Digital banking needs more control—II

Nironjan Roy concluding his two-part article on ATM fraud | Monday, 7 March 2016


To repeat the last paragraph of the first part of the article, the first control mechanism in ATM operation is the confidential PIN. This PIN has to be unique. It must have a reasonable validity period, and on expiry it has to be changed; otherwise the machine will deny access to the card. If, for any reason, the PIN is entered wrongly twice in succession, the system will automatically lock the card, and unlocking it will require a special security screening process. Similarly, measures will have to be in place to use the most technologically advanced card for banking machines. We are not sure what kind of card is being used in our country. At present, chip-and-PIN cards are used in the developed world because they are believed to contain all security features and are recognised as fraud-protective.
SECOND CONTROL: The second control of ATM transactions is the withdrawal cap, which limits the maximum amount and frequency of transactions per day for each account. Whenever an attempt is made to exceed the maximum cap or reach the highest frequency limit, the system will automatically lock the respective ATM card, which then requires a special security screening process to unlock. This withdrawal parameter must not be a flat amount or number; instead it will vary from customer to customer. The maximum withdrawal cap, in terms of both amount and frequency of transactions, will have to be determined based on the customer's income, average deposit, lifestyle, estimated withdrawal per day or per transaction and some other relevant factors. Consideration must be given to keeping the withdrawal cap as low as possible. If a large transaction exceeding the withdrawal cap is required for any unavoidable reason, the card holder will have to intimate the card issuer, which will conduct a security screening process like that for unlocking a card. Keeping ATM withdrawals low has some advantages: criminals will have to undertake innumerable transactions to make some money, which is troublesome and risky, so they may not be interested at all. At the same time, if fraud takes place, the loss remains minimal and thus the risk is mitigated.
We understand that ATMs in our country should have a maximum withdrawal ceiling. But the amount seems to be very high at present, which eventually allures the fraudsters. In the recent fraud, Tk 1.753 million (17.53 lakh) was withdrawn in 24 attempts from ATM booths of a particular bank, which shows that an average maximum withdrawal of Tk 730 thousand (0.73 lakh) was allowed per transaction. Allowing such large-scale withdrawals from ATMs without further verification or security screening indicates that there is no adequate inbuilt control mechanism to prevent fraudulent transactions. Had there been an appropriate control mechanism, the system would have automatically directed the card holder to the concerned department, where security verification would have been completed to effect the desired payment. During the last Christmas shopping season I purchased some furniture, the payment for which was made using my credit card. Since this was a big amount, the charge to the credit card was declined with a request to contact the office; accordingly I called the number provided on the card, and the responsible officer verified my identity and cleared the payment. This does not necessarily mean denying the use of the credit limit but following some extra security screening.
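An added illustration of the second control (not part of the original article): a per-customer daily cap on amount and frequency that locks the card on the first breach, replayed against 24 withdrawal attempts. The cap values, the attempt amounts and the date are constructed for the example; only the count of 24 attempts comes from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class CardLimits:
    daily_amount: int   # max total withdrawn per day (Tk), set per customer
    daily_count: int    # max number of withdrawals per day, set per customer

@dataclass
class Card:
    limits: CardLimits
    locked: bool = False
    day: Optional[date] = None
    amount_today: int = 0
    count_today: int = 0

def authorize(card: Card, amount: int, today: date) -> str:
    """Decide one withdrawal: APPROVED, LOCKED_NOW or REFUSED_LOCKED."""
    if card.locked:
        return "REFUSED_LOCKED"      # stays locked until security screening
    if card.day != today:            # first use on a new day resets counters
        card.day, card.amount_today, card.count_today = today, 0, 0
    over_amount = card.amount_today + amount > card.limits.daily_amount
    over_count = card.count_today + 1 > card.limits.daily_count
    if over_amount or over_count:
        card.locked = True           # breach of either cap locks the card
        return "LOCKED_NOW"
    card.amount_today += amount
    card.count_today += 1
    return "APPROVED"

def replay(limits: CardLimits, amounts, today=date(2016, 1, 1)):
    """Run a sequence of same-day attempts; return (Tk dispensed, decisions)."""
    card = Card(limits)
    decisions = [authorize(card, a, today) for a in amounts]
    return card.amount_today, decisions

# Constructed sample: 24 attempts of Tk 73,000 each (hypothetical amounts).
ATTEMPTS = [73_000] * 24
FLAT_HIGH = CardLimits(daily_amount=2_000_000, daily_count=30)  # hypothetical
TAILORED = CardLimits(daily_amount=150_000, daily_count=3)      # hypothetical

if __name__ == "__main__":
    for name, limits in (("flat high cap", FLAT_HIGH), ("tailored cap", TAILORED)):
        dispensed, decisions = replay(limits, ATTEMPTS)
        print(name, dispensed, decisions.count("APPROVED"), "approved")
```

With the flat high cap every attempt is paid out; with the tailored cap the third attempt locks the card and the remaining attempts are refused, so the exposure is bounded by the customer's own daily limit.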
It may be mentioned that ATM cards, bank cards, debit cards and credit cards are more frequently charged at PoS (Point of Sale/Service) terminals than at ATMs, and there is every possibility of a stolen or duplicate card being used. In order to prevent the use of stolen, lost or duplicate cards, a system must be in place to randomly ask some verification questions, viz. ID verification, postal code, last four digits of phone number etc., and the system will not effect the payment unless the required questions are answered satisfactorily.
THIRD CONTROL: The third control is real-time monitoring of transactions and reconciliation thereof. Every service-providing bank should maintain a well-equipped operations department. This office is, of course, different from a call centre, because the responsibility of a call centre is very limited: it only receives calls and replies based on some predetermined questions. The Operation Department, on the other hand, not only provides support services to card holders but also carries out real-time monitoring, does reconciliation and conducts security screening. Besides, enhanced verification and investigation as well as troubleshooting of transactions, when necessary, are also done by this department. This office is equipped with advanced technology and well-trained, competent officers. Personnel working in this department will never be represented by their own names; instead, a symbolic name or ID will be provided to each employee to identify them. This office remains open round the clock. Communication is made exclusively by telephone with a recording device. Officers are strictly barred from making outgoing calls and are only allowed to receive inbound calls. Telephone calls are automatically distributed to the employees on a random basis, so no officer will know which call he will receive. Even if a repeat call is required to resolve one particular transaction, it is very unlikely that the same officer will receive the call. As soon as a telephone call is received for the first time, a transaction reference number is provided to the customer, who will use this reference number every time he calls until the issue is resolved. The officers work in a system where there is a provision for writing down a note/brief summary of the issue raised by the customer and the action so far undertaken by the dealing officer.
So the next time the same customer calls, the responding officer will most likely be different but will be able to know the history of the case from the system, which will appear as soon as he opens the file using the reference number. Security screening, enhanced verification and prior notice verification for withdrawing large amounts will have to be done from this office.
This type of control mechanism has been developed so that bankers' connivance and collaboration with fraudulent activities can be avoided. Some transactions are captured in the account, so officers may be assigned responsibility for constantly monitoring transaction histories randomly sorted out through system-generated parameters. If real-time monitoring is not possible, the transaction history should be viewed in the system after EoD (End of Day) is run. A card holder encountering any problem or requiring prior intimation, security screening or enhanced verification for the successful execution of any transaction will be advised to contact this office, from where the necessary solution will be provided.
This control mechanism may seem to be a very cumbersome and time-consuming procedure, but it is not so. It is, in fact, a technologically advanced operating procedure. Within a very short time, the customer's query is met and their problem is resolved. This is a very common practice not only in the developed world but also in many developing countries.
FOURTH CONTROL: The fourth control is prior intimation by the customer for using a debit/credit card outside his or her residence area. Whenever the cardholder desires to charge the card outside his own country of residence, prior intimation will be provided. Cards issued outside Bangladesh are not supposed to have any adverse impact on our country's banks. If I use my credit card issued by a Canadian bank in Bangladesh and any fraudulent activity takes place, the matter is exclusively between the Canadian bank and me. In this situation neither banks in Bangladesh nor the government has anything to do. So for using a card issued by a Bangladeshi bank outside the country, prior intimation will be a mandatory requirement. Otherwise, the card charge may be rejected or, even if a small transaction is allowed, the responsibility for any fraudulent activity will rest entirely on the card holder. This practice is meticulously followed in the North American financial market as an additional precautionary measure so that any fraud attempt can be averted.
FIFTH CONTROL: The fifth control is maintaining a compensation account. ATM cards, credit cards, etc. are very sophisticated banking services which require substantial technological infrastructure. So this service cannot be provided free of cost; rather, a relatively higher price is charged for this sophisticated banking service. "Better the service, higher the price" should be the marketing motto of ATM cards and credit cards. Further, this service poses a potential threat of fraud and bad debt, for which the bank may incur huge financial losses. In order to minimise this loss, the bank has to maintain a good amount in a compensation account, wherein funds are accumulated by retaining a good amount of the service charges realised from ATM and credit cards. In the developed world, interest on credit cards is exorbitantly high, ranging from 19 per cent to 29 per cent, but the issuing bank can realise a very small amount of interest as the lion's share is retained in the compensation account to make good losses which may arise out of credit card fraud as well as the writing off of bad debt, which are very common phenomena in the credit card business.
Finally, there must be a committee comprising the bank's IT Department, Credit Department and Internal Control Department, which will constantly review and evaluate the technology being used in the bank and recommend upgrading thereof. In our banking industry, there is a perception of expecting all technological solutions from the IT department, which is a wrong approach. We have to keep in mind that the IT department will ensure only the technological aspect. Actual requirements and necessary security features will come from the bank's business and operation departments. The bank's operation department will submit requirements and establish features which the IT department will ensure while developing the technology. In addition, this committee will periodically conduct surveys, collect feedback from the concerned bank officers and customers, and also carry out mystery shopping; based on its findings, specific recommendations will be submitted to upgrade the system. In this context, Bangladesh Bank will have to provide policy support, which it is doing very efficiently. In many respects, Bangladesh Bank is even far ahead of the commercial banks. Considering the recent fraud and subsequent developments, Bangladesh Bank issued a circular on March 03, 2016 stipulating ten specific recommendations/directions for commercial banks as a preventive measure. Now it is the turn of the commercial banks, because these are their products and services and they make revenue thereon, so their fort will have to be protected by themselves.
This is the technological era, so we will have to learn to live with technological advancement. Technology comes with the potential threat of fraud. However, the threat of fraud will never deter the growth of technology use in banking; instead it will march forward at a faster pace in the years to come. It is estimated that the global value of yearly transactions using cards on PoS will increase to USD 210 billion by 2019 from the present USD 8.7 billion. The mobile wallet is not far away. For handling the technological threat, various control parameters have been developed. We will have to both adopt new technologies and establish appropriate control parameters. Needless to say, technology moves from developed countries to developing countries, but not all control parameters move with it, because establishing an appropriate control mechanism involves cost, which makes the technology more expensive, while the vendors always try to sell at a cheap price, compromising control factors. Moreover, the demand for control parameters must come from the buyers and, keeping this in view, our bankers will have to be well-prepared to raise the control issue as an integral part of the technologies to be procured. Ensuring appropriate control is equally important for every area of digital banking so as to mitigate the risk of fraud associated with technology-based banking.
The writer is a banker based in Toronto, Canada.