THE BANKING INDUSTRY AND INFORMATION banks in 2002 was $500 million, is expected to

TECHNOLOGY : A REVIEW grow by 25% a year in next few years.

 The lecture presents a study which aims to analyze  Banks will spend on IT and related fields an eye
the role of information technology in banking opening huge amount of money.
industry.
 Importance of banking industry in boosting Effects…
economic progress of a nation.  Certain technological changes have improved the
 Use of information technology for all round Banking sector tremendously.
growth.  Policy makers have made some notable changes
 To support the industrial, commercial, agricultural like enhancing payments system, integrating
and other services sector, the banking sector plays regulations between commercial & co-operative
a very vital role. banks.
 Information systems are now exposed to a number  It can be concluded that for better performance
of technology products like banks need new technology
 Net Banking
 Mobile Banking Electronic Banking
 Shopping Electronic banking is defined as:the automated delivery
 TIcket Booking of new and traditional banking products and services
 Bill Payment directly to customers through electronic, interactive
 Fund Transfer communication channels.
 Automated Teller Machines
Bangko Sentral ng Pilipinas
Influence of Technology Circular No. 240
 Technological innovations have enabled the Series of 2000
industry to open up new delivery channels. The Monetary Board, in its Resolution No. 577 dated
 Taking the help of IT to deal with the challenges April 7, 2000, approved the following guidelines on the
that the new economy poses. provision of electronic banking services:
 Various countries banking services used by the
citizens of countries were automated for 1. To require banks to seek prior Bangko Sentral ng
convenience. Pilipinas approval before they can be allowed to
 To increase the customer value by using some provide electronic banking services. Applicant banks
analytical methods in Customer Relationship must prove that they have in place a risk management
Management (CRM) applications. process that is adequate to assess, control and monitor
any risks arising from the proposed electronic banking
OUTCOMES activities. As a basic requirement, banks shall submit to
 Mobile banking service is used at the most in the Supervisory Reports and Studies Office, for
Kenya. processing of their applications, the following
 In US banking sector, it is examined that use of IT documents:
will reduce the operational cost of the banks.
 Malaysian banking sector adopted the CRM a. A description or diagram of the configuration of the
technology and confirmed the role of CRM bank’s electronic banking system and its capabilities
performance as the mediators in relationship showing (i) how the electronic banking system is linked
between trust and E-banking adoption. to other host systems or the network infrastructure in
 According to the National Association of Software the bank; (ii) how transaction and data flow through the
Services Companies (NASSCOM) the IT market for network; (iii) what types of telecommunications
channels and remote access capabilities (e.g. direct
modem dial-in, internet access, or both) exist; and (iv)
what security controls/measures are installed; 2. Internet Approach:
b. A security policies and procedures manual containing Users directly log on to their bank website and
(i) a description of the bank’s security organization; (ii) complete all their work online.
definition of responsibilities for designing, E- Banking devices
implementing, and monitoring information security  Personal computers (PCs),
measures; and (iii) established procedures for  Personal digital assistants (PDAs),
evaluating policy compliance, enforcing disciplinary  Automated teller machines (ATMs), Kiosks,
measures and reporting security violations; and  Touch tone telephones,
 Cellular and smart phones
c. Other information such as (i) how the provision of
electronic banking is intended to support the overall Benefit of E-Banking
mission, strategic goals, and operating plans of the  Anytime banking ,and anywhere banking
bank; (ii) whether the various security aspects of the  Online Banking is much cheaper for the bank. A
system have been reviewed by persons with relevant survey says that Online Banking costs only 10% of
expertise; and (iii) whether a contingency plan has been branch services
developed in the event of disruption in its provision in  Reduction in cost of transaction
electronic banking.  Pay bills online there by saving postal services.
For this purpose, electronic banking shall refer to  Easy to make utility payment
systems that enable bank customers to avail  Online purchases
themselves of the bank’s products and services through  The services are available seven days a week, 24
a personal computer (using direct modem dial-in, hours a day.
internet access, or both) or a mobile/non-mobile
phone. Drawback of E-banking
 Difficult in adoption technology
2. To require banks which are already offering  Fear of technology
electronic banking services prior to the effectivity of the  High cost of technology
implementing circular to comply with the requirements  Lack of preparedness
mentioned in item “1” above within a period of 3  Restriction on usage of technology
months from the effectivity of the implementing
circular; otherwise, they shall be prohibited from Wireless banking
further engaging in such activities.  Wireless banking is gaining popularity.
This Circular shall take effect immediately.  With a phone number and a special PIN number a
customer has access to his account balance from
his cellular device.
FOR THE MONETARY BOARD  Allows user to pay bills, transfer funds between
(Signed) accounts and check accounts from anywhere.
RAFAEL B. BUENAVENTURA  Banks like Česká spořitelna, M-bank, CSOB bank
Governor offers wireless banking in Czech Republic.
 Security is an important issue in Wireless Banking.
Two approaches E-banking  Newsbytes reports that wireless banking users will
1. Dial-in Approach: number over 50 million in the US by 2012 and in
Requires users to have a separate finance software, so Europe almost 70 million.
that they can do all the process offline and connect to Security features
the bank just for transactions.  Security is a primary concern in internet banking
 SSL (Secure Sockets Layer) protocol is used to
ensure data security between customer’s browser
and web server.
 SSL provides data encryption, data integrity and
server authentication.
 512 bit data encryption.
 Customer database is protected by double
firewalls.

