How can RBI’s latest guidelines help Indian banks combat cybercrime?

Rising cybercrime in India is no secret. According to a report by Symantec, India now ranks 3rd in the world, after the US and China, as a source of malicious activity. National Crime Records Bureau data reveals that in the three years up to 2013, registered cases of cyber crime were up 350 percent, from 966 to 4356. Both are dubious distinctions, and they give banks and the financial sector in India cause for worry.

Keeping in mind the dramatic swell in online economic crimes, India’s central bank, the Reserve Bank of India (RBI), recently issued a comprehensive circular to all banks in India urging them to implement a cybersecurity framework. It prescribes the ideal approach for banks to take concrete measures against cybercrime and online fraud, and thereby retain customer confidence, reduce financial losses and ensure business continuity.

Cybersecurity measures for banks as outlined by RBI’s circular

In light of the rising frequency and impact of cyber attacks, the RBI circular urges banks to take adequate, robust and resilient measures that address the risks posed by cyber criminals, and also to put in place an adaptive Incident Response Management and Recovery framework to deal with adverse disruptions if and when they occur.

The foundation for fighting cyber crime is a Board-approved cyber security policy that outlines the bank's approach to combating cyber crime. This policy is not to be confused with the IT policy or the IS security policy, and its strategy should encompass some of the following:

  • Identify and assess risks, technologies adopted, regulatory compliance, delivery channels (online/ mobile, etc.), organizational culture, internal and external threats, and processes and policies in place to manage and combat risk
  • Continuous surveillance by testing for vulnerabilities through a SOC (Security Operations Centre) that is kept constantly updated on the nature of emerging cyber threats
  • An IT architecture that is conducive to the security measures the bank implements after assessing its readiness, with network connections to the database allowed only through a well-defined process and by authorized personnel
  • Ensuring that the confidentiality, integrity and security of customer data are preserved without compromise
  • Formulating a Cyber Crisis Management Plan (CCMP) whose primary focus should be detection, response, recovery and containment, to address various types of cyber threats including but not limited to: distributed denial of service (DDoS), ransomware / crypto ware, destructive malware, business email frauds including spam, email phishing, spear phishing, whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost administrator exploits, identity frauds, memory update frauds, password related frauds, ‘zero’ day attacks, remote access threats and more.


Baseline Cybersecurity requirements – an indicative list

Banks need to fortify the measures adopted to achieve baseline security and resilience. For instance:

  • monitor logs and incidents in real time or near real time
  • configure hardware and software appropriately
  • automate network discovery and management
  • use the right tools and mechanisms to detect unusual activities in servers, end points and network devices
  • protect customer access credentials such as logon user-id, authentication information and tokens, access profiles, etc. against leakage/attacks
  • implement controls to minimize invalid logon counts and deactivate dormant accounts
  • monitor any abnormal change in pattern of logon

The RBI circular mandates a detailed list of cyber defence apparatus. It is evident that a large majority of these measures and requirements can be fulfilled by robust software tools and products that are built for specific purposes. But banks must also remember that, from a day-to-day operations perspective, it is imperative to have a system that monitors, tracks, alerts on and preempts any anomalies that occur in banking transactions, in real time.

The aim is to “detect and prevent” as it happens, and not to wait for end-of-the-day reporting of suspicious incidents. In fact, RBI’s circular lists the implementation of a risk-based transaction monitoring or surveillance process as part of the fraud risk management system across all delivery channels.

In addition to optimizing available technology to strengthen controls for effective risk and fraud management, banks need to conduct employee and management awareness workshops, encourage staff to report any suspicious behavior to the incident management team, conduct targeted training for key staff in operations/management roles, and evaluate awareness periodically.

In parallel, banks need to conduct awareness programmes for their customers: encourage them to report phishing mails and phishing sites, highlight the risks of sharing their online account credentials and passwords, and explain other measures they can take to protect themselves from fraudsters and people with mala fide intent.

The RBI circular also touches upon governance aspects, which include dashboards, intelligence, and proactive monitoring and management capabilities, with sophisticated tools for detection and quick response, backed by data and tools for sound analytics. In addition, banks must keep in mind several other issues while equipping themselves to fight cyber attacks: technology issues, people related issues and process related issues.

It would be fair to assume that if Indian banks were to proactively implement an intelligent, cross-channel anti-fraud defense mechanism, the impact of cybercrime (if/when it occurs) could be vastly minimized.


Source: RBI Circular of June 2016

CustomerXPs hosts “Secret Sauce for Fighting Financial Crime” in association with CISCO

“How can I make my bank safe and keep those fraudsters out?”, “What are the latest approaches to enterprise fraud management in banks?”, “How can I pro-actively & quickly be compliant to ever changing regulatory norms?”, “Can compliance to regulations & enterprise fraud management go hand-in-hand?”

