Learning from Jerome Kerviel
First Published: Mon, Feb 11 2008. 12:41 AM IST
The new year started with a huge cyber fraud involving French bank Societe Generale. Jerome Kerviel, a trader with a good knowledge of the bank’s compliance, control and back-up systems, defrauded it of $7.2 billion (Rs28,512 crore). This is the biggest banking fraud since Nick Leeson wrecked Barings Bank in 1995.
Kerviel was able to conceal trading of $116.8 billion in fictitious accounts, and to get away without any alarms being raised, because of his deep knowledge of how the bank’s systems worked.
This happened despite the fact that the bank had installed all the relevant alarms and firewall software to capture unusual trading patterns. It had 2,000 people in the compliance department.
What has happened at Societe Generale raises questions about the safety of banking procedures. Some critics are also debating the overdependence on computer-based banking systems.
Investigations are now under way and Kerviel is being interrogated. But some basic questions arise about how such a fraud could go unnoticed for so long.
Most top banks have been at the forefront in implementing the Basel 2 norms, which are meant to cover operational risks in banking. That a single employee, with his knowledge of the system and a few passwords that should never have been in his hands, could get away with a fraud of this magnitude suggests one of two things: either he was an expert at hacking and breaking into his colleagues’ passwords, or his colleagues colluded with him and handed over their passwords.
Banks have gone online with a vengeance in the past 10 years. They rely on computer infrastructure to manage their operations as well as their back-office work and compliance. Efficiency has vastly improved, both across the world and in India.
But the wrong sort of people are increasingly using online banking to pull off cyber frauds. Many incidents of cyber crime and cyber attack go unreported because banks fear they will lose face, and goodwill.
Globally, cyber crimes have been increasing and, in the past few years, have transformed from petty attempts to focused attacks on banking infrastructure. Many nations have responded by declaring banking networks critical infrastructure.
They thus attract policy-level attention. This entails deploying the best security and data storage tools, raising employee compliance with best practices, maintaining control systems and ensuring regular audits of network activity.
Banks need to act at two levels: one is to secure their own network, the other is to make the customer experience more secure. On the first front, banks have invested in robust networks with strong redundancy built into them, as well as disaster recovery systems so that servers at other locations can take over if the primary site shuts down. At the customer end, banks have brought in more secure forms of authentication, such as two-factor authentication and dynamic logging.
Yet none of this can be foolproof if humans are determined to beat the system. In almost 70% of cyber fraud cases, employee collusion is directly or indirectly responsible. So a combination of multiple human controls and computer support is the best working model for avoiding catastrophic events. Today, risk management for online networks is becoming common global banking practice.
The Reserve Bank of India issued guidelines for regular cyber security audits in banks as far back as 2001. These guidelines have not been made mandatory to date; it is left to the banks to follow them.
There have been a few instances where banks have lost money to cyber fraud, and such risks continue to grow as more and more people join the online banking bandwagon. According to a recent report, cyber frauds have already touched 3-4% of total turnover. It is for the Indian banking community to migrate to better banking practices and infrastructure that match global standards and keep it protected.
No doubt, the Societe Generale incident is a wake-up call for banks across the world to take a fresh look at their security systems. Banking regulators should have stronger watchdog powers to ensure that banks comply with best practices and guidelines. Steps also have to be taken so that cases of fraud do not go unreported.
Security audits have to be conducted more regularly, and central banks should have the power to audit banks at any time. Global cooperation among banking regulators also has to be strengthened so that cyber criminals operating from different geographical zones can be apprehended without legal hurdles.
The Council of Europe Draft Convention on cyber crimes contains such provisions and also makes cyber crimes extraditable offences. But its implementation, and the global support for it, remain open questions.
While every effort is being made to rope in more online customers, the need for better protection must always remain a point of focus.
And one cannot ignore the human dimension of cyber security.
Subimal Bhattacharjee writes on cyber security issues. Comment at theirview@livemint.com