Simple safety measures

 Change Your password periodically.
Why is there a need to adopt EMV technology in the
 Review your bank accounts frequently.
Philippines?
 Try to use low limit credit card for internet
The EMV chip technology has been proven effective in
transactions
significantly reducing counterfeit fraud, skimming and
other related attacks perpetrated in magnetic stripe
Conclusion
payment cards. Consequently, fraudsters have shifted
 The strategy of bank is to provide value added
their efforts to countries which are still highly reliant on
services and products to the customers, Utilizing
the magnetic stripe technology, such as the Philippines.
the internet extensively.
Thus, it is imperative for the Philippines to adopt EMV
 The main aim of e-banking is to making
technology to address the increasing rate of counterfeit
transactions through online poses and make
fraud, safeguard the interests of the public and
costumer more benefical.
promote interoperability with international payment
networks. Towards this end, the BSP has put in place
What is EMV?
the necessary regulatory and supervisory framework to
EMV (stands for Europay, MasterCard and Visa) is the
enable the migration of the entire payment network to
global standard for credit, debit, and prepaid
EMV technology. This is fundamental to BSP’s mandate
card payments using the chip card technology. EMV
to foster the development of safe, secure, efficient and
chip-based payment card is a more secure
reliable retail payment systems and uphold consumer
alternative to traditional magnetic stripe payment
protection.
cards.