These are some common questions baffling bankers not just worldwide but especially in India, where the fraud scenario is pretty grim. According to the latest statistics published by Deloitte, 93% of bankers in India indicated that there has been an increase in fraud incidents in the last two years. A majority of the respondents also stated that the average time taken to uncover a fraudulent transaction was a little less than 6 months, while they were only able to recover less than 25% of the lost amount.

In order to provide feasible solutions to such challenges, CustomerXPs, in association with CISCO, recently hosted an event, “Secret Sauce for Fighting Financial Crime”, at Hilton Mumbai on June 25, 2015. Senior bankers from multinational banks as well as cooperative banks were amongst the invitees. The objective of the event was to discuss and exchange views on the recent trends and developments in the Enterprise Financial Crime Management space.

Eminent speakers from the banking industry were invited to share their experiences of their fraud management journey and to emphasize the role of technology in combating enterprise financial fraud. Top-level executives from CustomerXPs and CISCO also spoke about the challenges faced by bankers in India and elaborated on building the bank of the future by implementing enterprise-wide, cross-channel fraud prevention technology.

The event not only served as a great learning platform but also helped leaders from across the banking and technology industries to network and share ideas.


Understanding Financial Crime, its Implications & How to Combat it

Financial crime is a serious criminal offense that is escalating at an alarming rate. Worldwide losses due to financial crime have been estimated to have crossed 3 Trillion USD. Banks worldwide have been struggling to identify and combat financial crime in order to minimize risks.

Let’s have a look at the most common kinds of financial crime prevalent today and the magnitude of the threat they pose:

Account Takeover: Account takeover involves having a fraudster take over another person’s account, first by gathering personal information about the intended victim, then contacting their card issuer by impersonating the genuine cardholder, and asking for mail to be redirected to a new address. As per a study conducted by Phishlabs in 2013, account takeover fraud grew annually by 69% worldwide.

Application Fraud: Application fraud takes place when a fraudster uses stolen or fake documents to open an account in another person’s name.

Check Fraud: Check fraud involves making use of checks unlawfully in order to acquire or borrow funds that do not exist within the account balance. As per a report released in 2014 by JPMC, 82% of bankers surveyed reported that checks were the primary target for fraud attacks at their companies.

Internal Fraud: Internal fraud is broadly defined as an employee’s misuse or misappropriation of an employer’s resources or assets for personal gain. 72% of organizations worldwide are said to have been plagued with insider fraud at some time or other.

Money Laundering: Money laundering is the process of creating the appearance that large amounts of money obtained from serious crimes, such as drug trafficking or terrorist activity have originated from a legitimate source. According to a recent report released by KPMG, 88% of bankers globally see AML as a priority.

Phishing: Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Reports suggest that an estimated 5.9 Billion USD was lost to phishing in 2013 alone with North America being the most targeted geography.

Skimming: The theft of payment card information is called skimming. The thief can procure a victim’s card number using basic methods or more advanced methods such as using a small electronic device (skimmer) to swipe and store hundreds of victims’ card numbers. In Europe alone, cash losses owing to skimming incidents exceeded 248 Million EUR in 2014.

The implications of financial crime are extensive. High-profile frauds and money laundering not only cause massive monetary losses but often lead to litigation costs due to non-compliance with various regulations. Apart from financial damages, organizations face an irreparable blow to their reputation and hence end up losing potential customers. The only viable solution lies in implementing a strong combat mechanism that protects organizations against multi-channel fraud in real time.

Combating Financial Crime

Initially, fraud was mostly an opportunistic crime committed by small-time fraudsters. But today, banks and their customers face a very different world. As the size and sophistication of products, channels and services have grown, so have the types of fraud. Money laundering is also proving to be one of the most prevalent kinds of financial crime today. A robust combat strategy is therefore essential for the management of financial crime. It involves the following:

Alignment of Anti-money laundering & Anti-fraud efforts: Both fraud risk and money laundering are key containment areas within an organization with respect to operational risk management. It makes sense for banks to implement a unified platform for both anti-fraud and AML that will help optimize the efforts of investigation teams.

Enabling customer state view: New-age fraud monitoring systems go well beyond fraud detection; they essentially provide fraud prevention and transaction decline solutions. For this to happen, the solution should be able to see the customer state view within the time the customer action takes to complete.

Influencing outcome in real-time: Financial crime has traditionally been detected through an array of post facto analysis software. While these systems are immensely effective for regulatory reporting, the one thing they fundamentally lack is the ability to influence an outcome at the point of interaction. Though most current-generation fraud detection systems process transactions in near real-time, banks need real-time fraud detection systems which can process banking events from core banking systems within milliseconds.
