A flurry of instances of cyber fraud has prompted the National Bank for Agriculture & Rural Development (Nabard) to ask state cooperative banks (SCBs) and district central cooperative banks (DCCBs) to take steps to curb the menace. The apex development bank’s advisory, sent early last week, cautions that fraudulent transactions can enter the system unless sufficient control and security features are incorporated in the computer system.
The 31 SCBs and 229 DCCBs countrywide have been told to obtain insurance cover for some of the risks, such as the cost of replacing data, software and equipment. It may also be possible to insure the consequential losses to a bank following damage to computer resources and consequent business interruptions. However, insurance should not be regarded as a substitute for a good control mechanism, according to the Nabard advisory.
Nabard said a majority of the cooperative banks and regional rural banks have not employed qualified computer personnel. Nor have they provided training to existing staff or taken similar steps for human resource development in the area of information technology. There is a lack of awareness among staff of the security features available with the technology, especially of the need to keep passwords secret. Further, there is a lack of awareness at management level about adoption of technology, governance, risks and controls. Some of the banks depend fully on service providers for managing the system, without entering into a comprehensive agreement on ethical aspects of the company and personnel employed by the company. Some banks have even allowed the persons working for the computer agency to transact entire operations of the bank.
A senior Nabard official said the bank had taken cognisance of incidents of cyber fraud in the past two years. “In one case of fraud,” he told Business Standard, “an employee of the service provider perpetrated it in collusion with some of the account holders by making fraudulent credit entries in the savings bank accounts of certain depositors. They withdrew them subsequently.”
In another case, a bank manager colluded with the service provider and defrauded Nabard. In yet another case, a junior officer misused the password of his bank’s branch manager and defrauded the bank, he added.
The official said the banks have now been told to establish controls through the principle of least privilege, meaning that every individual is given access only to the sensitive information/data or programme strictly required for one’s job, and nothing more. Further, the banks need to apply the principle of maker-and-checker, meaning that for each transaction there must be at least two individuals: one may create the transaction, the other would confirm or authenticate it.
Nabard, founded in 1982, has asked cooperative banks to standardise security procedures covering hardware, software backup, storage of both computer records and reports, and stationery. They are also to evolve data-processing procedures and backup procedures covering all computer systems of the bank, and make these known to all concerned. Further, these banks would have to create awareness of various systems in non-computer departments such as credit, deposits, development, general operations department, systems and procedures department.
Besides, Nabard has asked SCBs and DCCBs to establish procedures for conveying sensitive control information, including limits, drawing power, interest rates, charges and forex rates, from the concerned divisions to the computer section.