What are the relevant BSP regulations governing EMV

What makes EMV different from the traditional
migration?
magnetic stripe card payment?
 BSP Circular No. 808 dated 22 August 2013
In terms of customer experience, EMV chip-compliant
Requires BSP-Supervised Financial Institutions (BSFIs) to
cards are read in what is called “card dipping”
shift from magnetic stripe technology to EMV chip-
mechanism instead of the usual swiping of magnetic
compliant cards, point-of-sale (POS) terminals and
stripe cards. Because of the additional validation and
automated teller machines (ATMs).
data flows for the EMV chip-compliant card, the process
 BSP Circular No. 859 dated 24 November 2014
may not be as quick as the swiping process. Hence, the
Provides the EMV implementation guidelines which set
customer must be patient and understand the trade-off
forth BSP’s supervisory expectations with respect to
between security and performance. The infographic
management of risks while migrating the payment
below shows the EMV chip card acceptance/validation
network to the EMV platform.
process:
 BSP Memorandum No. M-2016-011 dated 31
August 2016
Provides guidance on the adoption of chip and Personal stripe cards with EMV chip-compliant cards. Consumers
Identification Number (PIN) as the primary cardholder are advised to update their contact details with their
verification method for EMV compliant Philippine- banks to ensure they receive timely notifications and
issued debit cards. other advisories (e.g. when they will be issued a
 BSP Memorandum No. M-2016-013 dated 27 replacement chip-based
September 2016 card).
Requires BSFIs to submit quarterly reports indicating
the status of their EMV migration activities and When is the deadline for EMV migration?
compliance to the BSP. 01 January 2017 – the deadline for all BSFIs to migrate
 EMV Card Fraud Liability Shift Framework to EMV technology all Philippine-issued debit, prepaid
(ECFLSF) and credit cards, ATMs, POS terminals, and other
Establishes the framework which sets forth the general similar devices and underlying payment platforms and
principles in the allocation of liability and resolution of applications.
disputes on fraudulent transactions arising from
counterfeit cards. What happens when BSFIs are not yet fully complied
by 01 January 2017?
How will the EMV requirement affect - While the EMV infrastructure and environment are
 BSP Supervised Financial Institutions? still in the process of achieving full stability, customers
All BSFIs with card issuing and acquiring functions are may still use their magnetic stripe cards after 1
primarily responsible for migrating their payment card January 2017. However, non- or partially compliant
products and card-accepting devices/terminals to EMV BSFIs shall be subject to ECFLSF. This means that the
technology in compliance with pertinent BSP BSFIs which have not yet or have only partially
regulations. Activities to migrate to EMV include the adopted the EMV technology shall be held responsible
replacement of terminals (e.g. ATMs), replacement of for losses associated with the use of a counterfeit card
the software that drives these terminals (i.e. hosts), as in a card-present environment. The BSP may impose
well as the replacement of the payment cards (e.g. additional enforcement actions pursuant to BSP
ATM/debit card and prepaid card) previously issued. Circular No. 875 dated 15 April 2015 on BSFIs that fail
 Players in the Domestic Payment Network? to demonstrate
Key players in the domestic payment network should conscientious effort towards full EMV compliance.
also prepare their respective systems, terminals and
network to support EMV technology. These include How does the ECFLSF operate?
merchants, providers of ATMs, POS terminals and A BSFI that has enabled secure EMV technology shall
similar devices, card vendors, card personalization be protected from financial liability arising from losses
bureaus and domestic switch (BancNet) responsible for on counterfeit card fraud. The liability for this type of
processing and handling domestic transactions. fraud shall shift to the BSFI which is not or is only
Since most of these players normally partially compliant with the EMV requirement.
partner/coordinate with issuing/acquiring BSFIs, it is The allocation of liability for counterfeit fraud is
incumbent upon all affected BSFIs to ensure that these summarized as follows:
key players comply with BSP guidelines on EMV
technology.
 Cardholders/Customers?
To protect their accounts from fraudulent transactions
arising from counterfeit and skimming attacks, debit,
credit and prepaid cardholders should cooperate with
their issuing banks in the replacement of their magnetic
 the lT profif e of all BSFIs and classify them as
"Complex", "Moderate" or "Simple". The lT profile
Do we expect zero incidence of counterfeit fraud and refers to the inherent risk of a BSFI before application
skimming upon implementation of the EMV of any mitigating controls, and is assessed taking into
technology? consideration the following factors:
