flexibility in implementation that derives in part from the speed of change in this area.

Further, each bank’s risk profile is different and requires a tailored risk mitigation approach appropriate for the scale of the e-banking operations, the materiality of the risks present, and the willingness and ability of the institution to manage these risks. This implies that a “one size fits all” approach to e-banking risk management issues may not be appropriate. For a similar reason, the Risk Management Principles issued do not attempt to set specific technical solutions or standards relating to e-banking. Technical solutions are to be addressed by institutions and standard setting bodies as technology evolves. However, this Report contains appendices that list some examples of current and widespread risk mitigation practices in the e-banking area that are supportive of the Risk Management Principles.

Consequently, the Risk Management Principles and sound practices identified are expected to be used as tools by national supervisors and implemented with adaptations to reflect specific national requirements and individual risk profiles where necessary. In some areas, the principles have been expressed by national supervisors in previous bank supervisory guidance. However, some issues, such as the management of outsourcing relationships, security controls and legal and reputational risk management, warrant more detailed principles than those expressed to date due to the unique characteristics and implications of the Internet distribution channel.

The Risk Management Principles fall into three broad, and often overlapping, categories of issues that are grouped to provide clarity: Board and Management Oversight; Security Controls; and Legal and Reputational Risk Management.

5.3 Board and Management Oversight

Because the Board of Directors and senior management are responsible for developing the institution’s business strategy and establishing an effective management oversight over risks, they are expected to take an explicit, informed and documented strategic decision as to whether and how a bank is to provide e-banking services. The initial decision should include the specific accountabilities, policies and controls to address risks, including those arising in a cross-border context. Effective management oversight is expected to encompass the review and approval of the key aspects of the bank’s security control process, such as the development and maintenance of a security control infrastructure that properly safeguards e-banking systems and data from both internal and external threats. It also should include a comprehensive process for managing risks associated with the increased complexity of and increasing reliance on outsourcing relationships and third-party dependencies to perform critical e-banking functions.

5.4 Security Controls

While the Board of Directors has the responsibility for ensuring that appropriate security control processes are in place for e-banking, the substance of these processes needs special management attention because of the enhanced security challenges posed by e-banking. This should include establishing appropriate authorisation privileges and authentication measures, logical and physical access controls, adequate infrastructure security to maintain appropriate boundaries and restrictions on both internal and external user activities, and data integrity of transactions, records and information. In addition, the existence of clear audit trails for all e-banking transactions should be ensured, and measures to preserve the confidentiality of key e-banking information should be commensurate with the sensitivity of such information.

Although customer protection and privacy regulations vary from jurisdiction to jurisdiction, banks generally have a clear responsibility to provide their customers with a level of comfort regarding information disclosures, protection of customer data and business availability that approaches the level they can expect when using traditional banking distribution channels.

To minimise the legal and reputational risk associated with e-banking activities conducted both domestically and cross-border, banks should make adequate disclosure of information on their websites and take appropriate measures to ensure adherence to customer privacy requirements applicable in the jurisdictions to which the bank is providing e-banking services.

5.5 Legal and Reputational Risk Management

To protect banks against business, legal and reputation risk, e-banking services must be delivered consistently and in a timely manner, in accordance with high customer expectations for constant and rapid availability and potentially high transaction demand.

A bank must be able to deliver e-banking services to all end-users and maintain such availability in all circumstances. Effective incident response mechanisms are also critical to minimise operational, legal and reputational risks arising from unexpected events, including internal and external attacks, that may affect the provision of e-banking systems and services. To meet customers’ expectations, banks should have effective capacity, business continuity and contingency planning. Banks should also develop appropriate incident response plans, including communication strategies, that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services.

5.5.1 The RBI’s latest Guidelines on Fraud Risk Management

The RBI guidelines on fraud risk management were issued in July 2024. The guidelines are applicable to all scheduled commercial banks, including private sector banks, public sector banks, and foreign banks operating in India.

The guidelines require banks to establish a fraud risk management framework that is aligned with the RBI’s guidelines. The framework should include a fraud risk assessment process, a fraud prevention program, and a fraud detection and investigation program.

The fraud risk assessment process should identify and assess the fraud risks that a bank faces. The process should consider a number of factors, such as the bank’s products and services, its customers, its operating environment and its internal controls.

The fraud prevention program should implement appropriate measures to mitigate the fraud risks that have been identified. The program should include a number of different measures, such as:

• Strong customer identification and verification procedures

• Robust internal controls

• Employee training on fraud awareness

• Technology solutions to detect and prevent fraud

The fraud detection and investigation program should be designed to detect and investigate frauds that occur. The program should include a number of different measures, such as:

• Monitoring of transactions for unusual activity

• Suspicious activity reporting

• Fraud investigations

The guidelines also provide guidance on a number of specific fraud risks, such as:

• Loan fraud

• Trade finance fraud

• Cyber fraud

• Foreign exchange fraud

Reporting of frauds: Banks are required to report frauds to the RBI in a timely manner. The RBI will use this information to monitor fraud trends and to take steps to prevent fraud.

5.5.2 How a typical Enterprise Fraud Risk Management (EFRM) Solution Works with Respect to Digital Payments

Consequent to the above guidelines of the RBI, many banks have established, or started to establish, Enterprise Fraud Risk Management (EFRM) solutions in order to deal with fraud risks. To understand them, let us look at how a typical EFRM solution works with respect to digital payments, for instance.

1. Mobile and Internet Banking

Data mining: A bank could use data mining to identify patterns of behaviour that may indicate fraud. For example, a bank could identify customers who are making unusually large or frequent withdrawals from their accounts, regardless of whether the transaction is made through mobile or internet banking. The bank could then investigate these customers to see if they are involved in fraudulent activity.

Anomaly detection: Anomaly detection could be used to identify transactions that are outside of the normal range of activity. For example, a bank could identify a transaction that is made from an unusual location or that is made using a device that is not typically used by the customer. The bank could then investigate these transactions to see if they are fraudulent.

Rule-based detection: Rules could be used to identify transactions that violate specific criteria. For example, a bank could identify a transaction that is made with a stolen credit card number. The bank could then investigate these transactions to see if they are fraudulent.

Customer authentication: Customers may be made to authenticate themselves before making a mobile or internet banking transaction. This could be done by requiring customers to enter a password, use a fingerprint scanner, or answer a security question. This would help to prevent fraudsters from accessing customer accounts without their permission.

Transaction limits: Limits could be set on the amount of money that can be transferred or withdrawn in a single mobile or internet banking transaction. This would help to prevent fraudsters from stealing large amounts of money in a single transaction.

Transaction alerts: Alerts could be sent to customers when they make unusual mobile or internet banking transactions. This would help customers to identify and report fraudulent transactions.

Fraud investigation: EFRM solutions can be used to investigate fraudulent mobile or internet banking transactions. This could involve reviewing transaction data, interviewing customers, and tracing the money trail.

2. ATMs

Data mining: Existing data could be mined to identify patterns of behaviour that may indicate fraud. For example, customers who are making unusually large or frequent withdrawals from ATMs could be identified and then investigated to see if they are involved in fraudulent activity.

Anomaly detection: Anomaly detection may be used to identify transactions that are outside of the normal range of activity. For example, a transaction could be identified that is made from an unusual location or that is made using a device that is not typically used by the customer.

Rule-based detection: Rules may be set to identify transactions that violate specific criteria. For example, a transaction could be identified that is made with a stolen credit card number. The ATM operator could then investigate these transactions to see if they are fraudulent.

Physical security: An ATM operator could implement physical security measures to deter fraudsters from tampering with ATMs, for instance, by installing security cameras and alarms at ATMs.

The above examples are provided to understand how a typical fraud risk management solution aids banks in management of fraud risk.
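The detection techniques described above for the mobile, internet and ATM channels (rule-based checks such as a hot-listed card number or a transaction limit, anomaly detection against a customer's usual device, location and amounts, data mining for unusually frequent withdrawals, and transaction alerts) can be illustrated in code. The following Python program is an added example written for this chapter; it is not part of the book and does not represent any bank's or vendor's EFRM product. The customer profiles, the hot-listed card, the thresholds and the transaction records in it are all constructed for illustration.

```python
"""Toy EFRM-style transaction screening (constructed example, not any vendor's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Txn:
    txn_id: str
    customer: str
    channel: str      # "mobile", "internet" or "atm"
    amount: float
    location: str
    device: str       # app device fingerprint, or ATM terminal id
    card: str
    ts: datetime


@dataclass
class Profile:
    known_devices: set        # devices/terminals the customer normally uses
    usual_locations: set      # cities where the customer normally transacts
    past_amounts: list        # history used as the anomaly-detection baseline
    per_txn_limit: float      # transaction limit set for this customer


# Constructed baselines for two hypothetical customers.
PROFILES = {
    "C1": Profile({"phone-A", "ATM-MUM-12"}, {"Mumbai"},
                  [2000, 1500, 2500, 1800, 2200, 2100], 50000),
    "C2": Profile({"laptop-B"}, {"Pune"}, [700, 400, 650], 25000),
}
BLOCKED_CARDS = {"CARD-STOLEN-001"}      # constructed hot-list of reported cards
Z_THRESHOLD = 3.0                         # amount anomaly: z-score above baseline
VELOCITY_MAX, VELOCITY_WINDOW = 3, timedelta(minutes=10)


def score_transaction(txn, profile, prior_txns, blocked_cards=BLOCKED_CARDS):
    """Return the list of rule/anomaly flags raised by one transaction."""
    flags = []
    if txn.card in blocked_cards:                       # rule-based: hot-listed card
        flags.append("blocked_card")
    if txn.amount > profile.per_txn_limit:              # rule-based: transaction limit
        flags.append("limit_exceeded")
    if txn.device not in profile.known_devices:         # anomaly: unusual device
        flags.append("unknown_device")
    if txn.location not in profile.usual_locations:     # anomaly: unusual location
        flags.append("unusual_location")
    if len(profile.past_amounts) >= 5:                  # anomaly: amount far above baseline
        mu, sd = mean(profile.past_amounts), pstdev(profile.past_amounts)
        if sd > 0 and (txn.amount - mu) / sd > Z_THRESHOLD:
            flags.append("amount_outlier")
    # Data mining for frequency: count this customer's earlier transactions in the window.
    recent = [t for t in prior_txns if t.customer == txn.customer
              and timedelta(0) <= txn.ts - t.ts <= VELOCITY_WINDOW]
    if len(recent) + 1 >= VELOCITY_MAX:
        flags.append("high_velocity")
    return flags


def run_efrm(txns, profiles):
    """Screen transactions in time order; return {txn_id: flags} for flagged ones."""
    seen, alerts = [], {}
    for txn in sorted(txns, key=lambda t: t.ts):
        flags = score_transaction(txn, profiles[txn.customer], seen)
        seen.append(txn)
        if flags:
            alerts[txn.txn_id] = flags
    return alerts


def alert_message(txn, flags):
    """Customer-facing transaction alert for a flagged transaction."""
    return (f"Alert: {txn.channel} transaction {txn.txn_id} of {txn.amount:.2f} "
            f"at {txn.location} was flagged ({', '.join(flags)}). "
            "If this was not you, contact the bank immediately.")


# Constructed sample transactions for one day across both customers.
SAMPLE_TXNS = [
    Txn("T1", "C1", "mobile",    2000, "Mumbai", "phone-A",    "CARD-C1", datetime(2025, 1, 15, 10, 0)),
    Txn("T2", "C1", "internet", 60000, "Mumbai", "phone-A",    "CARD-C1", datetime(2025, 1, 15, 10, 5)),
    Txn("T3", "C1", "atm",       2400, "Delhi",  "ATM-DEL-40", "CARD-C1", datetime(2025, 1, 15, 11, 0)),
    Txn("T4", "C1", "atm",       2000, "Mumbai", "ATM-MUM-12", "CARD-C1", datetime(2025, 1, 15, 12, 0)),
    Txn("T5", "C1", "atm",       2000, "Mumbai", "ATM-MUM-12", "CARD-C1", datetime(2025, 1, 15, 12, 3)),
    Txn("T6", "C1", "atm",       2000, "Mumbai", "ATM-MUM-12", "CARD-C1", datetime(2025, 1, 15, 12, 6)),
    Txn("T7", "C2", "internet",   500, "Pune",   "laptop-B",   "CARD-STOLEN-001", datetime(2025, 1, 15, 13, 0)),
]

if __name__ == "__main__":
    by_id = {t.txn_id: t for t in SAMPLE_TXNS}
    for txn_id, flags in run_efrm(SAMPLE_TXNS, PROFILES).items():
        print(alert_message(by_id[txn_id], flags))
```

Running the program prints one alert per flagged transaction: the over-limit internet transfer, the ATM withdrawal from an unfamiliar terminal and city, the third withdrawal within ten minutes, and the transaction on a hot-listed card, while the ordinary transactions pass silently. In a production EFRM system the baseline would be learned from the customer's history rather than typed in, and thresholds would be tuned to keep false positives manageable, since every alert consumes investigation effort and unnecessary customer alerts erode trust.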

5.6 Conclusion

It is critical to understand the growing significance of cyber fraud in the banking industry, which is increasing day by day. In order to curtail or minimize cyber fraud, the most effective tool is educating internal and external users. It is necessary to understand the vulnerabilities of the system and the various solutions and processes available so as to have better control over cyber fraud.

Technology has become integral to banking, enhancing both asset and liability management, and significantly improving customer convenience through various delivery channels. The adoption of electronic payment systems has facilitated faster fund transfers, supporting increased commercial and financial transactions. However, this widespread use of technology brings challenges, including obsolescence, complexity of systems, vendor risks, cyber threats, data privacy issues, and the need for robust governance and compliance with legal requirements. These risks can lead to operational, credit, market, and reputational risks, impacting customer confidence and potentially jeopardizing a bank’s stability.

The RBI has introduced guidelines to strengthen IT governance, requiring banks to establish IT committees, conduct regular risk assessments, implement service level agreements with IT vendors, and ensure comprehensive information security. Furthermore, the RBI’s fraud risk management guidelines emphasize the need for a fraud risk assessment process, prevention programs, and fraud detection mechanisms, particularly in digital banking. Banks are expected to use enterprise fraud risk management solutions to monitor and mitigate fraud, employing techniques such as data mining, anomaly detection, customer authentication, and transaction limits across digital and ATM channels. These frameworks aim to ensure operational continuity, protect customer data, and preserve the bank’s reputation in the face of emerging technological risks.

5.7 Check Your Progress

1. What describes operational risks from technology in banking?

(a) Poor management decisions

(b) System failures causing disruptions

(c) Customer confidence loss

(d) Non-compliance with legal requirements

2. What is a challenge of rapid technological advancement in banking?

(a) Dependence on manual processes

(b) Frequent system obsolescence

(c) Simplified risk management

(d) Eliminating vendor risks

3. What is a compliance risk in banking technology?

(a) Not meeting regulatory requirements

(b) Legacy system obsolescence

(c) Simplified data handling

(d) Overuse of encryption

4. What is the impact of vendor-related concentration risks on banks?

(a) Less dependency on in-house IT

(b) Relying on a single provider

(c) Improved resilience

(d) Better regulatory compliance

5. What is a social engineering threat in banking?

(a) Malware attacks

(b) Poor network firewalls

(c) Phishing for credentials

(d) Unauthorized access via brute force

5.8 Answers to Check Your Progress

1. (b) System failures causing disruptions

2. (b) Frequent system obsolescence

3. (a) Not meeting regulatory requirements

4. (b) Relying on a single provider

5. (c) Phishing for credentials

Rs. 965/-

INFORMATION SYSTEM FOR BANKS

AUTHOR : Indian Institute of Banking & Finance (IIBF)

PUBLISHER : Taxmann

DATE OF PUBLICATION : May 2025

EDITION : 2025 Edition

ISBN NO : 9789364550673

NO. OF PAGES : 632

BINDING TYPE : Paperback

DESCRIPTION

Information System for Banks is a concise yet comprehensive guide that converges modern banking operations with technology. It reflects the rapid digitisation of financial services—covering vital elements such as information systems, cybersecurity, legal frameworks, and audit standards. By blending foundational concepts with practical practices, the book equips readers to navigate the evolving digital banking landscape confidently.

This book is intended for the following audience:

• Banking Professionals and Auditors

• Students and Exam Aspirants

• IT & Security Practitioners

• Senior Management and Decision-makers

The Present Publication is the 2025 Edition, updated by Mr Naga Mohan Gollangi (Former Chief Information Security Officer – Bank of India) and vetted by Mr Burra Butchi Babu (Former General Manager – Bank of India). Taxmann exclusively publishes this book for the Indian Institute of Banking and Finance with the following noteworthy features:

• [Contemporary Insights] Spotlights digital payments, mobile banking, data privacy, and evolving cyber threats

• [Regulatory Alignment] Incorporates Payment & Settlement Systems Act, IT Act (with amendments), RBI guidelines, and ISO standards (27001, 22301)

• [Comprehensive Syllabus] Tailored to the Certified Information System Banker exam, covering technology foundations, legalities, continuity, and audit

• [Practical Approach] Features checklists, Q&A sections, and everyday examples promoting hands-on learning

• [Structured Learning] Organised into seven modules, enabling a clear progression from basics to advanced security and audit topics

• [Foreword by Industry Leaders] Reflects IIBF's vision of fostering tech-savvy banking professionals

• [Future-ready] Includes cutting-edge discussions on AI, fintech, blockchain, and regulatory adaptation