While EMV technology has been effective in minimizing
counterfeit fraud and skimming, it is not a silver bullet a. lT infrostructure and operations. Inherent lT risks of
or a one-time solution. However, it is far more secure a BSFI largely depend on the degree of automation of
than magnetic stripe technology which is virtually core processes and applications, the size of branch
defenseless against card skimming. Given the rapidly networks, and the characteristics of its lT organization.
evolving cyber-threats and the increasing ability of BSFls with larger branch networks and more complex
fraudsters to circumvent existing controls, BSFIs should organizational structures usually require a higher
continuously monitor developments and assess risks degree of reliance on lT systems/infrastructure, which
pertinent to their payment networks and systems. in turn, carry higher levels of inherent lT risks.
Likewise, BSFIs should ensure that an interplay of lnterconnectivity risks also play a factor in determining
technology, people and processes on top of adequate lT risk levels since added connections to third party
governance and risk management mechanisms are in networks increase complexity as well as exposure to
place to effectively address emerging payment systems potential information security/cybersecurity risks.
risks and threats. These include participation in electronic payment
systems and interconnections with other financial
OFFICE OF THE GOVERNOR institutions, business partners, customers, and third
clRcuLAR NO.982 party service providers, among others.
Series of 2OL7
Subject: Enhanced Guidelines on lnformation Security b. Digital/Electronic financial products and services.
Management Digital/electronic financial products and services
The Monetary Board, in its Resolution No. 1854 dated 2 provided to the BSFI's corporate and retail clients, by
November 2OI7, approved the revisions to the their very nature, can have a direct impact on lT risks,
guidelines on information security management of including information security/cybersecurity risks.
Bangko Sentral Supervised Financial Institutions (BSFls) This is because these products and services are
in line with rapidly evolving technology and cyber- normally provided via the internet or public networks
threat landscape, amending relevant provisions of the which are inherently risky. Digital/electronic financial
Manual of Regulations for Banks (MORB) and Manual of products and services include ATM debit, prepaid and
Regulations for Non-Bank Financial Institutions credit cards and e-channels such as ATM
(MORNBFI) as follows: terminals, point-of-sale (POS) terminals, internet
banking and mobile banking facilities, among others.
Section 2. Subsections X177.3 and 4177Q.3, 41.965.3 , BSFIs that are more aggressive in providing such
4t77P.3 and 4196N.3 of the MORB and MORNBFI, services are expected to have greater lT risks.
respectively, are hereby amended to read as follows:
Subsection Xt77.314L77Q.314L965.314t77P.3/4196N.3. c. lT proiects ond initiotives. The extent and nature of
lT Profile Classification. the BSFI's lT projects prospectively impact lT risk
exposure and complexity. For instance, developing or
To ensure that lT risk management system, governance acquiring a new core banking system is considered a
structure and processes are commensurate with the major project, that if not adequately managed and
attendant lT risks, the Bangko Sentral shall determine overseen, may heighten inherent lT risks. Also, lT
projects and initiatives entail the use of current
resources in terms of funding and manpower that might
affect existing !T operations and risk profile.
d. Outsourced services. While outsourcing in general
does not diminish the BSFI's responsibility over the
function/service outsourced, outsourcing poses an
added dimension to lT and information security risks.
For this reason, outsourcing arrangements require a
higher degree of oversight, due diligence, and risk
management controls. Outsourcing core lT services and
functions via cloud computing platforms may further
intensify lT and information security risks.

e. Systemic importonce. The systemic importance of a

BSFI is a critical determinant in assessing inherent lT
and information security/cybersecurity risks since BSFIs
identified as "Domestic Systemically lmportant Banks"
or DSIBs are essentially larger in size and have more
complex operations and product offerings. Moreover,
cyber-attacks against DSIBs can have serious
implications to financial and economic stability that
may undermine public trust and confidence in the
financial system.

f. Threats. The volume, type, and severity of cyber-

attacks and fraud targeting a specific BSFI affects lT and
cybersecurity risk profiles. Some BSFIs may be more
prone to attacks compared to others by virtue of their
asset size, customer base, systemic importance, and
other factors. Thus, BSFIs that are likely targets of these
types of threats should have greater degree of cyber-
preparedness and resilience.
A general description for each lT profile classification
is outlined as follows: