
Module 4 - Banking Technology and Management 2022-23


Distance Learning Course- 2022-23

Certified Professional in
Cooperative Banking – Level-II

Module 4:
Banking Technology and
Management

2022
Centre for Professional Excellence in Cooperatives (C-PEC),
Bankers Institute of Rural Development (BIRD)
(NABARD’s Training Institution)

Sector-H, LDA Colony, Kanpur Road, Lucknow – 226 012, INDIA

Phone +91-522-2421799

Email [email protected]

Homepage https://bird-cpec.nabard.org/,
https://birdlucknow.nabard.org/
Table of Contents

1 Unit 1: Introduction to Information Technology ................................... 2


1.1 Lesson No. 1 Introduction to Computers ...................................................... 2
1.1.1 Objectives .......................................................................................... 3
1.1.2 Introduction .................................................................................... 3
1.1.3 IT Impact on modern banking ............................................................ 3
1.1.4 RBI and other regulators ................................................................... 5
1.1.5 IT as business enabler ....................................................................... 6
1.1.6 Role of Information & Communication Technology ............................... 7
1.1.7 Computer architecture ...................................................................... 9
1.1.7.1 Input devices ................................................................................ 9
1.1.7.2 Output devices ........................................................................ 10
1.1.7.3 Components of a Computer .......................................................... 11
1.1.8 Let us sum up ................................................................................ 13
1.1.9 Key words ..................................................................................... 13
1.1.10 Check your progress questions ......................................................... 13
1.1.11 Terminal questions......................................................................... 14
1.2 Lesson No. 2 Operating Systems, System Software & Languages ................. 15
1.2.1 Objective....................................................................................... 16
1.2.2 Introduction to Operating System..................................................... 16
1.2.2.1 Objectives of an Operating System ............................................. 17
1.2.2.2 Desktop Operating System ........................................................ 18
1.2.2.3 Operating systems for mobile devices ......................................... 20
1.2.2.4 Server operating systems .......................................................... 21
1.2.3 Languages ..................................................................................... 22
1.2.4 Let us sum up ................................................................................ 22
1.2.5 Key Words .................................................................................... 22
1.2.6 Check your progress-questions ......................................................... 22
1.2.7 Terminal questions......................................................................... 23
1.3 Lesson No. 3 Servers & Browsers ............................................................ 24
1.3.1 Objective....................................................................................... 25
1.3.2 Introduction to application servers ................................................... 25
1.3.3 Web browser and web server ........................................................... 26
1.3.4 Let us sum up ................................................................................ 28
1.3.5 Key Words .................................................................................... 29
1.3.6 Check your progress- questions ........................................................ 29
1.3.7 Terminal questions......................................................................... 29
1.4 Lesson No.4 Application Software ........................................................... 30
1.4.1 Objectives ..................................................................................... 31
1.4.2 Application software ....................................................................... 31
1.4.3 Packaged software .......................................................................... 32
1.4.4 Customized software....................................................................... 33
1.4.5 Word Processor ............................................................................. 33
1.4.5.1 Features of a Word Processor .................................................... 34
1.4.6 Spreadsheets ................................................................................. 36
1.4.7 Let us sum up ................................................................................ 38
1.4.8 Keywords ...................................................................................... 38
1.4.9 Check your progress -questions ........................................................ 38
1.4.10 Terminal questions......................................................................... 39
1.5 Lesson No. 5: Computer Networks .......................................................... 40
1.5.1 Objectives ..................................................................................... 41
1.5.2 Introduction .................................................................................. 41
1.5.3 Networking objectives ..................................................................... 41
1.5.4 Types of networks .......................................................................... 42
1.5.5 Internet ........................................................................................ 45
1.5.5.1 Intranet ..................................................................................... 46
1.5.6 Networking hardware or networking equipments ............................... 47
1.5.7 Let us sum up ................................................................................ 48
1.5.8 Keywords ...................................................................................... 48
1.5.9 Check your progress- Questions ....................................................... 48
1.5.10 Terminal questions......................................................................... 49
1.6 Lesson No. – 6 Data Base Management ................................................... 50
1.6.1 Objectives ..................................................................................... 51
1.6.2 Introduction .................................................................................. 51
1.6.3 Advantages of DBMS ...................................................................... 51
1.6.4 Data models .................................................................................. 53
1.6.5 User management .......................................................................... 54
1.6.5.1 File management system ........................................................... 54
1.6.6 Structured query language (SQL)...................................................... 55
1.6.7 Let us sum up ................................................................................ 55
1.6.8 Key words ..................................................................................... 56
1.6.9 Check your progress-questions ......................................................... 56
1.6.10 Terminal questions......................................................................... 56
1.7 Lesson No. –7 Data Communication ....................................................... 57
1.7.1 Objectives ..................................................................................... 58
1.7.2 Leased lines................................................................................... 58
1.7.3 Advantages/disadvantages of leased lines .......................................... 60
1.7.4 Multi-Protocol Label Switching (MPLS) ............................................ 60
1.7.5 Virtual Private Networks (VPN) ....................................................... 61
1.7.6 Satellites ....................................................................................... 62
1.7.6.1 Uses of communications satellites .............................................. 63
1.7.7 Wi-Fi ............................................................................................ 64
1.7.8 WiMAX ........................................................................................ 65
1.7.9 Let us sum up ................................................................................ 65
1.7.10 Keywords ...................................................................................... 66
1.7.11 Check your progress Questions......................................................... 66
1.7.12 Terminal questions......................................................................... 67
1.8 Lesson No. 8 Important Terminology .................................................. 68
1.8.1 Objectives .................................................................................... 69
1.8.2 Indian Financial Network ................................................................ 69
1.8.3 National Financial Switch (NFS) ................................................... 70
1.8.4 Data Warehouse............................................................................. 70
1.8.5 Data mining in business .................................................................. 71
1.8.6 VISA & MasterCard ........................................................................ 72
1.8.7 IP Address .................................................................................... 75
1.8.8 Routing ........................................................................................ 75
1.8.9 Public-key cryptography.................................................................. 76
1.8.10 Let us sum up ................................................................................ 76
1.8.11 Key Words .................................................................................... 76
1.8.12 Check your progress questions ......................................................... 77
1.8.13 Key to questions asked .................................................................... 77
1.8.14 Terminal questions......................................................................... 77
2 Unit 2: Banking Technology and Management .................................... 79
2.1 Lesson No. 9 Core Banking .................................................................... 79
2.1.1 Objectives ..................................................................................... 80
2.1.2 Introduction ................................................................................ 80
Changing the face of Indian banking: .................................................... 81
2.1.3 Core Banking Products.................................................................... 83
2.1.4 Branch operations .......................................................................... 87
2.1.5 System administration & server administration .................................. 88
2.1.6 Let us sum up ................................................................................ 89
2.1.7 Key words ..................................................................................... 90
2.1.8 Check your progress-questions ......................................................... 90
2.1.9 Terminal questions......................................................................... 90
2.2 Lesson No. 2 Delivery channels .............................................................. 92
2.2.1 Objectives ..................................................................................... 93
2.2.2 Introduction .................................................................................. 93
2.2.3 Automated Teller Machine .............................................................. 93
2.2.4 Internet banking ............................................................................ 98
2.2.5 Mobile banking/SMS banking .......................................................... 99
2.2.6 Phone banking ............................................................................. 100
2.2.7 Debit card ................................................................................... 100
2.2.8 Credit cards ................................................................................. 101
2.2.10 Let us sum up ................................................................................. 113
2.2.11 Key Words ................................................................................ 114
2.2.12 Check your progress- Questions .................................................... 114
2.2.13 Terminal questions ........................................................................ 114
2.3 Lesson No. 3 Inter Bank Payments ........................................................ 116
2.3.1 Objectives ................................................................................... 117
2.3.2 Real Time Gross Settlement System (RTGS)..................................... 117
2.3.3 National Electronic Fund Transfer (NEFT) ...................................... 123
2.3.4 What is IMPS ............................................................................. 130
2.3.5 Negotiated dealing system ............................................................. 133
2.3.6 Let us sum up .............................................................................. 133
2.3.7 Key Words .................................................................................. 134
2.3.8 Check your progress Questions....................................................... 134
2.3.9 Terminal questions....................................................................... 135
2.4 Lesson No. 4 E-commerce ................................................................ 136
2.4.1 Objectives .................................................................................. 137
2.4.2 E-commerce .............................................................................. 137
2.4.3 Types of E-commerce ................................................................. 139
2.4.4 Benefits of E-commerce ............................................................. 139
2.4.5 Disadvantage of E-commerce ..................................................... 140
2.4.6 Components of E-commerce ...................................................... 141
2.4.7 Payment gateway ....................................................................... 143
2.4.8 Types of payment gateways........................................................ 145
2.4.9 Authentication of payment......................................................... 145
2.4.10 Let us sum up ........................................................................ 147
2.4.11 Key words ............................................................................... 147
2.4.12 Check your progress- Questions ............................................. 147
2.4.13 Terminal questions ................................................................. 148
2.5 Lesson No. 5 Back office operations ................................................. 149
2.5.1 Objectives .................................................................................. 150
2.5.2 Back-office Operations .................................................................. 150
2.5.3 Inter Bank Reconciliation .......................................................... 151
2.5.4 Investment Management............................................................ 152
2.5.5 FOREX operations ..................................................................... 152
2.5.6 Risk management ...................................................................... 152
2.5.7 Customer Relationship Management ......................................... 153
2.5.8 Data Centre Management .......................................................... 154
2.5.9 Let us sum up ........................................................................... 155
2.5.10 Key words ............................................................................... 155
2.5.11 Know your progress questions ................................................ 155
2.5.12 Terminal-Questions ................................................................ 156
2.6 Lesson No. 6 Important Terminology ................................................ 157
2.6.1 Objectives .................................................................................. 158
2.6.2 Introduction .............................................................................. 158
2.6.3 Electronic money ....................................................................... 158
2.6.3.1 E- Cheques ......................................................................... 158
2.6.3.2 MICR electronic clearing ...................................................... 159
2.6.3.3 Digital signature .................................................................. 160
2.6.3.4 PKI ...................................................................................... 160
2.6.3.5 Secure Electronic Payment Protocols (SEPP)........................ 160
2.6.3.6 RFID ................................................................................... 160
2.6.4 Let us sum up ........................................................................... 161
2.6.5 Key Words ................................................................................. 161
2.6.6 Check your progress Questions ................................................. 161
2.6.7 Terminal questions .................................................................... 162
3 Unit 3: Cybercrimes, Security and Control ...................................... 164
3.1 Lesson no. 15 Introduction to Cyber Crimes .................................... 164
3.1.1 Objectives .................................................................................. 165
3.1.2 Ethics in Cyber Space................................................................ 165
3.1.3 Privacy....................................................................................... 165
3.1.4 Property ..................................................................................... 166
3.1.5 Security ..................................................................................... 166
3.1.6 Accuracy.................................................................................... 166
3.1.7 Accessibility, censorship and filtering ........................................ 167
3.1.8 Freedom of information ............................................................. 167
3.1.9 Criminalization of cyberspace & current trends in cyber crimes 167
3.1.10 Definition of cybercrime .......................................................... 168
3.1.11 Conventional crime v/s cyber crime ....................................... 169
3.1.12 Threats to information security in banks in India ................... 170
3.1.13 RBI Guidelines ....................................................................... 171
3.1.14 Let us sum up ........................................................................ 172
3.1.15 Key Words .............................................................................. 172
3.1.16 Know your progress questions ................................................ 173
3.1.17 Terminal questions ................................................................. 173
3.2 Lesson No. 2 Types of cyber crimes .................................................. 175
3.2.1 Objectives .................................................................................. 176
3.2.2 Types of cyber crimes.................................................................... 176
3.2.3 Categorization of cyber crimes ................................................... 178
3.2.3.1 Unauthorized access for illegal financial gains..................... 178
3.2.3.2 Piracy .................................................................................. 179
3.2.3.3 Hacking ............................................................................... 179
3.2.3.4 Cyber-terrorism ................................................................... 179
3.2.3.5 Cyber War ........................................................................... 179
3.2.4 Let us sum up ........................................................................... 180
3.2.5 Key Words ................................................................................. 180
3.2.6 Know your progress questions ................................................... 180
3.2.7 Terminal questions .................................................................... 181
3.3 Lesson No. 17 Cyber crime in banks ................................................ 182
3.3.1 Objectives .................................................................................. 183
3.3.2 Cyber Crimes in banks .............................................................. 183
3.3.2.1 Data related crimes ............................................................. 183
3.3.2.2 Software related crimes ....................................................... 184
3.3.2.3 Physical crimes ................................................................... 184
3.3.3 Sabotage .................................................................................... 185
3.3.4 Malwares ................................................................................... 185
3.3.5 Online crimes ............................................................................ 185
3.3.5.1 Computer virus ................................................................... 186
3.3.5.2 Safe Computing Practices .................................................... 189
3.3.5.3 Worms................................................................................. 190
3.3.5.4 Trojan Horse ....................................................................... 190
3.3.6 Software Bombs......................................................................... 191
3.3.7 Spoofing .................................................................................... 191
3.3.8 Spamming ................................................................................. 192
3.3.9 Let us sum up ........................................................................... 193
3.3.10 Key Words .............................................................................. 194
3.3.11 Know your progress questions ................................................ 194
3.3.12 Terminal questions ................................................................. 194
3.4 Lesson 18 Security and control ........................................................ 196
3.4.1 Objectives .................................................................................. 197
3.4.2 Introduction .............................................................................. 197
3.4.3 Information security measures .................................................. 198
3.4.3.1 Operating system security ................................................... 198
3.4.3.2 Database system security .................................................... 200
3.4.3.3 Network system security ..................................................... 201
3.4.4 Let us sum up ........................................................................... 206
3.4.5 Key words .................................................................................. 206
3.4.6 Key to know your progress ......................................................... 206
3.4.7 Terminal questions .................................................................... 207
3.5 Lesson No. 19: IT Laws and Global Initiatives .................................. 208
3.5.1 Objectives .................................................................................. 209
3.5.2 Introduction .............................................................................. 209
3.5.3 Implications of IT Act 2000/2008 .............................................. 210
3.5.4 Impact on other Acts ................................................................. 211
3.5.5 Initiatives to prevent cyber crime ............................................... 212
3.5.6 International cooperation........................................................... 213
3.5.7 International organizations battling cyber crime ........................ 214
3.5.8 Let us sum up ........................................................................... 217
3.5.9 Key Words ................................................................................. 217
3.5.10 Check your progress question ................................................ 217
3.5.11 Terminal questions ................................................................. 218
4 Unit 4: IT Management and Best Practices ...................................... 220
4.1 Lesson No. 1 IT Governance ............................................................. 220
4.1.1 Objectives .................................................................................. 221
4.1.2 Introduction ................................................................................ 221
4.1.3 Importance of IT governance in banks............................................. 221
4.1.4 Management control framework................................................. 222
4.1.5 IT resource management ........................................................... 223
4.1.6 Application management .............................................................. 224
4.1.7 New areas of Application ............................................................ 226
4.1.8 Change management ................................................................. 228
4.1.9 Capacity planning and monitoring ............................................. 229
4.1.9.1 Capacity management ......................................................... 232
4.1.9.2 Availability management ..................................................... 234
4.1.9.3 Supplier management ......................................................... 235
4.1.9.4 Event management.............................................................. 235
4.1.10 Let us sum up ........................................................................ 237
4.1.11 Key words ............................................................................... 237
4.1.12 Know your progress questions ................................................ 238
4.1.13 Terminal questions ................................................................. 239
4.2 Lesson No. 2 Operations management ............................................. 240
4.2.1 Objectives .................................................................................. 241
4.2.2 Introduction .............................................................................. 241
4.2.3 Work load scheduling ................................................................ 241
4.2.4 Daily activities ........................................................................... 242
4.2.5 Monthly/quarterly activities ...................................................... 242
4.2.6 System maintenance activities ................................................... 242
4.2.7 Network service management .................................................... 243
4.2.8 Regular staff training ................................................................. 244
4.2.9 Let us sum up ........................................................................... 244
4.2.10 Key words: .............................................................................. 245
4.2.11 Know your progress questions........................................................ 245
4.2.12 Terminal questions ................................................................. 246
4.3 Lesson No. 3 System and functionality performance ........................ 247
4.3.1 Objectives .................................................................................. 248
4.3.2 Introduction .............................................................................. 248
4.3.3 Functions of system components ............................................... 248
4.3.4 Functions of database ............................................................... 249
4.3.5 Security management ................................................................ 249
4.3.6 Multiuser access control ............................................................ 250
4.3.7 Backup and recovery management ............................................ 250
4.3.8 Data integrity management ....................................................... 250
4.3.9 Monitoring performance with task manager ............................... 252
4.3.10 Let us sum up ........................................................................ 253
4.3.11 Key Words .............................................................................. 254
4.3.12 Know your progress questions ................................................ 254
4.3.13 Terminal questions ................................................................. 255
4.4 Lesson No. 4 IT Infrastructure Management .................................... 256
4.4.1 Objective.................................................................................... 257
4.4.2 Introduction .............................................................................. 257
4.4.3 Risk management of IT infrastructure ....................................... 258
4.4.4 Risk categorization .................................................................... 259
4.4.5 Risk mitigation .......................................................................... 259
4.4.6 Incident and problems management practices ........................... 260
4.4.7 Business continuity and disaster recovery planning .................. 263
4.4.8 BCP methodology....................................................................... 264
4.4.9 Testing a BCP ............................................................................ 266
4.4.10 Let us sum up ........................................................................ 267
4.4.11 Key words ............................................................................... 268
4.4.12 Know your progress questions ................................................ 268
4.4.13 Terminal questions ................................................................. 269
4.5 Lesson No. 5 Important terminologies .............................................. 270
4.5.1 Objective.................................................................................... 271
4.5.2 IS Audit ..................................................................................... 271
4.5.3 EDP audit .................................................................................. 272
4.5.4 Committee of Sponsoring Organizations of the Treadway Commission (COSO) ....... 272
4.5.5 COBIT ....................................................................................... 273
4.5.6 Information Technology Infrastructure Library (ITIL) ................. 273
4.5.7 Let us sum up ........................................................................... 274
4.5.8 Key words .................................................................................. 274
4.5.9 Know your progress questions ................................................... 274
4.5.10 Terminal questions ................................................................. 275
4.5.11 Additional reading .................................................................. 275
Abbreviations

AAA American Accounting Association
AICPA American Institute of Certified Public Accountants
APBS Aadhaar Payment Bridge System
AEPS Aadhaar Enabled Payment System
APEC Asia-Pacific Economic Cooperation
API Application Programming Interface
ASEAN Association of South East Asian Nations
ATM Asynchronous Transport mode
ATM Automated Teller Machine
BASIC Beginners All-purpose Symbolic Code
B2B Business to Business
B2C Business to Consumer
BHIM Bharat Interface for Money
BQR Bharat QR
BCM Business Continuity Management
BIA Business Impact Analysis
BPO Business Process Outsourcing
BSP Basic Service Provider
CASA Current And Savings Account
C2C Consumer to Consumer
CBS Core Banking Solutions
CCA Computer Certifying Authority
CCIL Clearing Corporation of India Limited
CDMA Code Division Multiple Access
CERT-IN Computer Emergency Response Team-India
CFL Computer Forensic Labs
CIO Chief Information Officers
CISO Chief Information Security Officer
COBIT Control Objectives for Information and Related Technologies
COBOL Common Business Oriented Language
COSO Committee of Sponsoring Organizations of the Treadway Commission
CPU Central Processing Unit
CRM Customer Relationship Management
CRR Cash Reserve Ratio
CTINS Cyber Crime Technology Information Network System
DBA Data Base Administrator
DDL Data Definition Language
DDS Distributed Denial of Service
DML Data Manipulation Language
ECS Electronic Clearing System
EDI Electronic Data Interchange
EPM Enterprise Performance Management
EMI Equated Monthly Instalment
ERP Enterprise Resource Planning
FEI Financial Executives International
FBI Federal Bureau of Investigation
FORTRAN Formula Translation
FTP File Transfer Protocol
GB Giga Byte
GDP Gross Domestic Product
GEQD Government Examiner of Questioned Documents
GPRS General Packet Radio Service
GUI Graphical User Interface
HDD Hard Disk Drives
HTTP Hyper Text Transfer Protocol
IANA Internet Assigned Numbers Authority
IDRBT Institute for Development and Research in Banking and Technology
IDS Intrusion Detection System
IETF Internet Engineering Task Force
IIA Institute of Internal Auditors
IMA Institute of Management Accountants
IMPS Interbank Mobile Payment Service
InFINET Indian Financial Network
IP Internet Protocol
IRR Internal Rate of Return
ISDN Integrated Service Digital Network
ISMS Information Security Management System
ISP Internet Service Provider
IT Information Technology
ITAA Information Technology Association of America
ITES IT Enabled Services
ITIL Information Technology Infrastructure Library
JIT Just In Time
KB Kilo Byte
LAN Local Area Network
MAIT Manufacturer Association of Information Technology
MAN Metropolitan Area Network
MB Mega Byte
MICR Magnetic Ink Character Recognition
MIS Management Information System
MLATs Mutual Legal Assistance Treaties
MPLS Multi-Protocol Label Switching
NASSCOM National Association of Software and Service Companies
NCRB National Crimes Record Bureau
NEFT National Electronic Funds Transfer
NFS National Financial Switch
NIM Net Interest Margin
NPA Non-Performing Asset
NPCI National Payment Corporation of India
OS Operating System
PAN Personal Area Network
PDO Public Debt Office
PKI Public Key Infrastructure
PoS Point of Sale
QoS Quality of Service
RAM Random Access Memory
RBI Reserve Bank of India
ROM Read Only Memory
RPO Recovery Point Objective
RTGS Real Time Gross Settlement
RTO Recovery Time Objective
SEC Securities Exchange Commission
SEEP Secure Electronic Payment Protocols
SET Secure Electronic Transfer
SLR Statutory Liquidity Ratio
SQL Structured Query Language
SSL Secure Socket Layer
TBA Total Branch Automation
TCP Transmission Control Protocol
TE Traffic Engineering
TLS Transport Layer Security
ULSA Ultra Large Scale Integrated Chips
UPI Unified Payment Interface
URL Uniform Resource Locator
VDU Visual Display Unit
VLAN Virtual Local Area Network
VPN Virtual Private Networking
WAN Wide Area Network

BANKING TECHNOLOGY AND MANAGEMENT

SYLLABUS

| Chapter / Lesson No. | Title of the chapter | Topics covered |
|---|---|---|
| 1 | Introduction | IT Impact on modern banking, IT as a business enabler - Importance of Information and Communication Technology - Computer architecture, IT Policy |
| 2 | Operating System, System Software And Languages | Overview of Desktop OS, Server OS, Windows, UNIX, Linux etc. - Languages - Programmes. |
| 3 | Servers & Browsers | Application servers - Web servers – Web browsers |
| 4 | Application Software | Packaged software, Custom build software - MS-word, MS-excel, Word processing, spread sheet, etc. |
| 5 | Computer Networks | Network Layers – Protocols – IP address – LAN – WAN, VLAN, Internet and intranet, network equipment and network gateways |
| 6 | Data Base Management | DBMS, Structure, Models, File management system, user management, Authentication, SQL |
| 7 | Data Communication | Leased Lines, CLL, MPLS, VPN, Satellite links, Wi-Fi, Wi-Max |
| 8 | Important Terminology | Indian Financial Network (INFINET), National Financial Switch (NFS), Payment Gateway, Data Warehousing, Data Mining, VISA, MASTER Card, IP Address, Routing, PKC. |
| Unit 2 | | |
| 1 | Core Banking | Centralized Banking System, Core Banking System, Core Banking Products, Branch Operations, System Administration, Data base administration, Server Administration, Network Administration |
| 2 | Delivery Channels | Automated Teller Machine, Internet banking, Mobile banking, SMS banking, Phone banking, Debit card, Credit card, Smart card, POST, etc. |
| 3 | Inter Bank Payments | RTGS, NEFT, Negotiated Dealing System and Securities Settlement System. |
| 4 | E-Commerce | Types of E-commerce, Secure Electronic Transfer, Payment Gateways, Authentication of payments |
| 5 | Back Office Operations | Interbank reconciliation, Investment Management, Forex operations, Risk Management, Customer Relationship Management – Data Centre Management |
| 6 | Important Terminology | Electronic money, E-Cheques, MICR Electronic Clearing, Digital Certificate, Digital Signature, PKI, Secure Electronic Payment Protocols (SEPP), RFID. |
| Unit 3 | | |
| 1 | Introduction | Ethics in Cyber Space, Criminalization of cyber space, Current trends and developments, Definition of cyber crimes, General crime Vs Cyber crime, Threats to information security, RBI Guidelines for banks |
| 2 | Types of Cyber Crimes | Criminal intentions, Classification of Cyber Crime - Crime against individuals, Crime against Institutions, Crime against State, Various types of Cyber Crimes, Cyber war, Cyber terrorism |
| 3 | Cyber Crime in Banks | Physical crimes, Online crimes, Viruses, Worms, Trojan horse, Malwares, Software Bombs, Phishing, Spoofing, Spamming, Denial of Service Attack (DoS) etc. |
| 4 | Security and Control | Security policy – Information security measures – OS Security, Data base security, Network security – Control techniques |
| 5 | IT Laws and Global Initiatives | Information Security Act 2000, Other applicable Acts, Legislative, law enforcement and Judicial initiatives, International cooperation and initiative - challenges |
| Unit 4 | | |
| 1 | IT Governance | Bank policy - Management control framework – Data Resource Mgt - Application Control Framework - Process Controls - Capacity planning and monitoring – Change Management Process - Adoption of best practices. |
| 2 | Operations Management | Work load scheduling – Network service management – Preventive maintenance - Regular staff training |
| 3 | System and Functionality Performance | System performance monitoring process – Tools and techniques – Functions of hardware, software, data base etc. |
| 4 | IT Infrastructure Management | Risk management – Incident and problems management Practices - System resiliency tools and techniques - Service Desk Mgt. – Change Mgt. - Business Continuity and Disaster Recovery Planning. |
| 5 | Important Terminologies | IS audit, EDP audit, Committee of Sponsoring Organizations of the Treadway Commission (COSO), COBIT, and Information Technology Infrastructure Library (ITIL), etc. |

Disclaimer

This book is meant for educational and learning purposes. The author of the book
has taken all reasonable care to ensure that the contents of the book do not
violate any existing copyright or other intellectual property rights of any person /
institution in any manner. Wherever possible, acknowledgements / references
have been given.
Unit 1: Introduction to Information Technology

Lesson No. 1 Introduction to Computers

Lesson No. 2 Operating System, System software and Languages

Lesson No. 3 Servers & Browsers

Lesson No. 4 Application Software

Lesson No. 5 Computer Networks

Lesson No. 6 Database Management

Lesson No. 7 Data Communication

Lesson No. 8 Important Terminology

1 Unit 1: Introduction to Information Technology

1.1 Lesson No. 1 Introduction to Computers

• Objectives
• Introduction
• IT Impact on Modern Banking
• RBI and Other Regulators
• IT as a Business Enabler
• Role of Information and Communication Technology
• Computer Architecture
• Input devices
• Output devices
• Components of a computer
• Let us sum up
• Key words
• Check your progress-questions
• Key to questions asked
• Terminal questions

1.1.1 Objectives

The objectives of this lesson are to understand

• IT Impact on modern banking
• IT as a business enabler
• Importance of Information and Communication Technology
• Computer architecture
• IT Policy

1.1.2 Introduction

This lesson covers how technology has changed modern banking. In fact,
Information Technology drives every business in an economy. This lesson also
gives an overview of computer architecture and of the role of Information and
Communication Technology.

1.1.3 IT Impact on modern banking

Since their advent in the early nineties, desktops have reached not only
large commercial organizations but also every home. Desktops have totally
changed the working and functioning at every level.

Every bank, whether from the private sector, public sector or co-operative
sector, has a role to play in the Indian economy given the need for financial
inclusion. Banks are also facing tough challenges in the liberalized economy.
The challenges take the form of competition from other banks as well as the
ever changing needs, expectations and aspirations of customers.
Computerization in banks has to be seen from these perspectives. In the
following paragraphs, the expectations of the different stakeholders of banks
are highlighted to bring to the fore the role of computerization.

Customers

The needs and expectations of customers have been changing at a rapid speed.
Bill Gates had said that customers want banking and not banks. The need for
banking services may be fulfilled through various delivery channels. ATM,
Mobile, Internet and Branch are the different channels available for delivering
banking services. POS with Banking Correspondents (BCs) are fast emerging as a
viable alternate delivery channel for banks. Carrying out banking services
through these channels gained momentum after the introduction of Core Banking.
Before the introduction of CBS in banks, automation was limited to branch
computerization or Total Branch Automation (TBA). While TBA helped to automate
the manual processes in the branches of banks, the branches continued to be
independent silos without connecting to each other. Core Banking changed the
definition of a bank and a customer. A customer no longer remained a customer
of a branch; he/she became a customer of the bank. The geographic division of
branches was removed in one go by linking them to one another through a network
of leased lines. Availability of leased line connectivity with the required
bandwidth at reduced rates from different telecom service providers helped
banks to deliver services through various channels. No bank can afford the
wrong notion that its class of customers is totally different and that it would
not require services through any channel other than branch banking. Co-op
Banks are obviously required to gear up to adapt to these changes and meet the
expectations of customers.

Evolving payment system

Traditionally, customers had limited options for settling claims. Settlement
in cash or by issuing cheques was the only available option. Computerization,
and particularly Core Banking, has helped the banking industry to float various
alternative options for payment purposes. Electronic Clearing Service (ECS) for
debit and credit transactions has helped banks to handle electronically the
periodic recovery of loans through ECS debit and to effect periodic payments
such as interest on deposits, bonds and dividends on shares through ECS credit.
Cheque truncation, introduced in New Delhi and now in Chennai, would require
banks to retain cheques at the collecting bank’s end, with an obligation to
send the images of these cheques to the clearing house. CTS is now across the
country. The clearing houses would therefore not be restricted to small towns
and cities but would cover wider areas, as they would get bifurcated at four
places in Mumbai, Delhi, Calcutta and Chennai. The RTGS and NEFT options
available to customers have helped in transferring funds from one bank account
to another, instantaneously in the case of RTGS and within one hour in the case
of NEFT. IMPS, the new initiative offered by the Payment Corporation of India,
is available to customers of every member bank for transfer of funds from one
bank to another on a 24/7 basis, 365 days a year. Usage of ATMs has facilitated
withdrawal of cash as per customers’ convenience, and usage of POS has
facilitated payment towards purchases/services availed. It is, therefore,
obvious that every bank, small or big, irrespective of the sector in which it
operates, has to gear up to get integrated with every evolving payment system
in the country.

Internet and Mobile

The telecom industry has helped banks to deliver their services to customers.
While the internet, with increased bandwidth, is penetrating small and big
towns and every nook and corner of the country, it is said that there are more
mobiles than bank accounts in India. While there would be a limited entry
barrier in the use of computers by households for internet purposes, this is
not true of mobiles, which can be handled with ease and convenience by literate
and illiterate alike. Banking services will therefore have to be made available
through these channels as well.

Financial Inclusion

In India, it is an accepted fact that banking has not reached the masses. While
the economy has been growing at an average rate of 7% for the last 7-8 years,
the total population below the poverty line is not declining at the same
speed. If the benefits of GDP growth are to reach the masses, this will be
possible only if the population is covered through the banking network. RBI
has, therefore, been propagating innovative ways to extend banking services to
the rural population. Bank Correspondent and Bank Franchise models have been
proposed for banks in all the sectors. This model would be successful only
through the use of technology. These channels would be equipped with handheld
devices and would be connected to the Core Banking Data Centres of banks
through GPRS/CDMA connectivity. Co-op Banks have been considered the most
appropriate channels for financial inclusion, particularly in the semi-urban
and rural areas.

Healthy business growth

In order to be competitive, each bank, small or big, has to have a growing
business profile. This means a bank should not only increase its deposits and
advances in keeping with the average growth in the economy, but the growth
should also fetch reasonable returns. In banks this state of affairs is well
explained by key financial indicators such as growth in deposits and advances
in absolute and percentage terms, Net Interest Margin (NIM), percentage of CASA
(Current and Savings deposits) to total deposits, gross NPA and net NPA as a
percentage of total advances, business per employee and profit per employee.
These indicators speak volumes about the efficiency with which a bank is
managed, not only in terms of the deposits that it garners but also in terms of
its manpower resources. This would be possible only with the use of technology.

1.1.4 RBI and other regulators

Banks have to comply with the requirements of RBI not only by adhering to the
guidelines issued by it from time to time but also by submitting returns on
time and with utmost accuracy. On a fortnightly basis, banks have to submit
returns on Cash Reserve Ratio (CRR) and Statutory Liquidity Ratio (SLR). In
order to keep a close watch on the working and performance of banks, RBI as a
regulator carries out on-site inspection of branches of banks. However, given
the large number of banks, it would not be possible for RBI to inspect all of
them at regular intervals. RBI has therefore stipulated submission of an
off-site surveillance report on a quarterly basis. This report of each bank is
a mirror for RBI to gauge and watch its functioning. For complying with AML
requirements, banks have to submit information about cash transactions and
suspicious transactions on a monthly basis to FIU (IND). Besides the statutory
returns stated above, banks are also required to generate information (MIS) for
taking strategic decisions on a continuing basis. To meet these requirements,
the role of technology cannot be ignored.

The various factors highlighted in the preceding paragraphs underline the
importance of technology in banks. However, a note of caution about technology
is appropriate. While business would be totally driven by technology, it is
essential that the top management have a fair knowledge of the technology to
ensure that it is used by the juniors for the benefit and development of the
bank and not for personal benefit. It is also important to note that the data
of a bank, which is its lifeline and which hitherto was scattered in ledgers
and registers, would now be stored in virtual form and would be accessible
through software programs. Banks therefore have to carry out proper KYC of
their vendors in at least as much detail as they do for the borrower and
deposit customers with whom they deal day in and day out.

1.1.5 IT as business enabler

It is almost impossible to imagine an organization’s existence without IT.
Wal-Mart, a retail chain in the USA, is a classic example in this regard. It
created a bridge between retail customers and the manufacturers of different
products and provided goods at cheaper and competitive rates without
compromising on quality. This integration was achieved through a smart use of
technology. IT helped the company drive costs down, and the savings could be
passed on to its customers. It has set high standards for competitors to
compete on both the price and the quality front.

The ‘Just in time’ philosophy, which ensures the availability of needed parts
exactly when they are needed and thereby reduces stocking requirements, is
achieved by many automobile manufacturers by using technology. Electronic
payment systems have reached a mature stage and E-commerce has become a
reality because of technology.

In today’s increasingly global and competitive business environment, it is not
enough for organizations to know where they want their business to go; at any
given point in time they must also know where they are positioned.
Organizations must plan faster and do more with potentially less budget and
fewer resources. At the same time, they must be incredibly efficient and more
precise with every decision.

The strategic use of IT systems helps an organization review and align the
performance of various business functions with its business plans by tracking
and analyzing key performance indicators (statistics and goals) via end-to-end
integrated systems such as ERP, CRM, management dashboards and early
warning/alert systems. By implementing these tools and technologies, IT
provides organizations a platform for Enterprise Performance Management (EPM).

EPM helps organizations focus on their goals, map their strategies and then
monitor and manage performance from high-level strategic goals to operational
metrics. It also helps in finding the causes of underperformance and in taking
action to reduce costs and optimize profitability across business areas such as
sales, production, customer services and the like. This enables organizations
to analyze real-time information and make more informed business decisions.
Clearly, IT acts as a strategic tool to provide competitive advantage.

LG, a consumer durables company from S. Korea, is betting big on localized
innovations, like a washing machine with speech technology that offers
instructions in Hindi, a microwave oven with 56 separate keys for Indian menus
and a remote control which can be pre-programmed to regulate both the ceiling
fan and the air conditioner. The contribution of consumer insight based
products to the company’s turnover this year is expected to be about 10%, which
the company wants to increase to around 30% in the next three to four years to
achieve sound profits. This is just one example of how organizations can use IT
as a strategic tool and gain competitive advantage by establishing themselves
as leaders with ‘Me Only’ products.

1.1.6 Role of Information & Communication Technology

Information plays a crucial and dominant role in an economy. It serves as the
glue between the supply chain and customer relationships, and it enables
processes, departments and organizations to work together so as to build
integrated, coordinated functioning of an organization.

Information & Communication Technology (ICT) tools and techniques consist of
the hardware and software used throughout an organization to gather and
analyze information. Over a period of time, ICT tools and techniques have
evolved from just a support function to an essential tool of the
decision-making process. This evolution can be categorized in five phases.

Phase–I

Under the first phase of evolution, IT tools and techniques were used to
automate routine, repetitive and operational functions which were carried out
manually. This helped to handle high volumes of transactions and minimized
clerical errors in data entry.

Phase–II

In the second phase, technology was used to redefine processes such as cash
management for collection of outstation cheques in banks, inventory management
in manufacturing organizations, and sales analysis and scheduling of
production.

The first two phases of IT evolution were targeted towards cost reduction and
productivity enhancement exercises. The second phase helped organizations to
integrate and coordinate various functions of the same nature. These efforts
helped organizations to compete on price in the marketplace.

Phase–III

This phase witnessed the development of various communication networks and
easy availability of technology at a reduced price. These developments helped
organizations to work more closely as a single entity and to re-define /
re-design business processes to enhance productivity with profitability. The
development of communication networks made the task of data storage and
retrieval easy. Some popular applications such as Just in Time (JIT),
Enterprise Resource Planning (ERP), on-line shopping and payment systems
through credit cards were implemented in this phase.

Phase–IV

This phase of IT evolution is witnessing out-of-the-box thinking by
organizations. IT tools and techniques are helping organizations to get
connected with their suppliers, distributors and customers, i.e. inter-firm
coordination and integration. With the flow of real-time information, IT gives
a big boost to real-time decision making with a higher level of accuracy. In
the Indian banking scenario, we have been witnessing linkages between Public
Sector Banks and the Regional Rural Banks. The linkages between State Bank of
India and its erstwhile subsidiaries, and between District Central Co-op Banks
and the Primary Agricultural Credit co-operatives at the village level, are the
outcome of this phase.

The last two phases of IT evolution helped organizations to focus on their core
competency and pool together their other strengths to add value to their
offerings. This leads to competition in the marketplace based on value addition
for customers.

Phase–V

Customer expectations are ever increasing. These new paradigms will throw up
challenges for organizations. Technology will ensure the automation of all
routine tasks of an organization. Intelligent human brains will be free to
focus on strategies to serve customers better, i.e. the transition of a
physical worker into a knowledge worker. The new organizational structure will
be much more fluid, which will lead towards the concept of a virtual
organization. Information can be used for making decisions about inventory,
transportation and facilities within a supply chain as well as for formulating
and implementing strategies for customer service in organizations of the global
knowledge economy. In the banking industry we have been seeing usage of
Internet banking and mobile banking, which has virtually created a bank branch
at home and/or in the hands of the customers.

1.1.7 Computer architecture

A computer is an electronic device that stores, retrieves, and processes data,
and can be programmed with instructions. A computer comprises hardware and
software, and can exist in a variety of sizes and configurations.

The term hardware refers to the physical components of a computer such as the
CPU, mouse, keyboard, monitor etc. Software is a set of instructions that makes
a computer work. Software is held on a computer hard disk, CD-ROM, DVD or
diskette (floppy disk) and is loaded (i.e. copied) from the disk into the
computer’s RAM (Random Access Memory) as and when required.

Mini and Mainframe Computers are very powerful and very expensive and are used
by large organisations such as banks to cater to entire business operations.
Personal Computers are cheap and easy to use. They are often used as
stand-alone computers or in a network.

1.1.7.1 Input devices

A keyboard and mouse are the standard input devices used to interact with a
computer. Other devices include joysticks and game pads which are primarily
used for games.

The following are the input devices:

• The Mouse: used to run GUI based programs such as Microsoft Windows
• The Keyboard: basic input device used to interact with a computer
• Tracker Balls: input device which is an alternative to the traditional mouse
  and often used by graphic designers
• Scanners: allow scanning of printed material and convert it into a text file
• Touch Pads: input device that responds to pressure
• Light Pens: allow users to point to areas on a screen
• Joysticks: basically used to play games

1.1.7.2 Output devices

These devices provide an outcome based on instructions or commands entered into
a computer through an input device. For example, a computer monitor displays a
result or an outcome on its screen based on the instructions given by a user to
the computer.

Similarly, a printer provides an output based on a set of inputs given for
printing, for example printing a text file, graphs, images etc.

Following are the commonly used output devices:

• Visual Display Unit (VDU): a computer screen used for displaying an output in
  an understandable format
• Printers: provide a printout in a text file or on paper. There are many
  different types of printers. In large organizations, laser printers are most
  commonly used as they are fast and provide high quality output.
• Plotters: output devices similar to a printer, normally used to print large
  images.
• Speakers: enhance the value of educational and presentation products.
• Speech synthesizers: have the ability not only to display a text on a monitor
  but also to read the text.

1.1.7.3 Components of a Computer

Storage Devices – These devices are used to save data and programs. The
following devices can be used to store data and programs.

Hard Disk Drives may be internal or external. They are higher capacity drives
which are also used to store the operating system, the first program loaded
into the memory of a computer, which then runs the computer.

Features of Hard Disks

Speed: Hard Disk Drives (HDD) are faster than any other storage device. The
speed of a hard disk is often quoted as average access time, measured in
milliseconds. The smaller this number, the faster the disk.

Capacity: HDDs have enormous storage capacity, often ranging from a few hundred
Gigabytes to Terabytes. A Gigabyte is equivalent to 1024 Megabytes.

Cost: Hard disk costs are falling rapidly and nowadays they are the cheapest
way of storing data.

Floppy disk drives help in storing a small file of data or program on tiny disks
which may be carried along with oneself. Pen drives and Thumb drives are other
varieties serving the same purpose of storage outside the computer.

CD-ROM Disks

Speed: These devices are slower than hard disks. The original CD-ROM
specification is given a value of 1x speed, and later, faster CD-ROMs are
quoted as a multiple of this value.

Capacity: Around 650 Mbytes and more

DVD Drives

Speed: Much faster than CD-ROM drives but not as fast as hard disks.

Capacity: Up to 17 Gigabytes.

Cost: Slightly higher than CD-ROM drives.

Memory – It is an integrated chip used to store data and programs temporarily
before they are sent to the Central Processing Unit (CPU) of a computer. Data
and programs are loaded into the memory from an internal device like a Hard
Disk or external devices like CD-ROMs, Floppy drives, Flash Drives or Tapes
etc. There are various types of memory.

RAM - Random Access Memory is the main 'working' memory used by a computer. The
Operating System (OS) is loaded from the Hard Disk when a computer is switched
on and is copied into RAM. A computer will work faster if more memory is
available to run programs and to process data. As a rough rule, a Microsoft
Windows based computer will operate faster if more RAM is installed. RAM is a
volatile memory, that is, data and programs stored in it will be lost when the
computer is switched off.

ROM – Read Only Memory

Read Only Memory (ROM), as the name suggests, is a special type of memory chip
that stores a set of instructions which can be read but not written to. A good
example is the ROM-BIOS chip, which contains read only software. Network cards
and video cards often also contain ROM chips.

Computers use the binary number system of ‘zeros’ and ‘ones’ to represent data
and programs. These ‘zeros’ and ‘ones’ are called bits. Therefore, the memory
of a computer is measured in bits of zeros and ones.

Set of bits of data is measured by the following units:

 Byte: A byte consists of eight bits.


 Kilobyte: A kilobyte (KB) consists of 1024 bytes.
 Megabyte: A megabyte (MB) consists of 1024 kilobytes.
 Gigabyte: A gigabyte (GB) consists of 1024 megabytes.
Microprocessor: It is commonly called Central Processing Unit. It is the brain
of a computer. PCs primarily use microprocessors (sometimes called as an IC
(integrated chip)). The older Intel processors belonged to 386, 486 and Pentium
family and now multi core processor computers are available in the market.

The CPU (Central Processing Unit) is the most important component within
a computer. It determines how fast a computer will run and process data and
programs. The speed of a processor ranges from a few Megahertz to a few
Gigahertz. It is the CPU that performs all the arithmetic and logical calculations
within a computer.

Operating system software: An Operating System (OS) is a special type of
program that is loaded into a memory automatically when a computer is switched
on. OS allows the use of advanced features of modern computers without having
to learn all the details of how hardware works. It is a link between hardware and
the user. It makes the computer easy to use without knowing the intricacies of
bits and bytes.

Packaged software: Packaged software is a general purpose program which
may be used once an operating system has been loaded into a computer. These
include word processors, spreadsheets, presentation software, etc.

Examples of Packaged Softwares

• Word Processors: Microsoft Word; Lotus Word Pro; WordPerfect
• Spreadsheets: Microsoft Excel; Lotus 123
• Power Point software

1.1.8 Let us sum up

Technology has transformed banking in every nook and corner of the country.
While it has enabled customers to avail banking services through multiple
delivery channels, Banks have been managing the large volumes of business with
greater efficiency and adequate controls.

1.1.9 Key words

Desktops, ATM, Mobile, Internet, CBS, TBA, ECS, RTGS, NEFT, POS, ATMs, RBI,
NIM, CASA, NPA, CRR, SLR, FIU, MIS, KYC, ERP, CRM, EPM, ICT, JIT, ERP,
CPU, VDU, HDD, CD-ROM, DVD, RAM, Bit, Byte, Megabyte, Gigabyte,
Terabyte, Gigahertz, Megahertz, OS, ROM

1.1.10 Check your progress questions

1. Which one of the following is an input device?

a. Mouse b. Monitor
c. Plotter d. Printer

2. Which one of the following units is responsible for arithmetic and logical
operations in a computer?

a. Memory b. Hard disc
c. CPU d. Keyboard

3. Which one of the following is not packaged software?

a. MS Office b. MS word
c. Core Banking Solution d. MS Excel

4. One gigabyte (GB) consists of

a. 1024 megabytes b. 1024 kilobytes
c. 512 kilobytes d. 1024 bytes

5. Which one of the following is considered as the heart of a computer?

a. Memory b. Operating system
c. Central Processing Unit d. RAM

Key to questions asked

1.a 2.c 3.c 4.a 5.c

1.1.11 Terminal questions

• Who are the stakeholders that have influenced technology in Banks?
• What are the phases through which technology has evolved over a period
  of time, particularly in Banks?

1.2 Lesson No. 2 Operating Systems, System Software & Languages

• Objectives
• Introduction to operating systems
• Objectives of operating systems
• Desktop operating systems
• Operating systems for mobile devices
• Server operating systems
• Programming Languages
• Let us sum up
• Key words
• Check your progress-questions
• Key to questions asked
• Terminal questions

1.2.1 Objective

The objectives of this lesson are to understand

• How an Operating System communicates between the user and a computer
• How a result is displayed to a user
• The different operating systems developed over a period of time
• The programming languages.

1.2.2 Introduction to Operating System

An Operating System is a link between hardware and application software in a
computer. Application software could be Microsoft Excel for using spreadsheets
or MS-Word for writing a document or Paint brush for drawing pictures.
Hardware includes memory of a computer, CPU (Central Processing Unit), input
devices such as keyboard, mouse, etc. and output devices such as monitors,
printers etc. Users working on a computer, therefore, need not know the language
that the hardware understands. An Operating System does the work of
communicating to the hardware what a user is instructing.

Modern operating systems use a Graphical User Interface, or GUI (pronounced
"gooey"). A GUI lets the user operate a mouse to click on icons, buttons,
and menus, and everything is clearly displayed on a screen using a combination
of graphics and text.

Each operating system's GUI has a different look and feel, so if one switches to a
different operating system it may seem unfamiliar at first. However, modern
operating systems are designed to be easy to use, and most of the basic features
and functions remain the same.

Before GUIs, computers had a command-line interface, which meant a user had
to type every single command into a computer, and computers could only display
text.

Once an operating system has started up, it manages all of the software and
hardware on a computer. Most of the time, there are many different programs
running at a single point, and they all need to access a computer's Central
Processing Unit (CPU), memory, and storage. An operating system coordinates
all of this to make sure that each program gets what it needs. Without an
operating system, software wouldn't even be able to talk to hardware, and a
computer would be useless.

Operating systems may come preloaded if one places an order accordingly. Most
people use the operating system that comes along with their computers, but it is
possible to either upgrade or even change operating systems.

1.2.2.1 Objectives of an Operating System

An Operating System has the following objectives:

• Convenience: A user can use a computer with a great amount of ease and
  convenience;
• Efficiency: The resources available in a system are optimally utilized.

Services provided by an Operating System:

• It helps programmers to execute a program,
    - by loading into a memory the required instructions and the data;
    - by initializing input/output devices and files;
    - by preparing other required resources;
• It provides uniform access to input and output devices which helps
  programmers to access these devices using simple writes and reads.
• It helps to detect errors such as memory error, device failure or
  malfunctioning of a device and software errors such as arithmetic
  overflow.
• It keeps track of utilization of resources and monitors performance
  parameters such as response time and input/output ratio.

1.2.2.2 Desktop Operating System

A desktop operating system is one that is intended for a stand-alone computer.
These Operating Systems usually come with a computer (desktop) that one
purchases. Hence, one would find that a Windows Operating System such as
Windows 2007 or Windows XP or Windows Vista may be shipped along with a
newly bought computer. Sometimes computers may even be shipped with
Microsoft Office (application software).

The most common operating systems used by personal computers (desktops)
are Microsoft Windows, Apple Mac OS X, and Linux etc.

Microsoft created the Windows operating system in the mid-1980s. Over the
years, there have been many different versions of Windows, but the most popular
ones are Windows 7 (released in 2009), Windows Vista (2007), and Windows
XP (2001). Windows comes preloaded on most new PCs, and that makes it the
most popular operating system in the world.

If one is buying a new computer or upgrading to a new version of Windows, one
can choose from several different editions of Windows available, including Home
Premium, Professional, and Ultimate. For most users, Home Premium offers
enough features, but many people tend to choose editions which offer more
features and functions even at higher prices.

Mac OS is a line of operating systems created by Apple Inc. It comes preloaded on
all new Macintosh computers, or Macs. All the recent versions are known as Mac
OS X (pronounced Mac O-S Ten), and their specific version names
are Lion (released in 2011), Snow Leopard (2009) and Leopard (2007). Apple
also offers a version called Mac OS X Server, which is designed to be run on
servers. According to StatCounter Global Stats, Mac OS X users account
for 6.3% of the operating systems market as of June 2011 - much lower than the
percentage of Windows users (over 90%). One reason for this is that Apple
computers tend to be more expensive. However, many people prefer the look and
feel of Mac OS X.

Linux (pronounced LINN-ux) is a family of open source operating systems, which
means that they can be modified and distributed by anyone around the world.
This is very different from proprietary software like Windows, which can only be
modified by the company that owns it (Microsoft). The advantages of Linux are
that it is free, and there are many different distributions (or versions) that you
can choose from. Each distribution has a different look and feel, and the most
popular ones include Ubuntu, Mint, and Fedora. Linux is named after Linus
Torvalds, who created the Linux kernel in 1991. The kernel is the computer code
that is the central part of an operating system. According to StatCounter Global
Stats, Linux users account for 0.77% of the operating systems market as of July
2019. However, most servers run Linux because it's relatively easy to customize.

Linux Vs Macintosh Vs Windows (comparison)

OPERATING SYSTEM: Windows

PROS
• Almost every application, driver or game will work on Windows.
• Having so many users, one can always find someone (either online or
  offline) who can help with Windows.
• When one gets to know Windows well, one can find out that there are so many
  functions that will help in performing any computing quite easily.

CONS
• One may need to buy an antivirus program, although free ones exist.
• Windows, especially Vista and 7, requires a lot of computer resources
  (memory, processor, disk space), and thus, runs slower.

OPERATING SYSTEM: Macintosh

PROS
• Apple Macs get almost no viruses. This is mostly due to Windows' superior
  market share.
• Macs run only on Apple computers, and are thus less prone to hardware and
  software crashing.
• Mac looks better than Windows.

CONS
• Mac costs more than Windows.
• This operating system cannot be installed on other machines except on a
  MAC PC.
• Only a few programs will run on Mac, and almost no games.

OPERATING SYSTEM: Linux

PROS
• Linux is not a full operating system. It is just a kernel. To use the kernel,
  additional software needs to be bundled with Linux. Several hundreds of
  these bundles (called "distributions" or simply "distros") exist. The most
  popular ones include Ubuntu, Mint and Fedora.
• Although being more vulnerable to viruses than Mac (because it is open
  source), Linux still has very few viruses.

CONS
• Although some distributed versions of Linux are quite easy to use, most of
  them require a good deal of computer knowledge to use them.
• Like Mac, representing only a small market share, Linux does not have as
  many programs and games as Windows.
• We don’t find a lot of vendors selling Linux computers. Most of the
  installations are generally on Windows computers, either as dual bootable
  or by formatting the hard disk of Windows and installing Linux.

1.2.2.3 Operating systems for mobile devices

The operating systems that we've been talking about were designed to run
on desktop or laptop computers. Mobile devices such as phones, tablet
computers, and mp3 players are very different from desktop and laptop
computers, so they run on operating systems that are designed specifically for
mobile devices. Examples of mobile operating systems include Apple
iOS, Windows Phone 7, and Google Android.

Operating Systems for mobile devices generally are not as fully-featured as those
made for desktop or laptop computers, and they are not able to run all of the
same software. However, one can still do a lot of things with them, such as
watching movies, browsing the internet, managing your calendar, playing games,
and more.

1.2.2.4 Server operating systems

These operating systems will have more features that make them suitable in a
server environment, such as

• GUI features may be available or may be available as an option,
• Ability to reconfigure and update both hardware and software to some
  extent without restarting a system,
• Advanced backup facilities are available for regular online backups of
  critical data,
• Transparent data transfer between different volumes or devices,
• Flexible and advanced networking capabilities,
• Automation capabilities such as daemons in UNIX and services in
  Windows, and
• Tight system security, with advanced users, protection of various
  resources, data, and memory is available.

Server Operating Systems interact with hardware sensors to detect conditions
such as overheating of a processor and disk failure, and consequently alert an
operator to take remedial measures immediately.

Because a server OS provides various services to users while a desktop computer
carries out a wide range of functions required by its user, the requirements of a
server operating system are different from those of a desktop machine. While it is
possible for an operating system to provide services and respond quickly to the
requirements of a user, it is usual to use different operating systems on servers
and on desktop machines. Some operating systems are supplied in both server
and desktop versions with a similar user interface.

Windows and Mac OS X server operating systems are used by fewer systems.
The dominant operating system among server OS is a UNIX-based one
or open source kernel distributions, such as Linux (the kernel).

The progress of a microprocessor-based server was facilitated by the
development of Unix to be run on the x86 microprocessor architecture. The
Microsoft Windows NT based server Operating Systems can run on x86 family of
hardware.

While the role of server and desktop operating systems remains distinct,
improvements in the reliability of both hardware and operating systems have
blurred the difference between the two flavours. Today, many desktop and server
operating systems share similar code bases, differing mostly in configuration. The
shift towards web applications and middleware platforms has also lessened the
demand for special application servers.

1.2.3 Languages

Different programming languages are in use. These are the computer languages
through which instructions or sets of instructions are provided by users to
computers. An operating system converts these instructions into machine
language and gets them executed by a computer. Programming languages have
evolved over a period of time. Initially, programming languages were FORTRAN
(Formula translation), COBOL (Common Business Oriented Language), BASIC
(Beginner's All-purpose Symbolic Instruction Code). The languages have
evolved along with the evolution of hardware technology. Initially, the
languages were required to communicate a machine language to a computer.
With advancement in hardware, switching devices, microprocessor chips and
ULSI (Ultra Large Scale Integrated Chips), it is possible to have programming
languages similar to natural languages such as English. The languages that are
mostly used in present day programming such as Visual Basic, .net, Java, C++ are
called object oriented languages.

1.2.4 Let us sum up

An Operating System is the mediator between a user and a computer. Different
operating systems have evolved for use not only in desktops and servers but also
in mobile devices. Programming languages too have undergone a major change.

1.2.5 Key Words

MS-Word, CPU, GUI, Windows 7, Linux, Macintosh, UNIX, Languages,
FORTRAN, COBOL, BASIC, C++, Java

1.2.6 Check your progress-questions

1. Which one of the following is not an operating system?

a. Windows b. MAC
c. LINUX d. FORTRAN

2. Which one of the following languages is an object oriented language?

a. COBOL b. C++
c. BASIC d. FORTRAN

3. Which one of the following is not an operating system used for mobile
devices?

a. Apple iOS b. Windows Phone 7
c. Google Android d. Linux

4. Operating system is meant for:

a. It helps programmers to execute a program
b. It provides uniform access to input and output devices
c. It helps to detect errors
d. All of the above

5. Which one of the operating systems has the least virus attacks?

a. Windows b. MAC
c. LINUX d. Linux

Key to questions asked

1.d 2.b 3.d 4.d 5.b

1.2.7 Terminal questions

• What are the objectives of an operating system?
• Which are the programming languages that are used nowadays?
• Which language is widely used and why?

1.3 Lesson No. 3 Servers & Browsers

• Objectives
• Introduction to Servers
• Web Browser and Web Server
• Let us sum up
• Key words
• Check your progress-questions
• Key to Check your progress
• Terminal questions

1.3.1 Objective

The objective of this lesson is to understand the importance of application servers
and their usage.

1.3.2 Introduction to application servers

An application server is a program that handles business logic and interacts with
a back-end database of an organization. An application server basically serves the
requests made by front-end users and handles all the business rules of a
particular application. For example, a Core Banking Solution provided by a vendor
runs on an application server. Users from branches interact with the application
server through a URL if it is a web based application and through the branch
server if it is a client-server application. In a core banking application, based on
the requests received from users, a database will be altered or updated at the
backend. That is, if a user from a branch enters a customer record, the business
criteria will be checked by the application server and the actual update will be
done at the back-end database.

Thus, an application server is typically used for complex and heavy transaction-
based applications. To support high-end needs, an application server has to have
built-in redundancy, should be able to monitor for high-availability, should
support high-performance distributed applications and should support complex
database access. Application servers use software that helps enterprises to
develop, deploy and manage large numbers of distributed applications which may
be accessed concurrently by many users.

From a developer's point of view, the central difference that an application server
brings about is the separation of business logic from the presentation logic and
the database logic. Essentially, application servers help in building a true 3-tier
architecture where a database is logically separated (sometimes physically
separated too) from the business logic. An application server should handle the
following issues:

• Concurrency: Should be able to provide access to all possible production
  databases
• Network connection management:
• Database connection pooling
• Legacy database support
• Provide a management console
• Should support clustering
• Should handle load balancing
• Should provide failover functionality
• Should support in extending a development frame of an organization and
  provide better performance.

An application server can simplify the development process of business logic.
Application servers usually take care of most, if not all, of the technical
issues involved and allow developers to concentrate on a project wherein the
actual business needs can be captured without any gaps. Once business
requirements are properly captured it will be easy to allocate an appropriate
budget for development of the best possible application system.
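
The customer-record flow described above (the branch user submits a record, the application server checks the business criteria, and only then is the back-end database updated) is sketched below. This is an added example, not code from the course or from any Core Banking Solution; the branch codes, the minimum balance, the table layout and all function names are assumptions made for illustration.

```python
import sqlite3
from dataclasses import dataclass

# Hypothetical business rules for this sketch; a real CBS defines its own.
MIN_OPENING_BALANCE = 500
VALID_BRANCHES = {"LKO001", "KNP002"}


class BusinessRuleError(Exception):
    """Raised by the application tier before anything reaches the database."""


@dataclass
class CustomerRequest:
    """What the presentation tier (a branch user's screen) submits."""
    branch_code: str
    name: str
    opening_balance: int


def open_database():
    """Database tier: an in-memory SQLite database stands in for the central DB."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, branch_code TEXT NOT NULL, "
        "name TEXT NOT NULL, balance INTEGER NOT NULL)"
    )
    return db


def validate(req):
    """Application tier: return the list of business rules the request violates."""
    problems = []
    if req.branch_code not in VALID_BRANCHES:
        problems.append("unknown branch")
    name = req.name.strip()
    if not name or len(name) > 100:
        problems.append("name must be 1-100 characters")
    if not isinstance(req.opening_balance, int) or req.opening_balance < MIN_OPENING_BALANCE:
        problems.append("opening balance below minimum")
    return problems


def create_customer(db, req):
    """Check the rules first; update the back-end database only if all pass."""
    problems = validate(req)
    if problems:
        raise BusinessRuleError("; ".join(problems))
    # Placeholders (?) keep user-supplied text as data, never as SQL.
    with db:  # commits on success, rolls back if the statement fails
        cur = db.execute(
            "INSERT INTO customers (branch_code, name, balance) VALUES (?, ?, ?)",
            (req.branch_code, req.name.strip(), req.opening_balance),
        )
    return cur.lastrowid


def count_customers(db):
    return db.execute("SELECT COUNT(*) FROM customers").fetchone()[0]


if __name__ == "__main__":
    db = open_database()
    print(create_customer(db, CustomerRequest("LKO001", "Asha Verma", 1000)))
    try:
        create_customer(db, CustomerRequest("XXX999", "", 10))
    except BusinessRuleError as err:
        print("rejected:", err)
    print("rows stored:", count_customers(db))
```

Because the rules live in one tier, every channel that reaches the database through it (branch screen, web, mobile) is held to the same checks.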

1.3.3 Web browser and web server

The lesson on Computer Networks covers more about the connectivity of
computers between a Local Area Network (LAN) and a Wide Area Network
(WAN). Web browsers and Web servers are the outcome of the connectivity of
computers spread across the globe. This superhighway network or connectivity
is called the World Wide Web (WWW).

The WWW connectivity has enabled us to view the documents, images, flash files
located on servers which are thousands of miles away. WWW follows the client
server model. Web browser is a client which originates the requests and web
server is the one which serves such requests.

A Web browser is software which is installed along with an operating system on a
personal computer. The Windows operating system has Internet Explorer as a
browser and in the case of the Macintosh operating system, Safari is the browser
software. Other browsers are Netscape, Mozilla and Google Chrome which can be
downloaded from the Internet. A Web browser is considered a client, which
sends requests made by a user to a Web server.

Web servers often come as part of a larger package of Internet- and intranet-
related programs. These servers are used for e-mails, for downloading files and
programs using FTP (File Transfer Protocol), building and publishing web pages.

A Web server should be selected based on the following:

• It should be flexible to work with the operating system and other servers.
• It should have the ability to handle server-side programming.
• It should be able to publish web pages of a portal.
• It should have search engine capability and should include site building
  tools which may come along with it.

Simply put, a Web server is a platform on which all files and documents may be
stored in a particular format as per the set protocols. The standard protocol used
by a web server is Hyper Text Transfer Protocol (HTTP). A web server handles
HTTP requests and generates HTTP responses. HTTP indicates the type of server
the World Wide Web recognizes for handling the requests from users surfing the
Internet. There are other types of servers accessed by WWW such as FTP (File
Transfer Protocol) servers, Mail servers, News servers etc.

The Internet addresses are represented in a special format called Uniform
Resource Locator or URL. Generally a URL will be in the following format:

Type (protocol name)://name or IP address/path

Type specifies the kind of server in which a file is located; name indicates the
label of a server or its internet address; path indicates the location of an index
file located on the server.

The following examples will simplify the above explanation.

http://www.yahoo.com/news: http indicates the type of protocol supported by
the yahoo.com web server and shows news page.

http://www.google.co.in/gmail: This shows the URL of Google search engine and
points to mail directory

Since WWW recognizes the servers with protocol http, whenever a user wants to
search a site he/she can simply type for example: www.google.co.in and it would
open the main page of Google search engine.

Conceptually, a web server is a simple program. Whenever it receives a request
for a page, it just opens a particular file on a server's hard disk and sends data to
the user. In addition to actual data, it also sends some metadata (i.e. descriptions
about data). For example, if it is sending an image to a user it also sends a
description of it such as "this is a GIF image. This file was created on last
Sunday and will be valid until next Sunday etc."

When a web browser opens a page, it will just ask for an html page. Once a page
is received, it will scan the html tags of hyperlinks, images, flash movies, etc. If
these items are required, the browser will call the server again. All these
requests are independent. A web server does not know that it is the same visitor
requesting images who had asked for an html page first. If there are many
visitors to a site, it is more likely that successive requests may come from
different users.

The important point to keep in mind about a web server is that no details of
visitors will be remembered by it. Everything is done either by a server script, or
by a browser or by both together.

A Web Server name will end with different words like .com in case of a commercial
domain, .org if it is a non-profit organization, .edu if it represents an educational
institution, school or university and .gov if it is a branch of a government. In
addition to these suffixes, there would be suffixes like .in, .uk, .au, .nz etc., which
represent the country to which they belong. The naming scheme by which
servers are identified is also known as the domain name system.

In a nutshell, the functions of a web browser are as under:

• Get a page from a Web Server.
• Post information to a Web Server, accepting whatever page a web server
  sends in reply.
• Display an html page.

On the other side a Web Server responds to the requests of a browser as given
below:

• Respond to a GET command by loading a file from a disk, parsing it, and
  sending it to a browser.
• Respond to a POST command by doing “something”, load a file from a
  disk, parse it, and send it to a browser.
• Respond to a GET or a POST command by generating a page dynamically,
  and returning it to a browser
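
The GET and POST handling listed above, together with the earlier points about URL parts, response metadata and the server remembering nothing between requests, can be seen in a small request handler. This is an added example, not code from the course or from any web server product; the in-memory "disk", the one-week validity period and all function names are assumptions made for illustration.

```python
from email.utils import formatdate
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory "disk" for this sketch: path -> (content type, bytes).
DOCROOT = {
    "/index.html": ("text/html", b'<html><img src="/logo.gif"></html>'),
    "/logo.gif": ("image/gif", b"GIF89a"),
}
ONE_WEEK = 7 * 24 * 3600  # assumed validity period for the Expires header


def split_url(url):
    """Split a URL into the three parts the lesson names: type, name, path."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.path or "/"


def build_response(status, content_type, body, now):
    """Place the metadata (headers) in front of the actual data (body)."""
    headers = [
        f"HTTP/1.1 {status}",
        f"Content-Type: {content_type}",
        f"Content-Length: {len(body)}",
        f"Date: {formatdate(now, usegmt=True)}",
    ]
    if status == "200 OK":
        headers.append(f"Expires: {formatdate(now + ONE_WEEK, usegmt=True)}")
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + body


def handle_request(raw, now=0.0):
    """Answer one request using only the bytes of that request.

    Nothing about the visitor is stored, so the request for /logo.gif that
    follows a request for /index.html looks like it came from a stranger.
    """
    head, _, payload = raw.partition(b"\r\n\r\n")
    try:
        request_line = head.split(b"\r\n", 1)[0].decode("ascii")
        method, target, _version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return build_response("400 Bad Request", "text/plain", b"bad request", now)
    if method not in ("GET", "POST"):
        return build_response("405 Method Not Allowed", "text/plain", b"not allowed", now)
    entry = DOCROOT.get(urlsplit(target).path)
    if entry is None:
        return build_response("404 Not Found", "text/plain", b"not found", now)
    if method == "POST":
        # "Doing something" with the posted data, then generating a page.
        # The reply reports a count only; posted text is never echoed back.
        fields = parse_qs(payload.decode("ascii", errors="replace"))
        page = f"<html><p>Received {len(fields)} field(s).</p></html>".encode("ascii")
        return build_response("200 OK", "text/html", page, now)
    content_type, body = entry
    return build_response("200 OK", content_type, body, now)


def parse_response(raw):
    """Browser side: separate the status line, the metadata and the data."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    status = lines[0].split(" ", 1)[1]
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return status, headers, body


if __name__ == "__main__":
    print(split_url("http://www.yahoo.com/news"))
    for target in ("/index.html", "/logo.gif", "/missing"):
        raw = f"GET {target} HTTP/1.1\r\nHost: example.test\r\n\r\n".encode("ascii")
        print(target, parse_response(handle_request(raw))[:2])
```

Since the handler keeps no memory of earlier requests, anything that must persist across them, such as a logged-in banking session, has to be carried by the browser and checked by a server script on every request.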

1.3.4 Let us sum up

Apart from other servers such as OS servers and Database servers, application
servers are critical in a 3-Tier Architecture such as Core Banking Solutions
(CBS). Application servers handle the entire business logic and process flow of
various business applications. These servers reside between web servers and
database servers of web enabled applications. Whenever a user requests a
particular service the request will be passed on to a web server and in turn to an
application server. The application server checks the validity of business criteria
and the request will be further forwarded to a database server which will retrieve
data and display it to a user or update/modify data in a database system. Thus,
application servers play a vital role between a user and a central database. Web
servers are basically used to cater to the requests made by users for a particular
service. Generally, the requests for a web server come from a browser for display
of a particular html page. HTML pages are displayed using the Hyper Text Transfer
Protocol. World Wide Web recognizes various services on the web such as display
of html pages, E-Mails, File Transfers, News Services, Chats, etc., to name a few.

1.3.5 Key Words

URL, WWW, HTTP, Application Server, Browser, domain

1.3.6 Check your progress- questions

1. Which one of the following is not a web browser?

a. LINUX b. Netscape
c. Internet explorer d. Mozilla

2. Which one of the following protocols is used for file transfer?

a. FTP b. SSL
c. TCP/IP d. SST

3. FTP means ---------------

4. WWW means ----------

5. HTTP means ----------

Key to check your progress asked

1.a 2.a 3. File Transfer Protocol
4. World Wide Web 5. Hyper Text Transfer Protocol

1.3.7 Terminal questions

• What are the activities performed by an application server?
• What are the protocols that are used by a web server?
• What are the functions of a web server?

1.4 Lesson No. 4 Application Software

1.4.1 Objectives
1.4.2 Application Software
1.4.3 Packaged Software
1.4.4 Customized Software
1.4.5 Word Processor
1.4.5.1 Features of a Word Processor
1.4.6 Spread Sheet
1.4.7 Let us sum up
1.4.8 Key words
1.4.9 Check your progress-questions
1.4.10 Key to questions asked
1.4.11 Terminal questions

1.4.1 Objectives

The objectives of this lesson are to understand

• The different types of application software used by organisations/banks
• The merits and demerits of the packaged software and the custom built
  software
• Various types of packaged software.

1.4.2 Application software

Application software is a program or group of programs developed for usage of
end users. Application software is used for various purposes. Application
software may simply be referred to as an application that is developed to cater to
a particular requirement of an organisation. Generally, it is used to achieve any
one or more of the following objectives:

• To automate the manual processes;
• To avoid duplication of work and to maintain integrity of information;
• To store and archive information in an electronic form for retrieval as per
  needs of users;
• To enable the users/organizations in decision making;
• To assist in batch processes with greater efficiency and accuracy; for
  example, interest calculations in Banks or distribution of dividend to
  shareholders are done in batch processes.
• To facilitate collaborative working not only from the local office, but also
  from offices spread over wide geographies and
• To manage rising business with minimum of costs, using technology in all
  possible areas.

The different types of application software are:

• Application Suite: This contains multiple applications bundled together,
  with related functions, features and user interfaces. Microsoft office, Lotus
  notes, Star Office are the best examples.
• Enterprise Software: These softwares are used to handle diverse data,
  information and processes emanating from different functions ranging
  from production to distribution/marketing to accounting to Human
  Resources Management performed at different locations of
  organizations. SAP, PeopleSoft, Oracle Financial used in manufacturing
  organizations and Core Banking Solutions used by Banks fall in this
  category.
• Educational Software: Helps in providing online teaching to students and
  for providing online training to the employees in organizations to enrich
  the job role.
• Media Development Software: Addresses individual needs to generate and
  print electronic magazines.

1.4.3 Packaged software

An application program developed for general purpose usage is called
packaged software. Packaged software is designed to address very generic needs
of the public. These programs may be tailored to meet the user's requirements by
setting various features provided in them. However, it may be difficult to build
customized software using these softwares due to lack of source code.

Packaged softwares have the following advantages:

• They are available off the shelf;
• They are also available bundled with hardware purchased. For example, in
  case of laptops or desktops, an office suite for home use is provided;
• Since these products are thoroughly tested before release, the chances of
  bugs or errors are minimised. In addition, bugs if found are addressed by
  providing online patches to handle them;
• The cost of these softwares is less compared to custom-built application
  softwares.
• Packaged software mostly comes with standard menus and icons which
  help it to be used easily.
• Since these are general purpose packages, users can use them to suit their
  requirements;

There are disadvantages with packaged softwares too:

As the packaged software is meant for general purposes, its utility depends on
the requirements and creativity of the users.

For example: Despite the comprehensive functionality available in Microsoft
office products, their average utilization is less than 10%.

1.4.4 Customized software

Software which is developed based on the specific requirements of users is
called customized software. Software developed for usage by doctors, the
payroll package used by a building contractor, and tools used in school/college
administration are examples of this kind of software. Customized softwares
may be developed by anyone having knowledge of computer programming
languages such as Visual Basic, C++, Java etc. These softwares can be as simple as
the softwares used to maintain an electronic telephone directory or payroll
packages and as complex as ERP packages and core banking solutions used by
large organizations and banks respectively.

Customized softwares have the following advantages:

• These softwares are developed to meet the requirements of the users. In
  fact the design of a software is done based on the requirements gathered
  by developers/business analysts after interacting with users/stakeholders
  of an organization.
• The development time of an application software solely depends on the
  complexity of business rules and scope of the system to be designed and
  developed. If the requirements are small the time taken is less and hence
  the application may be put in use as early as possible;
• Customized software can be regularly updated since the vendor developing
  the software will be in touch with the user most of the time.

However, customized software has the following disadvantages:

• The cost of customized software may be high in case of small scale users
  who wish to have major features and functions. The small users may not
  be able to afford them.
• The chances of bugs and errors may be high as these softwares are
  delivered in a strict time bound manner.
• The prospects of upgrading the customized software depend on the
  requirements of users as well as on the financials of a vendor developer. If
  a vendor developer has stopped supporting a product or closes down its
  operations, the maintenance of such a product by a new vendor is difficult
  and at times is impossible.

1.4.5 Word Processor

Sometimes abbreviated as WP, a word processor is a software program that is
capable of creating, storing, and printing text-based documents. Unlike with a
standard typewriter, users of word processors can create a document and make
changes anywhere in it. Documents can also be saved for modification at a later
time or can be opened on any other computer using the same word processor.

A word processor should not be confused with a text editor such as Microsoft
Notepad which consists of only a few editing and text creating features.

Examples of commercial word processors

• Apple iWork - Pages
• Corel WordPerfect
• Microsoft Office -> Microsoft Word
• Microsoft Works
• Sun Star Office
1.4.5.1 Features of a Word Processor

Word processing typically involves text manipulation functions which may
extend to editing of text and automatically formatting the same. Beyond these
basic functions, a word processor helps in the following:

• Mail merging: a common letter can be sent to multiple recipients using a
readily available address database.
• Indices of keywords and their page numbers can be set.
• Tables of contents, their titles and page numbers can be formatted.
• Cross-referencing with section or page numbers can be done.
• Footnotes can be numbered.
• In new versions of word processors, variables, formulas and macros can be
used to automate certain functions.

Cut, Copy, Move & Paste functions

These features are useful for editing a text document. A user can cut any part of a
text document and move it to another area in the same document or move it to a
new document. It is possible to copy part of a text or the whole text and paste it in
any other area of a document.

Format

The format function enables a user to set a font of a text, its size, look and feel by
making it bold or underlining it or converting it into italics.

Although early word processors used tag-based markup for document formatting,
most modern word processors take advantage of a graphical user interface
providing some form of what-you-see-is-what-you-get (WYSIWYG) editing. Modern
word processors are powerful programs that can produce any arbitrary
combination of images, graphics and text. They also offer type-setting
capability.

Almost all word processors enable users to employ styles, which are used to
automate formatting of text body, titles, subtitles, highlighted text, and so on.

Spelling and Thesaurus functions

Other word processing functions include spell check (actually checks against
wordlists), "grammar checking" (checks for what seem to be simple grammar
errors), and a "thesaurus" function (finds words with similar or opposite
meanings).

Save, Print and Mail functions

These features are useful for saving, printing a document and mailing it to any
person.

Most current word processors can calculate various statistics pertaining to a
document. These usually include:

• Character count, word count, sentence count, line count, paragraph count,
page count etc.
• Length of a word, sentence and paragraph.
• Editing time of a document.

Microsoft Word is the most widely used word processing software. Microsoft
estimates that over 500,000,000 people use the Office suite, which includes
MS-Word. Word processors have a variety of usages and applications in the
business world, home, and education. In organizations, word processors are
extremely useful tools.

The typical uses of word processors in organizations include:

• Entering into agreements
• Writing/sending personal letters from top executives
• Generating routine letters related to business
• Memos
• Printing reference documents

Businesses tend to have their own format and style for any of the above. Thus,
versatile word processors with layout editing and similar capabilities find
widespread use in most businesses.

1.4.6 Spreadsheets

A spreadsheet is an interactive computer application program used in an
organization for analysing information and organizing it in tabular form.
Though a user can tabulate information in the form of words, spreadsheets are
mostly useful for capturing numbers where calculations are involved. The
program operates on the data entered into the cells of an array, organized in
rows and columns. Each cell of the array can contain either numeric or text
data. A cell may also contain a formula whose result is automatically
calculated and displayed based on the contents of other cells.

A spreadsheet has features and functions similar to those found in a word
processor. Some of the important features of a spreadsheet are as under:

Cut, Copy, Paste and Move functions.

In spreadsheet, user can cut, copy and move even the value stored in one cell or
in multiple cells.

Formatting, Save, Print and Mail

All the features available for formatting, saving, printing, mailing in a word
processor are provided in spreadsheets software as well.

A set of spreadsheets is stored as a workbook. In addition to the above
features, it is possible to use the built-in functions. The functions are of
various types, such as financial, mathematical, scientific, and statistical.
Depending on the requirements, users can use these functions. The most commonly
used functions in a spreadsheet are sum, average and count. Users can calculate
EMI (equated monthly installment) using the EMI function, yield on investment,
IRR (internal rate of return), duration etc.

A user of a spreadsheet can make changes in any stored value and observe the
effects on calculated values. This makes a spreadsheet useful for "what-if"
analysis since many cases of calculation can be rapidly investigated without
tedious manual recalculation. Modern spreadsheet software has multiple
interacting sheets, and can display data either as text and numerals, or in a
graphical form.

In addition to the fundamental operations of arithmetic and mathematical
functions, modern spreadsheets provide built-in functions for common financial
and statistical operations. Calculations such as net present value or standard
deviation can be applied to tabular data with a pre-programmed function in a
formula. Spreadsheet programs also provide conditional expressions, functions
to convert between text and numbers, and functions that operate on strings of
text. Spreadsheets have now replaced paper-based systems throughout the
business world. Although they were first developed for accounting or
book-keeping tasks, they are now used extensively in any context where tabular
lists are built, sorted, and shared.

Lotus 1-2-3 was the leading spreadsheet when DOS was the dominant operating
system. Excel now has the largest market share on the Windows and Macintosh
platforms. A spreadsheet program is a standard tool of an office productivity
suite; since the advent of web applications, office suites now also exist in web
applications form. A modern spreadsheet file consists of
multiple worksheets (usually called by the shorter name sheets) that make up
one workbook. A cell on one sheet is capable of referencing cells on other
different sheets, whether within the same workbook or even, in some cases, in
different workbooks. However, there are almost no users of Lotus 1-2-3 now.

Spreadsheets share many principles and traits of databases, but spreadsheets and
databases are not the same. A spreadsheet is essentially just one table, whereas a
database is a collection of many tables with a relation. Spreadsheets are
often imported into databases to create tables of a database. It is true that a
workbook that contains more than one sheet is indeed a file containing multiple
tables that can interact with each other, but it lacks the relational structure of a
database.

A spreadsheet program is one of the main components of an office productivity
suite, which usually also contains a word processor, a presentation program,
and a database management system. Programs within a suite use similar commands
for similar functions. Sharing data between the components is usually easier
than with a non-integrated set of programs. This was particularly an advantage
at a time when many personal computer systems used text-mode displays and
commands instead of a graphical user interface.

1.4.7 Let us sum up

Application software helps users to automate manual operations and minimize
the duplication of work. Application software can be packaged software or
customized software. A core banking solution is customized software, and the
MS-Office suite consisting of Word, Excel and PowerPoint is packaged software.

1.4.8 Keywords

Application Software, Packaged Software, Word Processors, Spread Sheets, Cut,
Copy, Paste, Save, Print, Mail, Mail Merge, Move, Format.

1.4.9 Check your progress - questions

1. Spreadsheets are used for –

a. Presentations
b. Creating a word document
c. Drawing a picture
d. For automated calculations

2. In a Word document, which one of the following functions can be used to
reproduce the content and place it in another area?

a. Copy, cut, paste
b. Format font size and colour
c. Spell check
d. Use built-in functions such as sum, average

3. Core Banking solution is not a packaged software. True or False

4. Customized software is error free software or has less errors as compared
to packaged software. True or False

5. Word processor is not useful for preparing business proposals, drafting
minutes and writing letters to customers and is useful for calculations
only. True or False

Key to questions asked

1. d    2. a    3. True    4. True    5. False

1.4.10 Terminal questions

• Which application software is used in offices?
• Why is packaged software widely used?

1.5 Lesson No. 5: Computer Networks

1.5.1 Objectives
1.5.2 Introduction
1.5.3 Networking Objectives
1.5.4 Types of Networks
1.5.5 Internet
1.5.5.1 Intranet
1.5.6 Networking Equipment
1.5.7 Let us sum up
1.5.8 Key words
1.5.9 Check your progress
Key to questions asked
1.5.10 Terminal questions

1.5.1 Objectives

The objectives of this lesson are to understand

• How networking has enabled collaborative working
• Different types of networks and
• Various components required for a computer network.

1.5.2 Introduction

Personal computers are stand-alone computers that are used by a single user at
a time. Stand-alone computers are also called nodes. Networking has made it
possible to connect one computer with another, not only within a local area but
across geographic boundaries. Networking has enabled sharing of resources. One
can share peripherals such as hard disks, printers, file servers etc. One can
also share the data available at the back-end of applications such as Core
Banking Solutions, ERP packages etc., used in commercial organizations.

1.5.3 Networking objectives

Networking helps in achieving the following objectives:

Resource Sharing: Data, computer files and peripherals can be shared using
computer networks. In a networking environment, each computer does not need a
separate printer connected to it. A common printer may be sufficient to cater
to the printing requests of all the nodes connected in a network, and it can be
shared by all users of a department. Similarly, data and commonly used computer
files can be stored on a server which can be accessed by all the computers of a
department or by the whole office of an organization.

Reliability: Computer networks serve as a backup and help in building
redundancy. Even if data or a file is lost from one machine due to a system
breakdown or hard disc crash, the same data or file can be accessed from a
shared server where it is stored.

Cost Factor: Personal computers are cheaper in terms of cost and they can be
used with hard disc or as thin clients in a computer network instead of micro or
mini computers which are more costly.

To expedite communication: Without any geographical barrier, it is possible
to send instantaneous communications using computer networks. For example,
e-mails or messages can be sent instantaneously to all those connected in a
computer network.

Protocols: For networking computers with one another, certain rules are to be
followed. The set of rules that govern networking locally or over a wide area are
called the Protocols. The TCP/IP is the most popularly used protocol in computer
networks today.

Transmission Control Protocol or TCP helps in dividing a file/message to be
transmitted into packets from a source computer (the computer from which the
message/file is to be transferred) to a destination computer. It is also used
for reassembling the received packets at the destination or recipient computer.

Internet Protocol (IP): This protocol helps to handle the address of the
destination computer so that the message or packets created using TCP protocol
are sent to a proper destination.
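The division of labour described above can be simulated in a few lines. This is an added example, not part of the course material: the `Packet` fields, the 16-byte payload size and the addresses are constructed for illustration, and the real protocols carry many more header fields.

```python
import random
from dataclasses import dataclass

MSS = 16  # constructed: tiny payload size so the sample message needs several packets


@dataclass(frozen=True)
class Packet:
    src: str        # IP role: address of the source computer
    dst: str        # IP role: address of the destination computer
    seq: int        # TCP role: byte offset of this payload within the message
    total: int      # simplification: full message length (real TCP ends a stream with FIN)
    payload: bytes


def segment(message, src, dst, mss=MSS):
    """Source side: divide the message into addressed, numbered packets."""
    return [Packet(src, dst, off, len(message), message[off:off + mss])
            for off in range(0, len(message), mss)]


def deliver(packets, my_address):
    """Destination side, IP role: accept only packets addressed to this host."""
    return [p for p in packets if p.dst == my_address]


def reassemble(packets):
    """Destination side, TCP role: drop duplicates, restore order, detect loss."""
    if not packets:
        raise ValueError("no packets received")
    buf = bytearray()
    for p in sorted(set(packets), key=lambda p: p.seq):
        if p.seq != len(buf):
            raise ValueError(f"packet missing at byte offset {len(buf)}")
        buf += p.payload
    if len(buf) != packets[0].total:
        raise ValueError(f"message truncated at byte offset {len(buf)}")
    return bytes(buf)


# Constructed sample: private-range placeholder addresses, not real hosts.
BRANCH, DATA_CENTRE, OTHER = "10.1.4.20", "10.0.0.5", "10.2.9.9"
MESSAGE = b"Balance enquiry for account 0012345 (constructed sample message)"


def demo():
    wire = segment(MESSAGE, BRANCH, DATA_CENTRE)
    wire += segment(b"unrelated traffic", BRANCH, OTHER)  # meant for another host
    wire.append(wire[1])                                  # a retransmitted duplicate
    random.Random(7).shuffle(wire)                        # arrival order is not guaranteed
    return reassemble(deliver(wire, DATA_CENTRE))


if __name__ == "__main__":
    print(demo())
```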

1.5.4 Types of networks

Stand-alone computers or nodes that are connected to each other using the
TCP/IP protocol are referred to as a computer network. Computer networks can
exist in a small office and can extend across geographic boundaries, and hence
they vary in size, complexity and spread. The following are the different types
of networks that are used as per the needs of organizations.

• Local Area Network (LAN)
• Wide Area Network (WAN)
• Virtual Local Area Network (VLAN)
• Metropolitan Area Network (MAN)
• Personal Area Network (PAN)

Local Area Network (LAN)

A LAN is a small-scale network which is confined to a localized area such as
an office, shop, building or branch office of a bank. Since the spread of this
kind of network is confined to a small area or a floor of a building, it is
called a Local Area Network (LAN).

In a branch office of a bank, you would find a dedicated server, also known as
a file server, that is used to share data, commonly used files and peripherals
such as printers etc. If the automation is in TBA (total branch automation)
mode and not using core banking, then the branch server will have the database
of the branch customers. The server will also have software such as Microsoft
Office or any other software which can be shared by the branch users. Nowadays,
banks have been using thin clients, and hence such software is placed on a
shared server and used in common.

Even with all the advances in technology, Local Area Networks (LANs) are still of
vital importance in this changing business world. Nearly all installed computer
systems in every factory, office or organization are connected to a LAN.

Characteristics of LAN

• These are networks spread over a small area, e.g. a single building or a
cluster of buildings.
• It consists of one transmission medium used for all operations within a
network.
• The speed of a LAN ranges from 10 Mbit to one Gigabit.
• It is a peer-to-peer network, that is, any device within the network can
exchange data with any other device.
• It is owned by a single organization, which is responsible for its operation.

In most organizations today, the topology (the pattern of connectivity of
computers) used to connect the computers is the star topology. There are other
types of topologies such as bus topology, ring topology, mesh topology, tree
topology etc.

Wide Area Network (WAN)

Computer networks spread across cities, towns, states or countries are called
Wide Area Networks (WANs). A WAN is a data communications network that serves
users across broad geographic boundaries and often uses transmission facilities
provided by common carriers such as telephone companies. In banks, branches are
connected to the Data Centres where the Core Banking solution is hosted.
Connecting all branches of a bank to its Head Office is done using WAN
connectivity. Branches are generally connected through leased lines provided by
telecom companies. A WAN can also be connected through ISDN, satellite or
wireless wherever applicable. The largest WAN is the Internet.

WAN Devices

Common WAN network components include WAN switches, access servers, modems,
CSU/DSUs, and ISDN terminals.

WAN switches can share bandwidth as per allocated service priorities and are
used in the design and management of a network. A modem is a device that
interprets digital and analog signals, enabling data to be transmitted over
voice-grade telephone lines. At the source, digital signals are converted to
analog, and at the destination these analog signals are converted back to their
digital form. An access server is a concentration point for dial-in and
dial-out connections.

Difference between LAN and WAN

| LAN | WAN |
|---|---|
| LANs are used within a radius of less than one kilometer | They span geographies such as cities, states or countries |
| Speed of data transmission is over 10 Mbps to a few gigabits | Data rate is between 128 Kbps and a few megabits |
| Mostly confined to a single building of an organization | Owned by a single organization like a bank where branches are connected, or by multiple organizations |
| Very low error rates | High error rates in relation to LAN |

Virtual LAN

A "VLAN" is a logical subgroup within a local area network that is created
using software rather than by the physical connectivity of cables. It combines
user workstations and network devices into a single unit regardless of the
physical LAN segment they are attached to, and allows traffic to flow more
efficiently within populations of mutual interest.

In a bank's Data Centre, one would find different work groups such as:

• Testing team, say for Virtual LAN A;
• System Maintenance & Network team, say for Virtual LAN B;
• Help Desk team, say for Virtual LAN C.

Each of these groups may belong to a particular LAN. The software identifies
the group and enables traffic within each group irrespective of where its
members are located in an office.

Metropolitan Area Network (MAN)

This network is spread over a city. A cable TV network is the best example of
a MAN.

Personal Area Network (PAN)

At home, where individual devices such as a printer, tablet, mobile phone and
personal computer are interconnected with one another, such connectivity is
called a Personal Area Network. This kind of connectivity is usually wireless,
using a technology called Wi-Fi. This facilitates transfer of pictures and data
from a mobile phone to a computer or a tablet.

1.5.5 Internet

The Internet was conceived by the Advanced Research Projects Agency (ARPA) of
the U.S. government in 1969 and was first known as the ARPANET. The original
aim was to create a network that would allow users of a computer research team
at one university to "talk to" computer research teams of other universities. A
benefit of ARPANET's design was that, because messages could be routed or
rerouted in more than one direction, the network could continue to function
even if parts of it were destroyed in the event of a military attack or other
disaster.

The Internet, also called the Net, is a world wide web (WWW) of computer
networks - a network of networks in which users at any one computer can, if
they have permission, get information from any other computer (and sometimes
talk directly to users at other computers). The communication amongst these
networks is achieved through the use of TCP/IP protocols, which are a standard
followed for communication worldwide.

Today, the Internet is a public, cooperative, and self-sustaining facility
accessible to hundreds of millions of people worldwide. Physically, the
Internet uses a portion of the total resources of the currently existing public
telecommunication networks.

Electronic mail is the most widely used application on the Net. In view of
increased bandwidth availability, the Internet is widely used for video
conferencing and chatting. The most widely used part of the Internet is the
World Wide Web (often abbreviated "WWW" or called "the Web"). Its outstanding
feature is hypertext, a method of instant cross-referencing. In most Web sites,
certain words or phrases appear in text of a different color than the rest;
often this text is also underlined. When one selects one of these words or
phrases, one is transferred to the site or page that is relevant to the word or
phrase referred to.

1.5.5.1 Intranet

This is a network that is not available to the world outside of an
organisation. If the Intranet is connected to the Internet, the Intranet will
reside behind a firewall and, if it allows access from the outside world, it
will be referred to as an Extranet. The firewall helps to control access
between the Intranet and the Internet so that access to the Intranet is
provided only to people who are members of the same company or organization.

In every organization one can find an employee portal provided for
communication amongst employees. Employees can access the portal either through
the Internet while not in the office or through the LAN/WAN network while in
the office. The intranet has become a popular means of generating ideas from
employees at all levels, of resolving queries of junior employees about their
job profile by senior ones, and also of ventilating grievances, if any. The
medium is also becoming social, allowing intranet members to share photos and
details of other hobbies and to increase informal communication amongst
employees.

Difference between Internet & Intranet

| INTERNET | INTRANET |
|---|---|
| Accessible to general public | Can be accessed by limited user group who are members of it. |
| No password is required | Password is required for limiting its access to the privileged users |
| Speed of data transmission depends on traffic | Will be faster compared to Internet as the limited users would be accessing it. |
| It is a super-network | Subset of the Internet |

46
1.5.6 Networking hardware or networking equipment

Networking equipment refers to the devices that facilitate the use of a
computer network. The following are the various devices that are used for
networking purposes.

Gateways: A gateway is a networking device used for connecting dissimilar
computer networks. It establishes an intelligent connection between a local
network and an external network with completely different structures. In
enterprises, the gateway node often acts as a proxy server (a machine that is
not actually a server but appears as a server) and a firewall (a system
designed to prevent unauthorized access to and/or from a private network).

Routers: A router is a network device that is used to separate different
segments in a network to improve performance and reliability. It is a
specialized network device that determines the next network point to which it
can forward a data packet on the way to its destination. A router works like a
bridge but can handle different protocols. Routers forward each packet based on
its address and determine which router or workstation should receive the packet
next in a network. Based on a network roadmap called a routing table, routers
help to ensure that packets reach their destinations by travelling through the
most efficient paths. If a link between two routers fails, the source router
will determine an alternate route to keep network traffic moving.
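The routing-table lookup and the switch to an alternate route can be sketched as follows. This is an added example, not part of the course material: the `Router` class, the link names and the private-range prefixes are constructed, and the selection rule shown (most specific prefix first, then lowest metric) is the common convention rather than something the text above specifies.

```python
import ipaddress


class Router:
    def __init__(self):
        self.routes = []     # routing table rows: (network, next_hop, metric)
        self.failed = set()  # next hops whose link is currently down

    def add_route(self, prefix, next_hop, metric):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, metric))

    def link_down(self, next_hop):
        self.failed.add(next_hop)

    def link_up(self, next_hop):
        self.failed.discard(next_hop)

    def next_hop(self, destination):
        """Return the next network point for a packet, or None if unroutable."""
        addr = ipaddress.ip_address(destination)
        usable = [(net.prefixlen, -metric, hop)
                  for net, hop, metric in self.routes
                  if addr in net and hop not in self.failed]
        # Most specific prefix wins; among equal prefixes the lowest metric wins.
        return max(usable)[2] if usable else None


def build_branch_router():
    """Constructed routing table for a bank branch (all values hypothetical)."""
    r = Router()
    r.add_route("10.0.0.0/24", "leased-line", 10)    # data centre, primary link
    r.add_route("10.0.0.0/24", "isdn-backup", 50)    # same destination, backup link
    r.add_route("10.0.0.0/8", "head-office-wan", 20) # rest of the bank's network
    return r


if __name__ == "__main__":
    router = build_branch_router()
    print(router.next_hop("10.0.0.5"))   # primary path to the data centre
    router.link_down("leased-line")
    print(router.next_hop("10.0.0.5"))   # alternate route after the link failure
```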

Bridges: A bridge is a network device that establishes an intelligent
connection between two local networks with the same standard but with different
types of cables. A bridge mainly prevents packets from passing to a device for
which they are not meant.

Switches: A switch is a device that is used to group or segment networks into
different sub-networks called subnets or LAN segments. It enables transmission
of data from one LAN to another LAN.

Repeaters: A repeater is a device that amplifies a signal being transmitted on
a network. It is useful in long-distance transmissions. It helps in maintaining
signals at the same level till they reach a destination after transmission from
a source. Over a long distance, signals normally degrade in strength and it is
likely that they may fail to reach a destination. Repeaters installed along the
way in a computer network help in ensuring that data packets reach a
destination without fail. Repeaters are of two types: amplifier and signal
repeaters. An amplifier repeater only amplifies (increases the strength of) all
incoming signals over the network, but it also amplifies the noise received
along with a signal. A signal repeater collects the inbound packets and
retransmits them as if they had originated from a source station.

1.5.7 Let us sum up

Interconnection of more than two computers with a common medium is called a
computer network. There are numerous advantages of computer networks, such as
sharing computer resources, sharing printers etc. There are various types of
networks such as LAN, WAN, MAN, VLAN, PAN etc. The Internet is a network of
networks and a super-highway of information. Various kinds of networking
equipment are used in computer networks, such as gateways, routers, switches,
bridges and repeaters.

1.5.8 Keywords

Computer Network, LAN, WAN, MAN, VLAN, PAN, Internet, Intranet, Networking
Equipment, Gateways, Routers, Switches, Bridges and Repeaters, Modem, Access
Server

1.5.9 Check your progress- Questions

Fill in the blanks:

1. LAN means -------------------

2. WAN means ----------------

3. TCP/IP stands for ---------------

Multiple choice questions

4. Firewall is used for the purpose of----:

a) Protecting computers from fire
b) Creating a wall between two users
c) Protecting a component in a network
d) Guarding servers and nodes from unauthorized attacks

5. Hacking is--:

a) Legitimate means of accessing any network
b) Entering into another network without appropriate rights
c) A tool used for routing a message in a network
d) A component useful in a WAN

Key to questions asked:

1. Local Area Network

2. Wide Area Network

3. Transmission Control Protocol/Internet Protocol

4–d

5–b

1.5.10 Terminal questions

• What do you know about LAN and WAN? What is the difference between the two?
• When can you use an Intranet? How is it different from the Internet?
• What are the components required for setting up a wide area network?
1.6 Lesson No. – 6 Data Base Management

1.6.1 Objectives
1.6.2 Introduction
1.6.3 Advantages of Data Base Management System
1.6.4 Data Models
1.6.5 Structure of Relational Data
1.6.6 User Management
1.6.6.1 File management
1.6.7 Structured Query Language
1.6.8 Let us sum up
1.6.9 Key words
1.6.10 Check your progress-questions
Key to questions asked
1.6.11 Terminal questions

1.6.1 Objectives

The objectives of this lesson are to understand

• Database Management Systems (DBMS)
• Different types of data stored in a DBMS
• Use of Structured Query Language (SQL) for data manipulation

1.6.2 Introduction

A database is a logically coherent collection of data with some inherent
meaning, representing some aspect of the real world, which is designed, built
and populated for a specific purpose. A database management system (DBMS) is a
collection of programs that enables users to create and maintain a database. In
other words, it is general-purpose software that provides users with the
processes of defining, constructing and manipulating a database for various
applications.

1.6.3 Advantages of DBMS

Redundancy is controlled. Redundancy means unwanted data duplication. Since
data is organized systematically as per the needs of an organization, a DBMS
helps in minimizing duplication of data. In the case of banks, once customer
information is saved in a customer master, the same is used for various
purposes. Users need not key in the same information again and again.

Unauthorized access is restricted. Access to the database is allowed only to
the authorized users to whom login IDs and passwords are given.

Providing multiple user interfaces. The database can be used for various
purposes. The information of a particular customer can be used for opening a
savings account, for opening fixed deposits, for mailing the details of
accounts, as well as for forwarding product information of the bank. For
AML/KYC purposes too, the same data can be used, and there is no need to key in
customer data every time a customer opts for a new service or product from a
bank. A customer can access the same database through Internet banking for
carrying out transactions in his/her accounts.

Enforcing integrity constraints. The DBMS ensures the consistency of the
database. There would be no mismatches in the information about the same
customer when accessed from different interfaces. The balances are updated
whenever a transaction is done in an account from any delivery channel.

Providing backup and recovery. The backup of data is maintained in various
ways. Organizations can take a backup of data on a hard disc, DVD as well as on
tape media. The backup is also taken by log shipping of the data to a Disaster
Recovery Centre using leased line connectivity. This enables banks where a
mission-critical application like Core Banking is deployed to switch over to a
Disaster Recovery Centre in case there is a disaster such as a bomb explosion,
flood etc. The backup taken on a tape or DVD can also be restored using the
restore utility of a database.

There are three levels of abstraction in a database:

Physical level: The lowest level of abstraction describes how data are stored.
The storage details, the space files created and the location of data reside at
the physical level.

Logical level: The next higher level of abstraction describes what data is
stored in a database and what relationships exist among those data. It covers
the relationship of data in one table to another table in a database and
describes the type of data stored in different fields, such as text, number,
date, logical value etc.

In a bank, if a transaction table is created, there would be the following
information in the table.

| Fieldname | Data type | Description of the field |
|---|---|---|
| Brcode | Numeric | Branch Code |
| Entry date | Date | Date on which transaction entered in system |
| Postdate | Date | Date on which transaction is posted in the account |
| Amount | Numeric Double | Amount of the transaction up to two decimals |
| DrCr | Text | Type of transaction |
| Particulars | Text | Narration of the transaction |

View level: The highest level of abstraction describes only part of a database.
This is a view as per requirements of a user. In case of a bank user, information
about balance in an account or transaction details for a given period or account
master details are shown at view level. The view is thus a subset of a database
retrieved as per requirements of a user.

1.6.4 Data models

There are three types of data models used for Database management.

Relational Data model: In this model, the data is organized into tables
consisting of rows and columns. Rows are also called tuples. Columns are called
attributes. There cannot be more than one column in a table carrying same data.
Each column will have a distinct name. The data in the respective column would
be of uniform type. In the date column only dates in specified form would be
stored. In numeric column you will not find transaction narrations stored. Only
numeric values up to prescribed decimals would be stored. Name of a customer
in a customer master would be in one column. These tables are called relations. A
row in a table represents a relationship among a set of values. Table is a collection
of such relationships. A user can perform the following operations on such a
table:

• Inserting a row in a table;
• Deleting a row from a table;
• Modifying certain values in a row;
• Updating a column in a table, etc.
• Viewing a row or collection of rows from a table, which should satisfy
  defined criteria. E.g. transactions in an account of a particular customer
  for a given period should match with his/her actual transactions done with
  a bank.

The Network Data Model: In the network model, data is represented by a
collection of records, and relationships among data are represented by
associations. The associations among the data are also called links. The
records are connected to one another by means of links. A record is a
collection of fields (attributes), each of which may contain only one data
value.

The Hierarchical Data Model: Similar to Network Model, in this model too,
data is represented by collection of records and relationship among data. The
only difference is that in the hierarchical model, records are organized as trees
rather than arbitrary graphs. Here the relationships among its records are
maintained as parent child relationship.

Structure of Relational Database

Each row in a table of a database will have distinct values. To ensure and
maintain the distinctness, one or more attributes (columns) will have unique
values in a row. Such attribute is called primary key of a relation (row or tuple).

For example, in a customer table, say Custno will be the primary key. It means
that if customer A has Custno 1, then no other customer will have the same
Custno in the Customer table. In a transaction table of a branch, one can find
columns such as postdate, branch code and transaction no. used to create a
primary key.

In every table of a database, more than one column may be used to create a
primary key. For example, in a Customer table, custno or customer name can be
the primary key. But when custno is defined as the primary key, customer name
may be treated as an alternate key or a candidate key. Similarly, if a column
in a table has a value which is a primary key in another table, that column is
called a foreign key. For example, in an accounts table, where account no. and
other details are maintained, if custno is one column it would be a foreign key
for the account master table.

1.6.5 User management

A DBMS provides access to data to authorized users only. As covered above,
there are three levels at which a database is maintained, so different types of
users need different access. For a database, there can be a Database
Administrator (DBA) who accesses data to ensure the continued performance of
the DBMS. The administrator has to carry out maintenance work such as
rebuilding indices after a large number of inserts, or gathering statistics
which help the DBMS to retrieve the requested data speedily. The DBA can also
keep track of the logs written by the DBMS. Users access data either through an
application or using SQL queries. Access rights therefore have to be given to
them by defining appropriate roles and assigning to those roles the privileges
that match the needs of the end users.
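The role-and-privilege idea described above can be tried out with Python's built-in sqlite3 module, whose authorizer callback is consulted for every statement. This is an added example, not part of the course material; the roles, user names and tables are constructed for illustration.

```python
import sqlite3

# Roles, users and tables below are constructed for this example.
# Privileges are granted to roles; users only ever receive a role.
ROLE_PRIVILEGES = {
    "teller":  {("SELECT", "transactions"), ("INSERT", "transactions")},
    "auditor": {("SELECT", "transactions"), ("SELECT", "customer")},
    "dba":     {(op, "*") for op in ("SELECT", "INSERT", "UPDATE", "DELETE")},
}
USER_ROLE = {"asha": "teller", "ravi": "auditor", "admin": "dba"}

# SQLite action codes that correspond to a table-level privilege.
TABLE_ACTIONS = {
    sqlite3.SQLITE_READ: "SELECT",
    sqlite3.SQLITE_INSERT: "INSERT",
    sqlite3.SQLITE_UPDATE: "UPDATE",
    sqlite3.SQLITE_DELETE: "DELETE",
}
# Statement-level actions every role needs in order to run any query at all.
ALWAYS_ALLOWED = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_TRANSACTION}


def authorizer_for(role):
    """Build the callback SQLite consults while compiling each statement."""
    granted = ROLE_PRIVILEGES[role]

    def authorize(action, arg1, arg2, dbname, source):
        if action in ALWAYS_ALLOWED:
            return sqlite3.SQLITE_OK
        op = TABLE_ACTIONS.get(action)       # arg1 is the table name
        if op and ((op, arg1) in granted or (op, "*") in granted):
            return sqlite3.SQLITE_OK
        # Default deny: anything not granted (including CREATE, DROP, PRAGMA).
        return sqlite3.SQLITE_DENY

    return authorize


def build_database():
    """Create constructed sample data before any authorizer is installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer (custno INTEGER PRIMARY KEY, custname TEXT NOT NULL);
        CREATE TABLE transactions (txn_no INTEGER PRIMARY KEY, custno INTEGER,
                                   amount NUMERIC, drcr TEXT);
        INSERT INTO customer VALUES (1, 'Customer A');
        INSERT INTO transactions VALUES (1, 1, 500.00, 'Cr');
    """)
    conn.commit()
    return conn


def run_as(conn, user, sql, params=()):
    """Run one statement with the privileges of the user's role.

    Returns (True, rows) when permitted and (False, error text) when denied.
    """
    conn.set_authorizer(authorizer_for(USER_ROLE[user]))
    try:
        rows = conn.execute(sql, params).fetchall()
        conn.commit()
        return True, rows
    except sqlite3.DatabaseError as exc:
        conn.rollback()
        return False, str(exc)


if __name__ == "__main__":
    db = build_database()
    attempts = [
        ("asha", "INSERT INTO transactions VALUES (2, 1, 120.50, 'Dr')"),
        ("asha", "UPDATE transactions SET amount = 1 WHERE txn_no = 1"),
        ("ravi", "SELECT custname FROM customer WHERE custno = 1"),
        ("ravi", "DELETE FROM transactions WHERE txn_no = 1"),
        ("admin", "UPDATE transactions SET drcr = 'Dr' WHERE txn_no = 2"),
    ]
    for user, sql in attempts:
        ok, _ = run_as(db, user, sql)
        print(f"{user:6} {'ALLOWED' if ok else 'DENIED':8} {sql}")
```

A production DBMS expresses the same mapping with its own role and grant statements; the point here is that a teller can post a transaction but cannot alter or delete one already posted.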

1.6.5.1 File management system

As against the structured system of maintaining information in a database by
using a DBMS, data or information is also stored in different files. Files can
be of various types: Word files where the details of a word document are
stored, Excel files where worksheets showing detailed calculations are
maintained, image files where images are stored etc. In file management, data
is not stored in a structured format. It would therefore be difficult for many
users who wish to access the data to use the same.

Storing data in file management systems is therefore useful when business
proposals are prepared by Banks and Financial Institutions. The business
proposal is prepared in Word files and the same is stored in a file management
system automatically. In Excel too, working involving financial calculations is
stored in a file management system. Other examples of file management systems
are tutorials/lessons stored in electronic form. The history of judgments is
generally stored in Word files.

1.6.6 Structured query language (SQL)

To access a database, structured criteria or queries have to be created and
executed over a connection to that particular database. Based on the criteria
or conditions used, an output is generated from the database. For running this
kind of query, a computer language called Structured Query Language (SQL) is
used. SQL is a simple query language used for accessing, handling and managing
data in relational databases.

SQL’s original version was developed by IBM and was called a “sequel”. The
language has evolved since then. In 1986, American National Standards Institute
published SQL standards, which have since been updated in 1992 & 2008.

SQL has the following processing capabilities:

• Data Definition Language (DDL): It provides commands for defining
  relation schemes, deleting relations and creating indices.
• Data Manipulation Language (DML): It provides commands to insert,
  delete and modify rows in a table.
• View Definition: It enables views to be defined.
• Authorization: It provides the access mechanism to views and tables of a
  database.

A query is a statement or command given to a database. A statement/command
contains keywords, which have a special meaning. SQL commands have one or more
logical parts, which are called clauses.

The following example shows the syntax of an SQL query:

SELECT custno, custname FROM customer WHERE custno = 1;

In the above statement, “SELECT”, “FROM” and “WHERE” are the keywords. Each
keyword introduces a clause: “FROM” represents one argument and “WHERE”
represents another.
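The keys described under "Structure of Relational Database" and the DDL, DML and view capabilities listed above can be seen working together in one small database. This is an added example using Python's built-in sqlite3 module, not part of the course material; the accno and txn_no columns and all sample rows are constructed for illustration.

```python
import sqlite3

SCHEMA = """
-- DDL: define the relations, their keys and an index.
CREATE TABLE customer (
    custno   INTEGER PRIMARY KEY,                          -- primary key
    custname TEXT NOT NULL
);
CREATE TABLE account (
    accno  INTEGER PRIMARY KEY,
    custno INTEGER NOT NULL REFERENCES customer(custno)   -- foreign key
);
CREATE TABLE transactions (
    postdate    TEXT    NOT NULL,
    brcode      INTEGER NOT NULL,
    txn_no      INTEGER NOT NULL,
    accno       INTEGER NOT NULL REFERENCES account(accno),
    amount      NUMERIC NOT NULL,
    drcr        TEXT    NOT NULL CHECK (drcr IN ('Dr', 'Cr')),
    particulars TEXT,
    PRIMARY KEY (postdate, brcode, txn_no)                 -- composite primary key
);
CREATE INDEX idx_txn_account ON transactions (accno, postdate);

-- View definition: the view level shows a user only a balance per account.
CREATE VIEW account_balance AS
    SELECT accno,
           SUM(CASE drcr WHEN 'Cr' THEN amount ELSE -amount END) AS balance
    FROM transactions
    GROUP BY accno;
"""


def build_bank_db():
    conn = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only when this is switched on per connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def load_sample_rows(conn):
    """DML: insert constructed sample rows using bound parameters."""
    with conn:
        conn.execute("INSERT INTO customer VALUES (?, ?)", (1, "Customer A"))
        conn.execute("INSERT INTO account VALUES (?, ?)", (1001, 1))
        conn.executemany(
            "INSERT INTO transactions VALUES (?, ?, ?, ?, ?, ?, ?)",
            [("2023-01-05", 10, 1, 1001, 1000.00, "Cr", "Cash deposit"),
             ("2023-01-06", 10, 1, 1001, 250.50, "Dr", "Cheque paid")],
        )


def try_dml(conn, sql, params=()):
    """Run one DML statement; return None on success or the constraint error."""
    try:
        with conn:                      # commits on success, rolls back on error
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


def balance(conn, accno):
    """Read through the view instead of the underlying table."""
    row = conn.execute(
        "SELECT balance FROM account_balance WHERE accno = ?", (accno,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_bank_db()
    load_sample_rows(db)
    print("balance:", balance(db, 1001))
    checks = {
        "duplicate custno": ("INSERT INTO customer VALUES (1, 'Customer B')", ()),
        "account for unknown customer": ("INSERT INTO account VALUES (1002, 99)", ()),
        "repeated (postdate, brcode, txn_no)": (
            "INSERT INTO transactions VALUES ('2023-01-05', 10, 1, 1001, 5, 'Cr', 'x')", ()),
        "delete customer who still has an account": (
            "DELETE FROM customer WHERE custno = 1", ()),
    }
    for label, (sql, params) in checks.items():
        print(f"{label}: {try_dml(db, sql, params)}")
```

Each rejected statement leaves the tables unchanged, which is how the database itself, rather than the application, keeps customer, account and transaction rows consistent.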

1.6.7 Let us sum up

A database is a coherent collection of data with some meaning. There are
various advantages of Database Management Systems. A DBMS takes care of
redundancy of data, handles concurrency of data and provides high availability
of data. There are various levels of abstraction maintained in a database, such
as Physical level, Logical level and View level. Databases can follow various
models, viz. Relational, Hierarchical and Network. Data can also be managed by
file management systems. To retrieve data from a database, Structured Query
Language is used, which has various capabilities such as Data Manipulation,
Data Definition and Data Control.

1.6.8 Key words

Database, DBMS, Abstraction, Data Models, SQL, DDL, DML, Privileges,
Authorization

1.6.9 Check your progress-questions

1. SQL means -------------------------

2. DBMS means -------------------------

3. Types of Data models are ---------------, ------------ and --------------

4. Data in DBMS is logically organized in the form of----------

a. Files b. Tables
c. Images d. Video

5. Data manipulation language is not meant for which one of the following?

a. Insert b. tables
c. Modify d. Store data in files

Key to questions asked

1. Structured Query Language
2. Database Management System
3. Relational, Network and Hierarchical Models
4. b
5. d

1.6.10 Terminal questions

• What are the advantages of a DBMS system?
• How would you differentiate a File management system from a DBMS system?
• What are the different languages used for data management?

1.7 Lesson No. 7 Data Communication

1.7.1 Objectives
1.7.2 Leased Lines
1.7.3 Advantages/Disadvantages of Leased Lines
1.7.4 MPLS
1.7.5 Virtual Private Network
1.7.6 Satellites
1.7.6.1 Uses of Communication Satellites
1.7.7 Wi-Fi
1.7.8 Wi-Max
1.7.9 Let us sum up
1.7.10 Key words
1.7.11 Check your progress- questions
Key to questions asked
1.7.12 Terminal questions

1.7.1 Objectives

The objectives of this lesson are to understand:

• The different types of communications available in the market place
• The numerous ways of providing connectivity to servers and nodes located
  at different offices of an organization or a bank.

1.7.2 Leased lines

Leased lines are dedicated circuits provided by Basic Service Providers (BSPs),
which help in uninterrupted connectivity to the Internet. It is a type of
telecommunication line connecting two distant places. Leased lines provide the
last mile access from user premises to an Internet Service Provider (ISP). They
provide permanent connection as compared to a temporary connectivity via
dialup access. The quality of connection is far superior to what is normally
available through dialup.

Usually, these lines are used by companies to connect geographically far-away
offices, particularly organizations with large user groups, including
corporates, banks and financial institutions, educational and R&D
organizations, government, military etc. They are also referred to as dedicated
data lines or private lines. Though these lines are set up and maintained by
telecom companies, they cannot be referred to as telephone lines.

Organizations can have leased line connectivity starting from 64 Kbps. It is
possible to scale it in multiples of E1 (2 Mbps) pipes, providing a bandwidth
consistent with the needs of the organization. Unlike normal dial-up
connections, a leased line connection is always active, and information sent
through it travels along dedicated secure channels, reducing the blockage that
occurs in shared networks. In branches of a bank, one can use 64 Kbps
bandwidth, and in large sized branches a bandwidth of 256 Kbps or 512 Kbps is
adequate for smooth operations. The bandwidth required depends on the quantity
of data used, the number of users using the connectivity of a line and the
number of applications running simultaneously. In a Bank, large sized branches
would require more bandwidth, and for small branches less bandwidth may be
sufficient.

In leased line connectivity the access is "always on" and it is possible to
associate a pool of permanent IP addresses with a particular leased line.
Normally, the ISP would provide 16/32 IP addresses for each 64 Kbps chunk of
bandwidth. Using these IP addresses it becomes possible to deploy a variety of
services such as mail, DNS, WWW and proxy, which are the most common
requirements of organizations. In other words, leased lines enable providing
services of all types, and offer a platform for enterprise intranets and
extranets, apart from what we may term as "entry level" services such as
messaging, which still account for over 70 percent of all Internet access.

Two types of equipment are required for leased line connectivity. The first set
of hardware is required for establishing a last mile link between the customer
premises and an ISP. Currently, 64 Kbps and 2 Mbps modems are commonly deployed
for leased line access to the Net. Depending on the bandwidth, there are some
technical differences between modems as well. The leased line modems may be
provided by the ISP, or the customer can buy them himself.

The other set of equipment required is at the customer premises. This includes a
router and various servers as needed at specific sites. Customer side router
establishes a link with an ISP. Typically, users need to consider services like DNS,
mail, proxy, firewall, FTP, databases, file servers, and security services which can
be set up on availability of connectivity.

Applications of leased lines

Point-to-point: For Data Only

One of the widely used applications of leased lines is a secure dedicated data
circuit between two locations via a private line, which can be used to transmit
data at a constant speed equal to the bandwidth of the circuit.

Point-to-point: For Voice and Data

This kind of application allows transmission of voice and data over same
connection. Here also two separate locations are joined together. This type of
configuration is commonly provided on a higher bandwidth circuit. Bandwidth of
a circuit is divided into individual voice channels and data channels.

Multiplexing

Multiplexing basically connects multiple remote sites to a single centralized
location. Typically a connection originating from a host location is connected
into a multiplexer at a service provider's end. At the multiplexer end, the host
circuit is split into smaller individual circuits, and these circuits are then
delivered to remote sites.

1.7.3 Advantages/disadvantages of leased lines

Advantages

• It provides permanent, reliable, high-speed connectivity as compared to the
  temporary connectivity of dial-up access.
• The quality of connection is far superior to what is normally available
  through dial-up, due to digital signaling. The lines are noise free, pass
  through fewer exchanges etc.
• Leased lines are an ideal solution for businesses that require continuous
  communication throughout the day.
• A leased line has the ability to connect separate offices and buildings so
  that they can share data and other IT resources.
• Another benefit of leased lines is that they can be used to connect directly
  to the Internet or just to a network of various offices of an organization.

Disadvantages

• Leased line bandwidth prices are high compared to dial-up bandwidth of equal
  size.
• Entry level annual port prices are also high at present. Hence these lines
  are only viable beyond a particular threshold level.
• Permanent connectivity to the Net exposes the organization to a variety of
  threats including hacking, malicious code including active vandals, viruses,
  Trojan Horses, macros, denial of service attacks etc.

1.7.4 Multi-Protocol Label Switching (MPLS)

MPLS is a packet-forwarding technology which uses labels to make data
forwarding decisions. With MPLS, Layer 3 header analysis is done just once
(when the packet enters the MPLS domain). Label inspection drives subsequent
packet forwarding. MPLS provides the following benefits:

• Virtual Private Networking (VPN)
• Traffic Engineering (TE)
• Quality of Service (QoS)
• Any Transport over MPLS (AToM)

Additionally, it decreases the forwarding overhead on core routers. MPLS
technologies are applicable to any network layer.

MPLS is a technology used to speed up the flow of traffic on a network so that
it becomes easier to manage. To achieve this kind of traffic management, a
specific path is set up for a particular sequence of packets, with a label in
each packet for identification purposes. The overall result is that the time a
router would have taken to look up the next node's address is saved (a node is
where a packet is forwarded to). MPLS technology works with multiple network
protocols including frame relay, Asynchronous Transfer Mode (ATM) and Internet
Protocol.

The major difference between leased line and MPLS is that in a leased line, the
sites (branch) are connected to each other through a line provided by a service
provider; the connectivity is a private network of communication between two
sites. In an MPLS network, each site is connected to a service provider’s network
with a single link so that any packet from a branch location to the network is
given an MPLS label for identification and routed through a network. With
MPLS, it is possible to define the traffic path in a network as well as the
performance characteristics for different forms of traffic like voice, video or data.
In addition, an MPLS network can actually carry all sorts of packets by using the
same infrastructure simply because packets coming in are assigned protocol
independent labels for transmission to a network. This makes MPLS the
preferred technology to be used in businesses.
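The label-based forwarding described in this section can be followed hop by hop in a small simulation. This is an added example, not part of the course material; the router names, prefixes and label values are constructed, and the egress step is simplified to a label pop that hands the packet to the attached site.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    dst_ip: str
    payload: str
    label: Optional[int] = None
    trace: List[str] = field(default_factory=list)


class IngressRouter:
    """Edge router: the only place where the Layer 3 header is analysed."""

    def __init__(self, name, fec_table):
        self.name = name
        # Each entry: (destination prefix, label to push, next hop)
        self.fec_table = [(ipaddress.ip_network(p), lbl, nh)
                          for p, lbl, nh in fec_table]
        self.l3_lookups = 0

    def forward(self, pkt):
        self.l3_lookups += 1
        dst = ipaddress.ip_address(pkt.dst_ip)
        matches = [e for e in self.fec_table if dst in e[0]]
        if not matches:
            pkt.trace.append(f"{self.name}: no route for {dst}, drop")
            return None
        # Longest prefix match decides the class of traffic, hence the label.
        net, label, next_hop = max(matches, key=lambda e: e[0].prefixlen)
        pkt.label = label
        pkt.trace.append(f"{self.name}: L3 lookup {net}, push {label}")
        return next_hop


class LabelSwitchRouter:
    """Core router: forwards on an exact label match, never on the IP header."""

    def __init__(self, name, label_table):
        self.name = name
        self.label_table = label_table  # in-label -> (action, out-label, next hop)
        self.l3_lookups = 0             # stays 0 by construction

    def forward(self, pkt):
        entry = self.label_table.get(pkt.label)
        if entry is None:
            pkt.trace.append(f"{self.name}: unknown label {pkt.label}, drop")
            return None
        action, out_label, next_hop = entry
        pkt.trace.append(f"{self.name}: {action} {pkt.label} -> {out_label}")
        pkt.label = out_label if action == "swap" else None
        return next_hop


def build_network():
    """Constructed topology: branch edge -> core -> head-office edge -> sites."""
    return {
        "PE-Branch": IngressRouter("PE-Branch", [
            ("10.20.0.0/16", 100, "P1"),    # head-office data centre
            ("10.20.30.0/24", 200, "P1"),   # more specific prefix: DR site
        ]),
        "P1": LabelSwitchRouter("P1", {100: ("swap", 101, "PE-HO"),
                                       200: ("swap", 201, "PE-HO")}),
        "PE-HO": LabelSwitchRouter("PE-HO", {101: ("pop", None, "DataCentre"),
                                             201: ("pop", None, "DR-Site")}),
    }


def send(network, ingress, pkt, max_hops=16):
    """Walk the packet through the network; return the site reached or None."""
    node = ingress
    for _ in range(max_hops):
        if node not in network:      # left the MPLS domain: delivered to a site
            return node
        node = network[node].forward(pkt)
        if node is None:
            return None
    return None


if __name__ == "__main__":
    net = build_network()
    for dst in ("10.20.1.1", "10.20.30.5", "192.0.2.1"):
        pkt = Packet(dst, "balance enquiry")
        print(dst, "->", send(net, "PE-Branch", pkt))
        for step in pkt.trace:
            print("   ", step)
```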

1.7.5 Virtual Private Networks (VPN)

VPN is a shared network where private data is segmented from other traffic so
that only an authorized user has access. The term VPN was originally used to
describe a secure connection over the Internet. Today, however, VPN is also
used to describe private networks, such as Frame Relay, Asynchronous Transfer
Mode (ATM), and Multi-Protocol Label Switching (MPLS). A key aspect of data
security is that data flowing across a network is protected by encryption
technologies. Private networks lack data security, which may allow data
attackers to tap directly into a network and read data. IPSec-based VPNs use
encryption to provide data security, which increases the network's resistance
against data tampering or theft. IPSec-based VPNs can be created over any type
of IP network, including the Internet, Frame Relay, ATM, and MPLS, but only the
Internet is ubiquitous and inexpensive.

VPNs are traditionally used for the following:

Intranets: Intranets connect an organization’s locations. These locations range
from Head Offices, to branch offices, to an employee’s home located in a remote
place. Often this connectivity is used for e-mails and for sharing applications
and files.

Remote Access: Remote access enables telecommuters and mobile workers to access
e-mails and business applications. A dial-up connection to an organization’s
modem pool is one method of access which may be used by remote workers, but it
is expensive because an organization must pay the associated long distance
telephone and service costs. Remote access VPNs greatly reduce expenses by
enabling mobile workers to dial a local Internet connection and then set up
secure IPSec-based VPN communications to their organization.

Extranets: Extranets are secure connections between two or more organizations.
Common uses of extranets include supply-chain management, development
partnerships, and subscription services.

IPSec: IPSec is an Internet Engineering Task Force (IETF) standard suite of
protocols that provides data authentication, integrity, and confidentiality as
data is transferred between communication points across IP networks. IPSec
provides data security at IP packet level. A packet is a data bundle that is
organized for transmission across a network, and it includes a header and
payload (the data in the packet). IPSec emerged as a viable network security
standard because enterprises wanted to ensure that data could be securely
transmitted over the Internet. IPSec protects against possible security
exposures by safeguarding data while in transit.
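How a receiver checks, packet by packet, that data came from the claimed sender and was not changed can be shown with a keyed integrity check value appended to each packet. This is an added example, not part of the course material and not the IPSec wire format: the packet layout is simplified, the key and payload are constructed, and encryption for confidentiality is left out because Python's standard library has no cipher.

```python
import hashlib
import hmac
import struct

ICV_LEN = 16                    # HMAC-SHA-256 output truncated to 128 bits
HEADER = struct.Struct("!II")   # security association id (SPI), sequence number


def protect(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: header + payload + integrity check value (ICV)."""
    header = HEADER.pack(spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def verify(key: bytes, expected_spi: int, packet: bytes):
    """Receiver side: return (seq, payload) if the packet is authentic and
    unmodified, otherwise None."""
    if len(packet) < HEADER.size + ICV_LEN:
        return None                               # too short to carry an ICV
    header = packet[:HEADER.size]
    payload = packet[HEADER.size:-ICV_LEN]
    icv = packet[-ICV_LEN:]
    spi, seq = HEADER.unpack(header)
    if spi != expected_spi:
        return None                               # not for this association
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(icv, expected):
        return None
    return seq, payload


if __name__ == "__main__":
    shared_key = bytes(range(32))                 # constructed sample key
    pkt = protect(shared_key, 0x1001, 7, b"NEFT credit 2500.00")
    print("genuine :", verify(shared_key, 0x1001, pkt))

    tampered = bytearray(pkt)
    tampered[12] ^= 0x01                          # one bit changed in transit
    print("tampered:", verify(shared_key, 0x1001, bytes(tampered)))

    print("wrong key:", verify(bytes(32), 0x1001, pkt))
```

Only a holder of the shared key can produce a matching value, which gives authentication, and any change to the header or payload changes the expected value, which gives integrity.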

IPSec provides the following security features when transmitting packets across
networks:

• Authentication: Verifies that a packet received is actually from the
  claimed sender.
• Integrity: Ensures that the contents of a packet did not change in transit.
• Confidentiality: Conceals content through encryption.

1.7.6 Satellites

Satellites are able to fulfill a number of roles. One of the major roles is
communications. Satellite communications can be established over large
distances, well beyond the line of sight. Communications satellites may be used
for many applications, including relaying telephone calls, providing
communications to remote areas across the globe, and providing communications
to ships, aircraft and other mobile vehicles.

1.7.6.1 Uses of communications satellites

Telecommunications: Satellite systems have been able to provide data
communications links over large distances. They were often used in place of
intercontinental submarine cables, which were expensive and unreliable in their
early days. Nowadays cable technology has significantly improved and provides
much higher levels of capacity, especially as a result of fiber optic
technology, along with improved reliability. As a result, satellites are less
frequently used to replace terrestrial cables.

Satellite phones: The concept of using a mobile phone from anywhere across the
globe is one that has many applications. Although the terrestrial cellular
network is widely available, there are still many areas where coverage is not
available. In these cases satellite phones are of great use. For example,
satellite phones are widely used by emergency services in remote areas, even in
countries that might have a good cellular network. They may also be of use for
communications in rural areas where no cellular coverage is available. They are
also useful at sea, in developing countries, or in uninhabited areas of the
globe.

Direct broadcast: While terrestrial broadcasting is well established, it has a
number of limitations, namely the coverage, especially in hilly areas where the
hills may obstruct the signals from receivers, and also the bandwidth.

Advantages

Flexibility: Satellite systems are able to provide communications in a variety
of ways without the need to install any fixed assets.

Mobility: Satellite communications are able to reach all areas of the globe.
Depending on the type of satellite system in use, the ground stations need not
be in any one given location. For this reason, many ships use satellite
communications.

Speedy deployment: Deployment of a satellite communications system can be very
speedy. No ground infrastructure may be required, as terrestrial lines or
wireless base stations are not needed. Therefore, for remote areas, satellite
communications systems provide an ideal solution.

Provides coverage over the globe: Depending on the type of satellite
communications system, and the orbits used, it is possible to provide complete
global coverage. As a result, satellite communications systems are suited for
providing communications capabilities in many remote areas where other
technologies would not be viable.

Disadvantages

Cost: Satellites are not cheap to build, place in orbit and then maintain. This
means that the operational costs are high, and therefore the cost of renting or
buying space on a satellite will also not be cheap.

Propagation delay: As distances are very much greater than those involved with
terrestrial systems, propagation delay can be an issue, especially for
satellites using geostationary orbits. Here, the round trip from the ground to
a satellite and back can take a quarter of a second.

Specialized satellite terminals required: Even though an operator maintains all
the required infrastructure, the user will still need a specialized terminal
that will communicate with a satellite. This is likely to be costly, and the
services may be offered by a few vendors only.

1.7.7 Wi-Fi

If you've been in an airport, coffee shop, library or hotel recently, chances are that
you've been right in the middle of a wireless network. Many people also use
wireless networking, also called Wi-Fi or 802.11 networking, to connect their
computers at home. Some cities are trying to use the technology to provide free or
low-cost Internet access to residents. In the near future, wireless networking may
become so widespread that one can access the Internet just about anywhere at
any time, without using wires.

A wireless network uses radio waves, just like cell phones, televisions and
radios do. In fact, communication across a wireless network is a lot like
two-way walkie-talkie radio communication.

Mechanism of Wi-Fi

• A computer's wireless adapter translates data into a radio signal and
  transmits it using an antenna.
• A wireless router receives the signal and decodes it. The router sends the
  information to the Internet using a physical, wired Ethernet connection.
• The process also works in reverse, with the router receiving information
  from the Internet, translating it into a radio signal and sending it to the
  computer's wireless adapter.
• The radios used for Wi-Fi communication are very similar to the radios used
  for walkie-talkies, cell phones and other devices. They can transmit and
  receive radio waves, and they can convert ‘1’s and ‘0’s into radio waves and
  convert the radio waves back into ‘1’s and ‘0’s.

But Wi-Fi radios have a few notable differences from other radios.

They transmit at frequencies of 2.4 GHz to 5 GHz. This frequency is considerably
higher than the frequencies used for cell phones, walkie-talkies and
televisions. A higher frequency allows a signal to carry more data.

1.7.8 WiMAX

WiMAX is very similar to Wi-Fi with some basic differences. WiMAX is mobile
and it serves a greater number of users. WiMAX is designed to offer higher
security and greater quality of service than other mobile broadband technologies.
All of this is provided without any wires or landline connections. As the Internet
needs grow, the related services also grow. Multiple Users→ Multiple Devices→
Multiple locations. A WiMAX system consists of two basic components: a
WiMAX tower and a WiMAX receiver. A receiver can be any WiMAX-enabled
device: a home modem, a connection card, or a laptop with an embedded chip
that receives a signal the way the Wi-Fi does today.

WiMAX Wireless Services: WiMAX provides two forms of wireless services, mobile
and fixed. Mobile WiMAX uses the 802.16e standard. This is similar to Wi-Fi in
that one can connect to a WiMAX tower using a small antenna attached to or
built into the device. In this mode WiMAX will use a frequency range which is
similar to Wi-Fi. WiMAX transmissions are not as easily disrupted by physical
obstructions and are able to bend better around obstacles. Fixed WiMAX uses the
802.16d standard. This is where one will have a fixed antenna sitting in a home
or office pointing towards a WiMAX tower. The line-of-sight connection will be
stronger and more stable than a non-line-of-sight one.

1.7.9 Let us sum up

Leased lines are dedicated circuits provided by Basic Service Providers (BSPs),
which help in uninterrupted connectivity to the Internet. It is a type of
telecommunication line connecting two distant places. Components required at
the user end for leased line connectivity are a modem, a switch and a router.
MPLS is a packet-forwarding technology which uses labels to make data
forwarding decisions. MPLS technology works with different protocols such as
frame relay, Asynchronous Transfer Mode (ATM) and Internet Protocol. Different
uses of satellites are telecommunication, satellite phones and direct
broadcast. VPN is a shared network where private data is segmented from other
traffic so that only an authorized user has access. Many people also use
wireless networking, also called Wi-Fi or 802.11 networking, to connect their
computers at home. A computer's wireless adapter translates data into a radio
signal and transmits it using an antenna. WiMAX is mobile and it serves a
greater number of users. WiMAX is designed to offer higher security and greater
quality of service than other mobile broadband technologies.

1.7.10 Keywords

Leased lines, Internet, Intranet, Multiplexing, MPLS, Extranet, IPSec,
Satellites, Wi-Fi, and WiMAX

1.7.11 Check your progress Questions

1. MPLS means ----------

2. VPN means ----------

3. Leased line connectivity is required in case of ------- network

4. MPLS is not providing which one of the following benefits:

a. Virtual Private Networking    b. Traffic Engineering
c. Monitoring of the network     d. Any Transport over MPLS (AToM)

5. Virtual Private Network is not used in one of the following cases

a. Intranet b. Extranet
c. Internet d. IPSecs

Key to questions asked

1. Multi-Protocol Lease Line service
2. Virtual Private Network
3. WAN (Wide Area Network)
4. c
5. c

1.7.12 Terminal questions

• What are the advantages of leased line connectivity for commercial
  organizations?
• How would you differentiate between Wi-Fi and Wi-Max?

1.8 Lesson No. 8 Important Terminology

1.8.1 Objectives
1.8.2 Indian Financial Network
1.8.3 National Financial Switch
1.8.4 Data Warehousing
1.8.5 Data Mining
1.8.6 Visa/Master Card
1.8.7 IP Address
1.8.8 Routing
1.8.9 Public Key Cryptography
1.8.10 Let us sum up
1.8.11 Keywords
1.8.12 Check your progress
Key to questions asked
1.8.13 Terminal questions

1.8.1 Objectives

The objective of this lesson is to understand various terminologies that are
commonly used in Banks operating in India.

1.8.2 Indian Financial Network

Institute for Development and Research in Banking & Technology (IDRBT), based
in Hyderabad, started INFINET. The Indian Financial Network [INFINET] is the
communication backbone for the Indian Banking and Financial sector. All banks
in the public/private sector, cooperatives, etc., and the premier financial
institutions in the country are eligible to become members of INFINET. It is a
closed user group network for the exclusive use of member banks and financial
institutions and is the communication backbone for the National Payments
System, which caters mainly to inter-bank applications like RTGS, Delivery Vs
Payment, Government Transactions, Automatic Clearing House, etc.

National Payments Corporation of India

National Payments Corporation of India (NPCI), an umbrella organisation for
operating retail payments and settlement systems in India, is an initiative of
Reserve Bank of India (RBI) and Indian Banks’ Association (IBA) under the
provisions of the Payment and Settlement Systems Act, 2007, for creating a
robust Payment & Settlement Infrastructure in India.

Considering the utility nature of the objects of NPCI, it has been incorporated as
a “Not for Profit” Company under the provisions of Section 25 of Companies Act
1956 (now Section 8 of Companies Act 2013), with an intention to provide
infrastructure to the entire Banking system in India for physical as well as
electronic payment and settlement systems. The Company is focused on bringing
innovations in the retail payment systems through the use of technology for
achieving greater efficiency in operations and widening the reach of payment
systems.

The ten core promoter banks are State Bank of India, Punjab National Bank,
Canara Bank, Bank of Baroda, Union Bank of India, Bank of India, ICICI Bank,
HDFC Bank, Citibank N. A. and HSBC. In 2016 the shareholding was broad-based to
56 member banks to include more banks representing all sectors.

NPCI, during its journey in the last seven years, has made a significant impact
on the retail payment systems in the country. Dedicated to the nation by our
former President, Shri Pranab Mukherjee, endorsed by the Hon’ble Prime Minister,
Shri Narendra Modi and later made the card of choice for the ambitious Pradhan
Mantri Jan Dhan Yojana, RuPay is now a known name. With Immediate Payment
Service (IMPS), India has become the leading country in the world in real time
payments in the retail sector. Needless to mention, National Financial Switch
(NFS) and Cheque Truncation System (CTS) continue to be the flagship products
of NPCI. Unified Payments Interface (UPI) has been termed the revolutionary
product in payment systems, and Bharat Bill Payment System (BBPS) has also been
launched in pilot mode. The other products include RuPay Credit Card, National
Common Mobility Card (NCMC) and National Electronic Toll Collection (NETC).
With these products the aim is to transform India into a ‘less-cash’ society by
touching every Indian with one or other payment services. With each passing
year we are moving towards our vision to be the best payments network globally.

1.8.3 National Financial Switch (NFS)

NFS comprises a National Switch to facilitate inter-connectivity between Banks'
Switches, and an Inter-Bank Payment Gateway for authentication and routing of
payment details of various e-commerce transactions, e-government activities,
etc. The Institute of Development and Research in Banking Technology (IDRBT),
Hyderabad had been providing ATM switching services to banks in India through
the National Financial Switch. Reserve Bank of India has granted authorization
to National Payments Corporation of India (NPCI) to take over the operations of
the National Financial Switch (NFS) from IDRBT on an ‘as is where is’ basis
with effect from October 15, 2009. NPCI has taken over NFS operations from
December 14, 2009. While the primary site of NPCI is located in the IDRBT
Campus at Hyderabad, the backup site is being developed at Mumbai. NPCI is
committed to operating the National Financial Switch on a 24x7 basis with near
zero downtime and zero tolerance to data loss. All the member banks are
connected to NFS using IDRBT’s data communication network known as INFINET.

The National Financial Switch provides connectivity directly to individual bank's
switch or through their shared ATM Network Switches. It is a win-win situation
for all banks and more importantly, for customers.

The Clearing Corporation of India Limited (CCIL) is the clearing and settlement
agency for the switch, which also facilitates the NFS Disaster Recovery Site from
its premises at Mumbai. An NFS User Group has been set up to deliberate on various
issues related to the procedures, fee, etc. and a Steering Committee consisting
of the banks' top management resolves various issues related to the National
Financial Switch and policies from time to time.

1.8.4 Data Warehouse

Bill Inmon defined a Data Warehouse as a subject-oriented, integrated,
time-variant and non-volatile collection of data in support of management's
decision-making process.

Subject-oriented Data Warehouse gives information about a particular subject or
topic or entity, e.g. Customer, Supplier, Location.

Integrated Data Warehouse is a collection of data from a variety of sources,
merged into a single database.

Time-Variant Data Warehouse is identified with a particular time period.

Non-Volatile Data Warehouse is where data is added but never removed. This
enables management to gain a consistent picture of a business over a particular
time period.

Simply put, a data warehouse is a collection of data extracted from an operational
or a transactional system of a business; it is transformed after cleaning
inconsistencies and can be used for rapid reporting and analysis. It is a database
designed to support decision making in an organization. Data from production
databases (Core Banking Database) is selectively copied to a data warehouse so
that queries can be performed without disturbing the performance or the stability
of production systems. Data warehouses can be huge in terms of the data that
they hold. For convenience and ease, subsets of a data warehouse are created,
which are called Data Marts. In a Bank, one can see the Data Marts for
deposits, advances, investments, delivery channels etc.

1.8.5 Data mining in business

Data mining is a technique used to find new trends and patterns of behavior that
previously went unnoticed. These trends and behaviours serve as a base and can
be used in a predictive manner for different applications. Data mining can be
done for various purposes in banks.

Following are the reasons why Data Mining is done:

• For understanding the tastes and preferences of customers, based on
which new products are launched or the existing products are amended to
suit the customers’ tastes and preferences;
• For monitoring suspicious transactions such as anti-money laundering;
• For identifying the cases where customers have silently stopped using the
services of the Bank;
• For identifying the paying and non-paying accounts;
• For monitoring the end use of funds and for monitoring the accounts
where health is deteriorating and are under nursing program of the Bank.

The first step toward building a productive data mining plan is, of course, to
gather data. The key here is to locate the data critical to the business, refine it and
prepare it for the data mining process.

1.8.6 VISA & MasterCard

MasterCard and Visa are independent, competing card associations, comprised of
more than 20,000 member banks. The card associations offer products on both
the cardholder-issuing and merchant-acquiring sides of the business to facilitate
a complete system of electronic currency. Cards are issued to consumers with
credit spending limits, revolving interest rates and fees. Merchants are set up to
accept and deposit credit card sales through member acquiring banks. The
association's role is primarily branding and marketing, governing and enforcing
the rules and regulations, and managing and setting interchange pricing.

• A member bank may be both a card-issuing and merchant-acquiring
institution.
• The card associations have rules and regulations governing how industry
risk is handled.
• Merchant interchange fees are paid from the acquiring bank to the issuing
bank.
• Issuing banks market a variety of card products including: Classic, Gold or
Platinum cards, commercial, business, corporate, fleet, or purchasing
cards, and check cards.
• Interchange fees vary depending on the type of card product and how it
was accepted. Higher rates for instance are associated with manually-keyed
transactions and business card transactions.

VISA

Visa Inc. is an American multinational financial services corporation
headquartered at 595 Market Street, Financial District, in San
Francisco, California, United States, although much of the company's staff is
based in Foster City, California.

Visa is a global payments technology company that connects consumers,
businesses, banks and governments in more than 200 countries and territories,
enabling them to use digital currency instead of cash and checks. Visa has built
one of the world’s most advanced processing networks. It’s capable of handling
more than 20,000 transactions per second, with reliability, convenience and
security, including fraud protection for consumers and guaranteed payment for
merchants. Visa does not issue cards, extend credit or set rates and fees for
consumers. Visa’s innovations, however, enable its bank customers to offer
consumers more choices: Pay now with debit, ahead of time with prepaid or later
with credit products.

In 2008, according to The Nilson Report, Visa held a 38.3% market share of the
credit card marketplace and 60.7% of the debit card marketplace in the United
States. In 2009, Visa’s global network (known as VisaNet) processed 62 billion
transactions with a total volume of $4.4 trillion.

Master Card

MasterCard Incorporated or MasterCard Worldwide is an
American multinational financial services corporation located in the MasterCard
International Global Headquarters, Purchase, New York, United
States. Throughout the world, its principal business is to process payments
between merchant banks and the card issuing banks or credit unions of the
purchasers who use the "MasterCard" brand debit and credit cards to make
purchases.

MasterCard, originally known as Master Charge, was created by
several California banks as a competitor to the BankAmericard issued by Bank of
America, which later became the Visa credit card issued by Visa Inc.

Advantages of VISA/MasterCard¹

• Increased Sales: Consumers spend more when they’re not constrained
by cash on hand.
• Customer Satisfaction: Customers will appreciate the fact that they
have the flexibility to pay the way they want to pay – including by credit or
debit card. Happier customers are more loyal customers.
• Speed of Checkout: Customers speed through checkout with rapid
electronic payment. No more counting change or waiting while customers
write cheques.
• Improved Efficiency: Card transactions today are conducted
electronically. Paperless payments can save time and money by
minimizing cash handling and payment reconciliation, giving more time to
focus on more important things.
• Safety: With lower volumes of cash, merchants are less vulnerable to theft
and pilfering.
• Currency Conversion: Electronic payments on branded cards are settled in
the currency in which goods and services are sold, regardless of where the
cardholder is from.

Rupay Card: The National Payment Corporation of India (NPCI) products
include RuPay Credit Card, Rupay Debit Card, Rupay Kisan Credit Card, National
Common Mobility Card (NCMC) and National Electronic Toll Collection (NETC).
With these products the aim is to transform India into a ‘less-cash’ society by
touching every Indian with one or other payment services. With each passing
year we are moving towards our vision to be the best payments network globally.

1 www.mastercard.com.in

1.8.7 IP Address

An Internet Protocol address (IP address) is a numerical label assigned to each
device (e.g., computer, printer) connected in a computer network that uses
the Internet Protocol for communication. An IP address serves two principal
functions: host or network interface identification and location addressing. IP
addresses are binary numbers, but they are usually stored in text files and
displayed in human-readable notations, such as 172.16.254.1. The Internet
Assigned Numbers Authority (IANA) manages the IP address space allocations
globally and delegates five regional Internet registries (RIRs) to allocate IP
address blocks to Internet service providers and other entities. One can find an IP
address of a machine by typing IPCONFIG on a DOS prompt. To use the DOS
prompt one has to type CMD command in the ‘Run’ utility of MS Windows.

The designers of the Internet Protocol defined IP addresses as a 32-bit number
and this system is known as Internet Protocol Version 4 (IPv4), which is still in
use today. However, due to enormous growth of the Internet and depletion of
availability of addresses, a new version of IP address (IPv6), was developed using
128 bits in 1995 and its deployment has been ongoing since the mid-2000s. IPv6
addresses are also binary numbers and are usually stored in text files and
displayed in human-readable notations, such as 2001:db8:0:1234:0:567:8:1 (for
IPv6).

1.8.8 Routing

Routing is a process of selecting paths in a network for sending network traffic.
Routing is done in various kinds of networks such as the telephone
network (Circuit switching), electronic data networks (such as the Internet),
and transportation networks.

Typically, hardware devices such as routers, bridges, gateways, firewalls,
or switches are used for routing data packets in a network. General-purpose
computers can also forward packets and perform routing, though they
are not specialized hardware and may suffer from limited performance. The
routing process usually directs forwarding data packets on the basis of routing
tables which maintain a record of the routes to various network destinations.
Thus, constructing routing tables, which are stored in a router's memory, is very
important for efficient routing. Most routing algorithms use only one network
path at a time, but multipath routing techniques enable the use of multiple
alternative paths.
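
The following added example (not part of the course material) treats IP addresses as the binary numbers described in 1.8.7 and performs the routing-table lookup described in 1.8.8. It goes slightly beyond the text by using longest-prefix match, the standard rule for choosing among several matching routes; the routes, next hops and interface names are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (destination prefix, next hop, interface).
# Every address is from a private or documentation range; none comes from
# a real network. Interface names are hypothetical.
ROUTES = [
    ("0.0.0.0/0",       "203.0.113.1", "wan0"),     # IPv4 default route
    ("172.16.0.0/12",   "10.0.0.2",    "core0"),
    ("172.16.254.0/24", "10.0.0.3",    "branch0"),
    ("172.16.254.1/32", "10.0.0.4",    "atm0"),     # host route
    ("2001:db8::/32",   "2001:db8::1", "core0"),    # IPv6, no default route
]


def to_int(address):
    """Return the address as the plain integer a router actually compares."""
    return int(ipaddress.ip_address(address))


def to_bits(address):
    """Return the address as a 32-character (IPv4) or 128-character (IPv6) bit string."""
    ip = ipaddress.ip_address(address)
    return format(int(ip), "0{}b".format(ip.max_prefixlen))


def build_table(routes):
    """Parse the prefixes and order them so the most specific route is tried first."""
    table = []
    for prefix, next_hop, interface in routes:
        # ip_network() is strict by default: a prefix with host bits set
        # (for example 172.16.254.1/24) raises ValueError instead of being
        # silently accepted into the table.
        network = ipaddress.ip_network(prefix)
        table.append((network, next_hop, interface))
    table.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return table


def lookup(table, destination):
    """Longest-prefix match. Returns (prefix, next_hop, interface) or None."""
    ip = ipaddress.ip_address(destination)
    for network, next_hop, interface in table:
        if network.version == ip.version and ip in network:
            return str(network), next_hop, interface
    return None  # no matching route and no default: the packet is dropped


TABLE = build_table(ROUTES)

if __name__ == "__main__":
    print("172.16.254.1 as integer:", to_int("172.16.254.1"))
    print("172.16.254.1 as bits   :", to_bits("172.16.254.1"))
    for dest in ("172.16.254.1", "172.16.254.77", "172.20.3.9",
                 "198.51.100.7", "2001:db8:0:1234:0:567:8:1", "2001:db9::1"):
        print(dest, "->", lookup(TABLE, dest))
```
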

1.8.9 Public-key cryptography

Public-key cryptography refers to a cryptographic system requiring two
separate keys, one of which is secret and another is public. Both the keys are
linked to one another mathematically. The private key is used to encrypt text or
message intended to be sent by a user holding a private key. The public key is
used to decrypt a text message. It obviously means that private key or public key
cannot perform both the functions of an encryption and a decryption of a
message. The algorithms (mathematical logic) used for public key cryptography
are based on mathematical relationships (the most notable ones being the integer
factorization and discrete logarithm problems) that have no efficient solution. It
is easy for a sender to encrypt a message using a public key and it is extremely
difficult (or effectively impossible) for anyone to derive a private key, based only
on their knowledge of a public key.

Public key cryptography underpins such Internet standards as Transport Layer
Security (TLS), PGP, and GPG. There are three kinds of primary public key
systems: public key distribution systems, digital signature systems, and public
key cryptosystems, which can perform both public key distribution and digital
signature services.
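
The added example below (not part of the course material) shows a mathematically linked key pair at work with textbook RSA, which rests on the integer factorization problem named above: the public key encrypts and the private key decrypts, and for a digital signature the private key signs and the public key verifies. The primes, function names and sample messages are constructed for illustration; real systems use randomly generated keys of 2048 bits or more together with padding schemes such as OAEP and PSS.

```python
import hashlib

# Constructed toy key material: two well-known Mersenne primes. They are far
# too small and too predictable for real use and only keep the numbers short.
P = 2**31 - 1
Q = 2**61 - 1
E = 65537  # public exponent


def make_keypair(p, q, e):
    """Return (public, private) with public = (n, e) and private = (n, d)."""
    n = p * q                      # the modulus is published
    phi = (p - 1) * (q - 1)        # computable only by someone who knows p and q
    d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public, m):
    """Anyone holding the public key can encrypt an integer m < n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message integer must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private, c):
    """Only the holder of the private key can recover m."""
    n, d = private
    return pow(c, d, n)


def digest_int(message, n):
    """SHA-256 digest of the message, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """The private key produces a signature over the message digest."""
    n, d = private
    return pow(digest_int(message, n), d, n)


def verify(public, message, signature):
    """Anyone with the public key can check the signature."""
    n, e = public
    return pow(signature, e, n) == digest_int(message, n)


PUBLIC, PRIVATE = make_keypair(P, Q, E)

if __name__ == "__main__":
    # Confidentiality: constructed sample payload, 7 bytes so it fits below n.
    m = int.from_bytes(b"PAY 500", "big")
    c = encrypt(PUBLIC, m)
    print("ciphertext :", c)
    print("decrypted  :", decrypt(PRIVATE, c).to_bytes(7, "big"))

    # Authenticity: constructed sample instruction, signed then altered.
    order = b"credit account 1234 with Rs. 500"
    sig = sign(PRIVATE, order)
    print("genuine    :", verify(PUBLIC, order, sig))
    print("tampered   :", verify(PUBLIC, b"credit account 1234 with Rs. 900", sig))
```

Deriving `d` from the public pair `(n, e)` alone requires factoring `n` back into `P` and `Q`, which is what becomes infeasible at real key sizes.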

1.8.10 Let us sum up

INFINET is the communication back-bone of Banks and Financial Institutions
meant for catering exclusively for inter-bank applications such as RTGS, Delivery
Vs Payment, Government Transactions, Automatic Clearing House etc. NFS
inter-connects banks’ switches and inter-bank payment gateways for E-commerce
transactions. Data warehousing is a collection of data of an
organization from various resources. For easy usage of data, sub-sets of data
warehouses are created, which are called data marts. Data mining is used to
identify trends and patterns of data. VISA and Master Cards are companies which
issue credit and debit cards to customers based on arrangements from banks. IP
Addresses are assigned to each computer in a network for identification purpose
during data communications. Routing is a mechanism used by routers in a
computer network to forward data packets choosing best possible paths. Public
Key cryptography refers to a cryptographic system requiring two separate keys,
one of which is a secret key and another is a public key.

1.8.11 Key Words

INFINET, NFS, Inter-bank Payment Gateway, Data Warehousing, Data Mining,
VISA, MasterCard, Rupay Card, IP Address, Routing, Public Key cryptography

1.8.12 Check your progress questions

Fill in the Blank Questions:

1. IDRBT means -----------
2. NPCI means -----------------
3. PKC includes two keys ------------- and --------------------
4. DSS means ------------------
5. IP address is useful -------

1.8.13 Key to questions asked

1. Institute of Development and Research in Banking Technology
2. National Payment Corporation of India Limited
3. Private Key and a Public Key
4. Decision Support System
5. to identify a computer or any other device and also useful for sending
messages/files etc to a specific computer

1.8.14 Terminal questions

• What are the advantages of having a Visa or MasterCard logo on a debit or
credit card?
• What are the major achievements of NPCI and IDRBT in the Indian
Banking system?
• How are Data warehousing and Data mining useful for Decision Support
Systems in Banks?
• How is the Rupay card distinct from a MasterCard or VISA card? What are its
advantages?

Unit 2: Banking Technology and Management
Lesson No. 1 Core Banking
Lesson No. 2 Delivery Channels
Lesson No. 3 Inter Bank Payments
Lesson No. 4 E-Commerce
Lesson No. 5 Back Office Operations
Lesson No. 6 Important Terminology

2 Unit 2: Banking Technology and Management

2.1 Lesson No. 1 Core Banking

2.1.1 Objectives
2.1.2 Introduction
2.1.3 Core Banking System Products (Net Banking, Mobile Banking, RTGS,
NEFT, IMPS, ATM, Micro ATM, POS, Kiosk)
2.1.4 Branch Operations
2.1.5 System Administration and Server Administration
2.1.6 Let us sum up
2.1.7 Key words
2.1.8 Check your progress –questions
Key to questions asked
2.1.9 Terminal questions

2.1.1 Objectives

The objectives of this lesson are to understand

• the Core banking technology adopted by most Banks in India
• the various activities related to core banking which are required to be
understood to ensure smooth and successful implementation of the same in a
Bank.

Core Banking System in India

2.1.2 Introduction

The major objectives of bank automation are better customer service, flawless
book keeping and prompt decision-making that leads to improved productivity
and profitability. The concept of bank automation started in the year 1981, but it
was during the period 1984-1987 that banks in India started branch-level
automation, making use of the then available MS-DOS based stand-alone
computers. This initiative was taken by the banks on the basis of the “First
Rangarajan Committee report” on bank computerization submitted in the year
1984. ALPMs (Advanced Ledger Posting Machines) were the fashion in those
days. However, the pace of bank automation was very slow in the banks, primarily
owing to the lack of trade union consensus on bank automation.

Another committee was constituted in 1988 under the chairmanship of Dr. C
Rangarajan, the then Deputy Governor of RBI, to lay down a perspective plan on
automation of banks for a five year period. This paved the way to the implementation
of multi-user Total Branch Automation (TBA) packages running on a LAN (Local Area
Network), either on a Netware or a UNIX operating system. With the
implementation of TBA, banks started to offer the facilities of exclusive Customer
Terminal, Single window transaction, on-line and off-site ATMs, Tele-Banking
etc.

But with the advent of new generation private sector banks in India during 1994-
1996, the real era of bank marketing started and these banks started to offer
anywhere and any time banking facilities to their customers. This was possible for
them mainly owing to the fact that they opted for the implementation of a WAN
(Wide Area Network) based centralised banking solution rather than a LAN
based branch banking solution to network their limited number of branch
outlets.

The old generation banks in India hesitated to follow this banking fashion on
account of their large network of branches on one hand and the then prevailing
exorbitant IT cost on the other hand. But with the globalization and liberalization
of the Indian market and with the enactment of TRAI (with a mission to create and
nurture conditions for growth of telecommunications in the country in a manner
and at a pace which will enable India to play a leading role in the emerging global
information society) during the late nineties, there was a drastic reduction
in IT cost.

Improved telecommunication facilities and reduction in hardware as well as
networking cost changed the mindset of the banks in India to try the CBS option.
This also equipped them with the required technology leverage to compete in the
Indian market by offering the similar technology products and services, as those
offered by their new generation competitors.

Changing the face of Indian banking:

It is a revolution that has changed the face of banking in India. The core
banking solution (CBS) enabled the concept of ‘anytime, anywhere’ banking. The
concept is all set to evolve from just being the IT infrastructure automating
banking operations to the only way of doing banking in the future. Before the
large Indian banks underwent a core banking transformation, branches were the
only viable banking channel for both businesses and consumers. “Worse yet, these
resource-constrained channels were localized with respect to the information that
they possessed. For example, if a consumer opened an account at a branch near
their home, that person would not be recognized at other bank branches. This
decentralized model restricted the value of banking. Since most large banks and
many other banks have transformed their back office, anywhere and anytime
banking is driving higher levels of access and value to the end customers,”
stated Don Free, Research Director, Banking/Investments, Gartner.

No other sector has benefited from IT as much as the financial sector, in
particular banking. The process of bank automation started in the 1990s, and
since then there has been constant evolution. The implementation of CBS has
been marked by key milestones at every step. Indian banks have of course had the
last mover advantage while their counterparts in Western countries have been
struggling with the challenges of replacing legacy systems.

Core Banking Solutions:

Core Banking Solution (CBS) is networking of bank branches, which allows
customers to manage their accounts, and use various banking facilities from any
part of the world.

In simple terms, there is no need to visit your own branch to do banking
transactions. You can do it from any location, any time. You can enjoy banking
services from any branch of the bank which is on the CBS network, regardless of
the branch in which you have opened your account.

For the bank which implements CBS, the customer becomes the bank’s customer
instead of the customer of a particular branch.

Execution of the Core banking system across all branches helps to speed up most of
the common transactions of bank and customer. In Core banking, all the
branches access banking applications from a centralized server which is hosted in
a secured datacenter.

Banking software/ application performs basic operations like maintaining
transactions, balance of withdrawal & payment, interest calculations on deposits
& loans etc. These banking applications are deployed on a centralized server & can
be accessed using the internet from any location.

The need for Core Banking Technology:

Nowadays, the use of Information Technology (IT) is a must for the survival &
growth of any organization and the same is applicable to the banking industry
also. By using IT, banks can minimize the operation cost; banks can also
offer products & services to customers at competitive rates.

CBS is required:

• To meet the dynamically changing market & customer needs.
• To improve & simplify banking processes so that bank staff can focus on
sales & marketing stuff.
• Convenience to customer as well as bank.
• To speed up the banking transactions.
• To expand presence in rural & remote areas.

Basic activities of CBS that help customers are:

• Internet Banking
• Mobile Banking
• ATM
• POS
• Kiosk Banking
• Micro ATM
• Fund Transfers – NEFT, RTGS, IMPS and FAQ on Banking facilities

Minimum features of Core Banking Solution:

• Customer on-boarding.
• Managing deposits and withdrawals.
• Transactions management.
• Interest calculation and management.
• Payments processing (cash, cheques, mandates, NEFT, RTGS).
• Customer relationship management (CRM) activities.
• Designing new banking products.
• Loans disbursal and management.
• Accounts management.
• Establishing criteria for minimum balances, interest rates, number of
withdrawals allowed, and so on.

Benefits of Core banking –

Core banking solutions are beneficial to both banks as well as customers.

Benefits for Customers

• Quicker services at the bank counters for routine transactions like cash
deposits, withdrawal, passbooks, statement of accounts, demand drafts
etc.
• Anywhere banking by eliminating branch banking.
• Provision of banking services 24 X 7.
• Fast payment processing through Internet banking, mobile banking.
• Anytime anywhere banking through ATMs.
• All branches access applications from central servers/datacenter, so
deposits made in any branch reflect immediately and the customer can
withdraw money from any other branch throughout the world.
• CBS is very helpful to people living in rural areas. The farmers can receive
e-payments towards subsidy etc. in their accounts directly. Transfer of funds
from the cities to the villages and vice versa will be done easily.

Benefits for Banks

• Process standardization within bank & branches.
• Retention of customers through better customer service.
• Accuracy in transactions & minimization of errors.
• Improved management of documentation & records – having centralized
databases results in quick gathering of data & MIS reports.
• Ease in submission of various reports to the Government & Regulatory
boards like RBI.
• Convenience in opening accounts, processing cash, servicing loans,
calculating interest, implementing change in policies like changing interest
rates etc.

2.1.3 Core Banking Products

Core Banking System facilitated the evolution of technology related products for
offering them to the customers.

Automated Teller Machines (ATMs): Banks could allow customers to
withdraw cash from an ATM at the convenience of the customer from any place
wherever a Bank had its ATMs. Since the balance in an account is instantaneously
updated in a Centralized database, the only requirement was to have the
connectivity of the ATM to the Centralized database. Banks started offering various
facilities related to ATMs to customers. Balance in an account can be viewed.
Transfer of funds from one account to another account of a customer was
allowed. A customer can give a request for a cheque book, can have his/her pre-paid
mobile recharged or he/she can make payment of utility bills using an ATM card.

The success of ATM helped banks come together and form a consortium. This
consortium helped customers to withdraw cash from ATMs of Banks covered
under a particular consortium. For Example: Customer of Bank of India could go
to ATM of State Bank of India to withdraw cash. Many consortiums such as
BANCS, CASH TREE etc. were formed to achieve this purpose. The major
initiative was undertaken by National Payment Corporation of India. It has set up
National Financial Switch (NFS). NFS has connected almost all the major
scheduled commercial banks, foreign Banks and co-op Banks. This has become
the largest consortium in India. It has offered connectivity to more than 95000
ATMs all over the country to the customers of the Banks under the consortium.

• It is important to recall the initiative undertaken by IBA to set up a similar
consortium SWADHAN, before the advent of Core Banking. Under the
consortium, customers were entitled to withdraw cash up to Rs. 5000.
This did not take off due to its own limitation of not updating the balances
immediately after a transaction is done.

POS (Point of Sale) -

POS Terminal is an automated version of a cash register operating through
various hardware and software devices. Today’s POS terminal can not only
record and track customers' orders/transactions, but can also process
credit/debit cards, connect to other systems in a network and manage inventory. A
GPRS POS terminal can be moved anywhere as it has a SIM card and built-in
battery, whereas a PSTN POS terminal is stationed at specific locations and
wired to the telephone.

Micro-ATM Device –

• The portable hardware like PoS
• Enables basic banking transactions remotely
• Key features of the device are:
    o Wireless GPRS connectivity
    o PCI-PED enabled PIN pad for entry of secure PIN
    o QWERTY Keyboard
    o Typically 4” screen
    o Smart and Magstripe Card Readers
    o Speaker to announce transaction for illiterate customer
    o Extended battery life
    o Software Solution in the Micro-ATM Device connected to the
      Financial Inclusion Server through SIM of a tele-communication
      service provider
• Financial inclusion Server integrated with the Payment Switch installed
for issuing RuPay Cards linked to NFS
• The Hardware and the Software Solution to meet technical specifications
of NPCI as well as UIDAI to facilitate transmission of Data to NFS and to
CIDR in their required format
• UIDAI has announced Micro-ATM standards version 1.5.1 – all future
devices need to comply with these standards
• Biometric identification of the card holder, printing of transaction and
mini account statement.
• The cardholder accessing the Micro-ATM can be of any bank linked to the
NFS.
• Primarily to provide basic banking facilities like
    o Withdrawal of Money
    o Deposit of Money
    o Mini Statement
    o Funds Transfer
to the cardholder through Business Correspondents in unbanked areas
for financial inclusion of the people residing in the remote areas
• DCCBs to play an important role in this financial inclusion effort in respect
of their own customers and PACS’s members

Kiosk Banking

It is an Internet enabled PC based technology and extremely easy to use. Kiosk
transactions are biometrically secured. A printed acknowledgement of each
transaction is issued to the customer, and the Kiosk has an end to end process of
account opening and online transactions. Micro savings and micro remittances are done
through Savings Bank Accounts opened with CSP (Customer Service Points)
Kiosks. Kiosk banking helps the Kiosk to become a mini branch of a Bank.

Internet Banking: Customer can access his/her account through the Internet.
Virtually all transactions are allowed to be done using the Internet. In fact a bank
branch is created in the personal computer of a customer. Internet Banking has
facilitated everything except withdrawal of cash. Utility payments, transfer of
funds inter-bank and intra-bank, cheque book requests, transfer of funds for
keeping it in fixed deposits and registering instructions for stop payment of
cheques, are the services offered to customers through the Internet Banking. E-
commerce has gathered momentum because customers can effect payment either
through debit cards/credit cards or through the Internet Banking account.

Mobile Banking: Initially Banks facilitated Pull messaging service to
customers wherein they can send SMSs for knowing balances from their
accounts, viewing last four transactions and getting details of cheques deposited.
With the advancement of the technology in Mobile instruments, Banks have been
offering all facilities which customer can avail through Internet Banking. In fact a
bank branch is created on a palm top of a customer.

IMPS: NPCI has initiated another notable service called Inter-Bank Mobile
Payment Service (IMPS). Customers of member Banks who are connected to this
initiative can transfer funds from one account to another account anywhere in
India using a mobile instrument.

Payment Services: Core Banking has facilitated electronic payments in the
country. Cheque was the only mode of payment for settlement of claims between
two parties. Now various options are available to customers for this purpose.

Electronic Clearing Service (ECS): This service helps customers to effect
debit and credit transactions. Credit ECS is used for payment of dividend on
shares, periodic interest payments, utility bill payments, salary of employees etc.
Every Bank has to extract the credit file for this purpose and send it to a Clearing
house. Electronically the file is divided and sent to respective banks who upload it
in a Core Banking Database. Without manual intervention, thousands and lakhs
of credit payments are made using ECS (credit).

ECS (debit) has replaced post dated cheques given to Banks/companies towards
payment of loan installments. Now the mandate for debiting the account duly
signed by the customer and acknowledged by the Bank where he/she has
current/saving account is given to the Bank/company giving loans. On the
strength of the mandate, the ECS debit file is sent to the clearing house for its
onward transmission to the respective Banks.

National Electronic Fund Transfer (NEFT) & Real Time Gross
Settlement (RTGS): Customers can transfer funds from their account to any
account in the country. In case of NEFT there is no restriction on the amount to
be transferred.

Online trading: Customers can do trading in shares online, using the platform
provided by a Bank through the internet. On purchase and sale, the customer's
account is debited/credited for the amount of the purchase/sale value and changes
are effected in the Demat account as well. Online delivery of shares and online
settlement of transactions are the key features of online trading.

Debit Card/Credit Card: Customers can make use of debit cards and credit cards
for virtually every type of transaction. The plastic card has, to a great extent, reduced
the movement of physical cash. Earlier, credit cards were given to creditworthy
customers only. With the onset of Core Banking, Banks started issuing debit
cards to every account holder, who can use them for doing purchases, settling utility
bill payments, booking of rail/air tickets, payment of subscription etc. In the case of
a debit card, the transaction happens after debiting the customer’s account, and in
the case of a credit card, the transaction is allowed up to the credit limit granted.
The customer immediately receives SMSs for the transactions done.

2.1.4 Branch operations

In the era of branch automation, all transactions of a branch were processed
within a branch only. From cash transactions to transfer and clearing
transactions branch staff were involved. At the end of each day, cash book was
prepared by the branch staff. In the process, branch staff was pre-occupied in
completing back office operations and customer service was neglected. Core
Banking has enabled Banks to change focus in a branch from back office activities
to Customer service and marketing. Following are the areas that relate to the
back office activities which are not required to be done from a branch. To
leverage the core banking to the fullest extent most of the banks have centralized
these operations by shifting it from the branches.

Account opening: All types of accounts (current & savings as well as fixed
deposits & loan) are opened from a centralized place. The forms are sent to these
centres by the branches. In case of CASA accounts, this has helped Banks to do
the KYC checking at the Centralized locations where accounts are opened. This
has minimized the chances of opening non-compliant KYC accounts. Fixed
deposit receipts are sent directly to customers.

Outward Clearing & Inward Clearing: Collection of cheques through clearing as
well as collection of outstation cheques is one of the major activities
branches used to handle every day. This activity is now shifted to centralized
locations in every city. Cheques are sent through courier to the designated
centres by branches and these centres process the cheques, present them to the
clearing house of that place and also handle the return of cheques. Under the
Cheque truncation method images are sent through dedicated leased lines.
Similarly, inward clearing activity is also handled from a central location
without involving branch staff. The electronic file received from the Clearing
House is uploaded into the system to do the posting to the respective accounts.
Thereafter the officials have to check the apparent tenor of the instrument and
verify the signature. Advanced cheque scanning machines are used to detect
frauds, as these machines are ultraviolet (UV) lamp enabled and detect
alterations in the instruments. These machines also detect if a Xerox copy of a
cheque instrument is fraudulently presented.

Day Begin and Day End operations: These are the routine activities which
are to be carried out for the banking activities to commence or for closing the
books for the day. Usually these activities are carried out from a Data Centre
where the data of a Bank is centrally located.

Periodic interest payments: Apart from the accuracy in calculating interest,
it is essential to complete the process in a stipulated time. These activities
are also carried out at the Data centre where such operations are run at night
after closure of branch operations.

2.1.5 System administration & server administration

When a database is hosted at the centralized locations, it is obvious that the
production servers and application servers are to be administered on a regular
basis to avoid breakdown of the system. Specialized persons are engaged for
handling these activities. The team takes care of regular update of the
anti-virus patch on all the machines/servers in use at the Data centre as well
as at branches. Apart from the patch updation, scanning of servers and nodes is
done by the team by auto scheduling the activities. The team also regularly
applies the operating system patches received online from the vendors. The team
takes care of the security requirement by hardening the servers as per the
security policy adopted by a Bank.

Database administration

Every Bank has to have a database with in-built security features as well as
features that enable scalability in its operations. Oracle, DB2, Sybase,
MS-SQL and MySQL are the databases which are in use in banks. Database
administrators (DBAs) at a datacenter continuously monitor the database. Using
advanced monitoring tools, they check the CPU utilization, memory utilization
and % waits during peak hours as well as at times when the processes are
running. After heavy inserts of data, particularly after batch processes for
interest calculations are run, DBAs rebuild the indexes and update the
statistics that the database needs internally for planning queries. The logs
generated by a database are monitored from a remote place by the vigilance team
of a Bank to ensure that unauthorized updates are not run by the DBAs.
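The vigilance review described above can be sketched as follows. This is an added example, not part of the course material or any bank's tooling: the pipe-delimited audit layout, the account names, the table names and the change register are all constructed assumptions. It treats index rebuilds and statistics updates as routine DBA work and flags data-changing statements by DBA accounts that carry no approved change ticket.

```python
"""Flag data-changing statements run by DBA accounts without an approved change."""
from dataclasses import dataclass

# Constructed sample audit trail. The layout
# (time|user|role|action|object|change ticket) is an assumption for this
# example; real database audit logs differ from product to product.
SAMPLE_AUDIT_LOG = """\
2023-04-01T01:10:05|batch_int|APP|UPDATE|CBS.ACCOUNT_BALANCE|
2023-04-01T02:30:11|dba_ravi|DBA|ALTER INDEX REBUILD|CBS.IDX_TXN_DATE|
2023-04-01T02:41:47|dba_ravi|DBA|UPDATE STATISTICS|CBS.TXN_LEDGER|
2023-04-01T03:05:29|dba_ravi|DBA|UPDATE|CBS.ACCOUNT_BALANCE|
2023-04-01T03:06:02|dba_meena|DBA|DELETE|CBS.TXN_LEDGER|CHG-0042
2023-04-01T03:07:15|dba_meena|DBA|update|CBS.INTEREST_RATE|CHG-0099
this line is malformed
"""

# Hypothetical change register: ticket id -> DBA accounts allowed to act on it.
APPROVED_CHANGES = {"CHG-0042": {"dba_meena"}}

# Statements that alter business data. Matching is on the whole action, so
# maintenance such as "UPDATE STATISTICS" is not mistaken for "UPDATE".
DATA_CHANGING = {"INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    action: str
    obj: str
    reason: str


def review_audit_log(text, approved_changes):
    """Return (findings, malformed_line_numbers) for one audit extract."""
    findings, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 6:
            # An unparseable audit record is reported, never silently dropped.
            malformed.append(lineno)
            continue
        ts, user, role, action, obj, ticket = fields
        action = " ".join(action.upper().split())
        if role.upper() != "DBA" or action not in DATA_CHANGING:
            continue  # application activity or routine maintenance
        if not ticket:
            reason = "no change ticket"
        elif user not in approved_changes.get(ticket, set()):
            reason = f"ticket {ticket} not approved for this user"
        else:
            continue  # data fix covered by an approved change
        findings.append(Finding(ts, user, action, obj, reason))
    return findings, malformed


if __name__ == "__main__":
    found, bad_lines = review_audit_log(SAMPLE_AUDIT_LOG, APPROVED_CHANGES)
    for f in found:
        print(f"{f.timestamp} {f.user} {f.action} {f.obj}: {f.reason}")
    print("malformed lines:", bad_lines)
```

For the review to mean anything, the audit extract has to be collected where the DBAs themselves cannot alter it, which is why the text has it monitored from a remote place.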

Network administration: The basic premise for Core Banking System is the
inter-connectivity between branches and the Data Centres. If connectivity is
lost, branches would not be able to carry out any operations in the system.
Customers too would not be able to do any transactions from ATM or through
Internet. It is therefore essential to monitor the network on a continuous
basis. While monitoring networks, the following are checked:

• The connectivity between branches and the data centre is up and running;
• The utilization of bandwidth is within the priorities set at the router
  level;
• No machine at a data centre and/or at a branch is broadcasting. This clogs
  bandwidth and slows down the performance. This may happen due to a virus in
  the system;
• The Local Area Network (LAN) connectivity in a branch is not disturbed
  due to faulty cabling or any other civil activity carried out in a branch;
• No untoward activities are noticed in the firewall through which messages
  are passed on to the data servers.

2.1.6 Let us sum up

Computerization in Indian Banks had started way back in 1975. Despite the
automation, branches of banks remained in isolation without inter-connectivity
between branches and Head Offices. Advancement in Networking and
Software/Hardware technologies helped to make Core Banking Solutions (CBS) a
reality. CBS made banking operations possible any time, anywhere. CBS offers
various services such as ATMs, Internet Banking, Mobile Banking, Online
Trading, Card payments and Utility Bills payments, to name a few. CBS made
branch operations easy. Branches are able to concentrate on customer service
and marketing rather than being clogged with back-end operations. Activities
such as account opening, inward and outward clearing, day-begin and day-end
operations and periodic interest payment are done from a central place. The
other technical activities like System Administration, Database Administration
and Network Administration are carried out from a centrally located place.

2.1.7 Key words

Computerization, Automation, Networking, Software, Hardware, Database, OS,
Networking, CBS, ATMs, Micro ATMs, POS, Kiosk Banking, NFS, RTGS, NEFT,
IMPS and ECS

2.1.8 Check your progress-questions

Fill in the Blanks /Multiple Choice questions:

1. DBA means -----------------------

2. SA means ------------------------

3. Which one of the following is not a DBMS?

a. Oracle
b. Sybase
c. DB2
d. PL/SQL

4. Which one of the following is not a core banking solution?

a. Oracle
b. Swiftcore
c. Flexicube
d. Finacle

5. Core Banking Solutions have enabled banks for------------

a. Any branch banking
b. Providing bank services through multiple delivery channels
c. Introducing new products which can be offered purely based on technology
d. All of the above

Key to questions asked

1. Data Base Administrator
2. System Administrator
3. d
4. a
5. d

2.1.9 Terminal questions

• Which are the products offered by Banks after the Core Banking system is
  implemented?
• What are the initiatives taken by banks in India with regard to payment
  systems after adopting the Core Banking Solutions?
• What are the electronic money transfer modes available from Banking
  channels?

2.2 Lesson No. 2 Delivery channels

2.2.1 Objectives
2.2.2 Introduction
2.2.3 Automated Teller Machines, FAQ on White label ATMs
2.2.4 Internet Banking
2.2.5 Mobile/ SMS banking
2.2.6 Phone banking
2.2.7 Debit cards
2.2.8 Credit cards and FAQ on Cards
2.2.9 Other Digital Payment Systems –UPI, BHIM,*99#,Bharat QR Code, NACH,
AEPS, APBS/DBT, BBPS, Pre Paid Instruments and E- Wallets
2.2.10 Let us sum up
2.2.11 Key words
2.2.12 Check your progress- questions
Key to questions asked
2.2.13 Terminal questions

2.2.1 Objectives

The objectives of this lesson are to understand

• The delivery channels offered by Core Banking Solutions, in detail
• Plastic cards, which are replacing physical cash as a mode of settlement
  of payments.

2.2.2 Introduction

Branchless banking is a distribution channel strategy used for delivering
financial services without relying on bank branches. While the strategy may
complement an existing bank branch network for giving customers a broader range
of channels through which they can access financial services, branchless
banking can also be used as a separate channel strategy that entirely forgoes
bank branches.

2.2.3 Automated Teller Machine

Branches traditionally have been accepting cash as well as paying cash as per
the mandate of a customer. Automated Teller Machines, popularly known as ATMs,
have been introduced in Banks for doing this manual activity. In India, ATMs
are popular for withdrawing cash as and when required. Hence these machines are
called cash dispensing machines. These machines are capable of handling
virtually all the operations that a teller performs in a branch. These machines
can handle the following activities:

• Accept Cash
• Dispense Cash
• Provide details of balance in an account
• Allow utility bill payments
• Recharging of Mobiles
• Transfer of funds
• Requests for issuing a cheque book

Core Banking has enabled updation of balances in an account immediately after a
transaction is done. Customers get SMS messages after a transaction is done
from an ATM. The nationwide consortium formed by National Payments
Corporation of India (NPCI) has enabled customers of the member Banks to do
ATM transactions from any ATM (nearly over 95000) all over the country.

FAQs on ATM / White-label ATM
[as sourced from RBI website]

Q.1. What is an Automated Teller Machine (ATM)?

Ans 1. Automated Teller Machine is a computerized machine that provides the
customers of banks the facility of accessing their account for dispensing cash
and to carry out other financial & non-financial transactions without the need
to actually visit their bank branch.

Q.2. What are White Label ATMs (WLAs)?

Ans 2. ATMs set up, owned and operated by non-banks are called White Label
ATMs. Non-bank ATM operators are authorized under Payment & Settlement
Systems Act, 2007 by the Reserve Bank of India.

Q.3. What is the difference between ATM and WLA (White Label ATM)?

Ans 3. i) In White Label ATM scenario, logo displayed on ATM machine and in
ATM premises pertain to WLA Operator instead of a bank. However, for a
customer, using WLA is just like using the ATM of other bank (bank other than
card issuing bank). ii) Acceptance of cash deposits at the WLAs is not permitted
at present.

Q.4. What has been the rationale of allowing non-bank entities for setting up of
WLAs?

Ans 4. The rationale of allowing non-bank entity to set up White Label ATMs has
been to increase the geographical spread of ATM for increased / enhanced
customer service.

Q.5. What type of cards can be used at an ATM/WLA?

Ans 5. The ATM/ATM cum debit cards, credit cards and open prepaid cards (that
permit cash withdrawal) issued by banks can be used at ATMs/WLAs for various
transactions.

Q.6. What are the services/facilities available at ATMs/WLAs?

Ans 6. In addition to cash dispensing, ATMs/WLAs may offer many other
services/facilities to bank customers. Some of these services include:

• Account Information
• Cash Deposit (Acceptance of deposits are not permitted at WLAs)
• Regular Bills Payment (not permitted at WLAs)
• Purchase of Re-load Vouchers for Mobiles (not permitted at WLAs)
• Mini/Short Statement
• PIN change
• Request for Cheque Book

Q.7. How can one transact at an ATM/WLA?

Ans 7. For transacting at an ATM/WLA, the customer inserts/swipes his/her
Card in the ATM/WLA and enters his/her Personal Identification Number (PIN).
Usually the transactions are menu driven for facilitating easy

Q.8. What is Personal Identification Number (PIN)?

Ans 8. PIN is the numeric password which is separately mailed / handed over to
the customer by the bank while issuing the card. Most banks require the
customers to change the PIN on the first use. Customer should not disclose PIN
to anybody, including to bank officials. Customers should change the PIN at
regular intervals.

Q.9. Can these cards be used at any bank/non-bank ATM (WLA) in the country?

Ans 9. Yes. The cards issued by banks in India may be used at any bank / white
label ATM in the country.

Q.10. Are customers entitled to any free transactions at ATMs?

Ans.10. Yes. With effect from November 01, 2014, a bank must offer to its savings
bank account holders a minimum number of free transactions at ATMs as under:

I. Transactions at a bank’s own ATMs at any location: Banks must offer their
savings bank account holders a minimum of five free transactions
(including both financial and non-financial) in a month, irrespective of the
location of ATMs.
II. Transactions at any other banks’ ATMs at Metro locations: In case of
ATMs located in six metro locations, viz. Mumbai, New Delhi, Chennai,
Kolkata, Bengaluru and Hyderabad, banks must offer their savings bank
account holders a minimum of three free transactions (including both
financial and non-financial transactions) in a month.
III. Transactions at any other banks’ ATMs at Non-Metro locations: At other
locations, banks must offer the savings bank account holders a minimum
of five free transactions (including both financial and non-financial
transactions) in a month at other bank ATMs.

RBI has mandated only the minimum number of free transactions at ATMs.
Banks may offer more number of transactions free of cost to their customers.

The above does not apply to Basic Savings Bank Deposit Accounts (BSBDA) as
withdrawals from BSBDA are subject to the conditions associated with such
accounts,

Q.11. Are customers charged for any transaction at ATMs?

Ans 11. Yes, customers can be charged for transactions at ATMs over and above
the mandated number of free transactions (as indicated in answer to Q.10 above).
In case a bank decides to levy charges, the customer can be charged a maximum
of Rs. 20/- per transaction (plus service tax, if any) by his/her bank.

Q.12. What should be done if card is lost / stolen?

Ans 12. The customer should contact the card issuing bank immediately on
noticing the loss / theft of the card and should request the bank to block the card.

Q.13. From where the customer can get the contact numbers for lodging a
complaint?

Ans 13. Banks are required to display the name and the contact numbers of
concerned officers/toll free number/help desk numbers in the ATM premises.
Similarly, in WLAs, contact number of officials/toll free numbers/ helpline
numbers are also displayed for lodging any complaint regarding failed/disputed
transactions.

Q.14. What steps should a customer take in case of failed ATM transaction at
other bank/white label ATMs, when his / her account is debited?

Ans 14. The customer should lodge a complaint with the card issuing bank at the
earliest. This process is applicable even if the transaction was carried out at
another bank’s/non-bank’s ATM. In case of WLAs, the contact number/toll free
numbers are also available for lodging complaints regarding failed transactions at
their ATMs.

Q.15. Is there any time limit for the card issuing banks for recrediting the
customers account for a failed ATM/WLA transaction indicated under Q. No. 13?

Ans 15. As per the RBI instructions (DPSS.PD.No.2632/02.10.002/2010-2011
dated May 27, 2011), banks have been mandated to resolve customer complaints
by re-crediting the customer’s account within 7 working days from the date of
complaint.

Q.16. Are the customers eligible for compensation for delays beyond 7 working
days?

Ans 16. Yes. Effective from July 1, 2011, banks have to pay compensation of Rs.
100/- per day for delays in re-crediting the amount beyond 7 working days from

the date of receipt of complaint for failed ATM transactions. The compensation
has to be credited to the account of the customer without any claim being made
by the customer. If the complaint is not lodged within 30 days of transaction, the
customer is not entitled for any compensation for delay in resolving his / her
complaint.

Q.17. What is the course of action for the customer if the complaint is not
addressed by his/her bank within the stipulated time / not addressed to his
satisfaction?

Ans 17. The customer can take recourse to the Banking Ombudsman, if the
grievance is not redressed by his/her card issuing bank.

Q.18. What is the Grievance Redressal Mechanism available to users of WLAs in
case of failed/disputed WLA transactions?

Ans 18. The Grievance Redressal Mechanism available to users of WLA is same as
that available to users of banks’ ATMs for failed/disputed transactions. While the
primary responsibility to redress grievances of customers relating to failed
transactions at such WLAs will vest with the card issuing bank, the sponsor bank
will provide necessary support in this regard, ensuring that White Label ATM
Operator (WLAO) makes available relevant records and information to the
Issuing bank.

Q.19. What should be done to the ATM card when the card is expired or the
account is closed?

Ans 19. Customer should destroy the card upon card expiry or closure of account,
cutting it into four pieces through the magnetic strip/chip before disposing of it.

Q.20. How shall the customer keep his/her ATM/WLA transaction secure?

Ans 20. Customers should observe following Do’s and Don’ts to keep their
transaction safe and secure at ATM/WLA:

• Customer should conduct any ATM/WLA transaction in complete privacy.
• Only one card holder should enter and access ATM/WLA kiosk at a time.
• He/she should never lend his/her card to anyone.
• Do not write PIN on the card.
• Never share PIN with anyone or seek help from anybody by handing over
  the card and revealing the PIN.
• Never let anyone see the PIN while it is being entered at the ATM.
• Never use a PIN that could be easily guessed, e.g. his/her birthday,
  birthday of spouse or telephone number.
• Never leave card in the ATM/WLA.
• Register mobile number with the card issuing bank for getting alerts for
  ATM/WLA transactions. Any unauthorized card transaction in the
  account, if observed, should be immediately reported to the card issuing
  bank.
• Beware of any extra devices attached to the ATMs/WLAs. These may be
  put to capture customer’s data fraudulently. If any such device is found,
  inform the security guard / bank / white label ATM entity maintaining it
  immediately.
• Keep an eye on suspicious movements of people around ATMs/WLAs.
  Customer should beware of strangers trying to engage him/her in
  conversation or offering assistance / help in operating the ATM.

Remember that bank officials will never ask for card details or PIN over
telephone / email. So, do not respond to any vishing / phishing mails from people
indicating that they represent your bank.
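The advice above against easily guessed PINs can also be enforced by the issuer when a customer sets or changes a PIN. The following is an added example, not taken from the RBI FAQ or from any bank's system: the 4 to 6 digit length policy, the function names and the sample customer details are assumptions, and it goes slightly beyond the FAQ by also rejecting sequential and repeated digits.

```python
"""Reject easily guessed PINs at PIN-change time (issuer-side check)."""
from datetime import date

MIN_LEN, MAX_LEN = 4, 6  # assumed PIN length policy for this example

# Constructed customer record used for the demonstration below.
SAMPLE_DOB = date(1985, 8, 15)
SAMPLE_SPOUSE_DOB = date(1987, 11, 23)
SAMPLE_PHONE = "+91 98200 15473"


def date_candidates(d, pin_len):
    """Digit strings of length pin_len that people commonly derive from a date."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    forms = (dd + mm, mm + dd, yyyy, mm + yy, yy + mm,
             dd + mm + yy, mm + dd + yy, yy + mm + dd)
    return {f for f in forms if len(f) == pin_len}


def is_run(pin):
    """True for ascending or descending runs such as 1234, 7890 or 4321."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {9}


def is_repetitive(pin):
    """True for 1111 or a repeated block such as 1212 or 123123."""
    return any(len(pin) % n == 0 and pin == pin[:n] * (len(pin) // n)
               for n in range(1, len(pin) // 2 + 1))


def pin_rejection_reasons(pin, dob, spouse_dob=None, phone=""):
    """Return the reasons a proposed PIN is refused; an empty list means accept."""
    if not (pin.isascii() and pin.isdigit() and MIN_LEN <= len(pin) <= MAX_LEN):
        return ["must be 4 to 6 digits"]
    reasons = []
    if pin in date_candidates(dob, len(pin)):
        reasons.append("matches own date of birth")
    if spouse_dob and pin in date_candidates(spouse_dob, len(pin)):
        reasons.append("matches spouse's date of birth")
    phone_digits = "".join(ch for ch in phone if ch.isdigit())
    if pin in phone_digits:
        reasons.append("appears in registered phone number")
    if is_run(pin):
        reasons.append("sequential digits")
    if is_repetitive(pin):
        reasons.append("repeated digits")
    return reasons


if __name__ == "__main__":
    for candidate in ("1508", "2311", "5473", "4321", "7777", "8264"):
        why = pin_rejection_reasons(candidate, SAMPLE_DOB,
                                    SAMPLE_SPOUSE_DOB, SAMPLE_PHONE)
        print(candidate, "rejected: " + "; ".join(why) if why else "accepted")
```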

2.2.4 Internet banking

Internet Banking is one of the fastest, most convenient ways to access Bank
accounts, view balances, transfer funds and pay bills online. Using a unique
Customer ID and password, the customer can perform banking transactions online,
whenever and wherever he/she wants, from any PC with Internet access. It's
safe, convenient and it's FREE.

Customer can access Internet Banking using the following browsers:

• Internet Explorer - versions 5.5 onwards
• Netscape - versions 7.1, and 7.2
• Safari version 1.2
• Mozilla/Firefox version 1.0
• Google Chrome

Customer can save the URLs of Internet Banking by clicking on the favourite
menu in the menu bar of Internet Explorer or with similar functions in other
browsers. Thereafter, whenever the customer wants to open the internet banking
page he/she has to click on the saved favourite option.

To avail Internet Banking facility, customer should have account with a Bank.
He/she can be a savings account holder or a current account holder or a loan
account holder or a term deposit holder or multiple of these accounts. Normally
customers have to make a request to a branch or they can download the
requisition form from Bank’s website and submit it to a branch. Thereafter,
customer will receive a Customer Id and a Password for accessing the Internet
account.

After customer logs in, he/she can view all the account transactions with details
of latest balances in his/her account. In addition he/she can view a statement of
account or take a print out if machine is linked to a printer. In addition customer
can give requisition for a cheque book or stop payment of a cheque through
Internet Banking. Fund transfer is also enabled by most of the Banks.

Thanks to the sophistication of encryption, sending and receiving information
through Internet Banking is more reliable than ever. Encryption helps to keep
information private (such as PIN or the transactions performed) between the
bank's computer and your Internet browser. Most of the Banks have provided a
dynamic virtual keyboard which is to be used for keying in the password. Please
refer in the Annexure RBI Circular on Internet Banking facility for customers
of Coop Bank – DCBR.BPD.(PCB/RCB)Cir no6/19.51.026/2015/16 Dated 05, Nov 2015

2.2.5 Mobile banking/SMS banking

Initially Banks offered Mobile enabled push and pull SMS services. Under Push
SMS services, Banks send SMS to customers for various purposes. Whenever a
transaction is done on ATM or POS, Banks are bound, as per RBI directive, to
send SMS alerts to customers giving details of transactions done from ATMs. In
addition Banks send SMS in the following cases:

• Thanks giving SMS after an account is opened with a Bank;
• SMS alert whenever personalized cheque book is sent through a Courier;
• Notices about a fixed deposit maturing within 15 days are given through
  SMSs;
• Intimation about the renewal of a matured deposit is sent;
• SMS for cheque deposited by a customer as well as cheque presented in
  the account through clearing is given;
• SMS for all credit and debit transactions in an account in excess of
  particular limit are sent;
• SMS informing customers about launch of the new product, new offers
  initiated etc.

In Pull SMS, customers can get the following services by sending SMS with
pre-defined codes:

• Balances in the accounts of a customer
• Details of cheques presented
• Mini statement of account
• Cheque book request

In the recent past, National Payments Corporation of India has initiated Inter
Bank Mobile Payment Services (IMPS). Under this initiative, Banks are inter-
connected with one another. Customers of the member Banks can transfer funds
from one account to another account using a mobile phone. These services are
provided in two forms: SMS based and through a mobile application downloaded
on a mobile. The launch of these services has opened up floodgates for financial
inclusion. Business correspondents using mobile instruments can offer banking
services to customers in rural areas. Please refer in Annexure RBI Master
circular-Mobile Banking transactions in India – operative guidelines for Banks.
DPSS. Co. PD. Mobile Banking No1/02.23.001/2015 – 16 dated July 01, 2015.

2.2.6 Phone banking

Phone Banking enables customers to get the details of an account over phone.
After keying in the password given by the bank, the customer can get details of
balances in his/her account and transaction details, and can request a demand
draft or cash at his/her residence etc. After SMS enabled Mobile Banking was
facilitated by Banks, customers have been using phone banking for raising
service related issues and for seeking information about the products of Banks.

2.2.7 Debit card

This is the direct outcome of the Core Banking Solutions implemented by Banks.
Every Account holder gets a debit card from a Bank. The debit card is used for
the following purposes:

• Withdrawing cash from ATMs of any bank;
• Doing fund transfers in the accounts;
• Utility payments and for recharging the mobile;
• Doing E-commerce transactions on internet such as booking of
  travel/hotels, purchase of any consumer article and payment of
  subscription;
• Settling payments with the merchant on his/her POS (Point of sale) in
  the malls/shops and restaurants.

All the transactions are updated instantaneously in a Core Banking database. In
view of this feature, customer cannot draw cash in excess of the available balance
in the account.

Debit Card is to be used with the PIN given by a Bank. Customer can periodically
change the PIN. If the card is lost, customer can get it hot-listed by informing
his/her Bank. Most of the Banks are providing insurance up to a particular limit
to guard the customer against any financial loss incurred in case the card is
lost and misused.

Misuse of a card is possible only when it is used for settling claims on POS. Hence
it would be mandatory for every customer to key in a PIN on POS for settling
claims. These guidelines once effective would minimize the losses due to Debit
cards.

2.2.8 Credit cards

Most of the Banks issue Credit Cards to their customers. Credit cards entitle a
customer to use it up to a limit approved by a Bank. It is similar to an overdraft
facility given by a Bank to a customer on the basis of his/her financial
credentials. Co-op Banks are not allowed to issue Credit Cards either directly
or through sub-membership with any other card issuing bank.

In case of Credit Cards, customers are required to settle the amount drawn within
one month. The billing cycle is of one month. Customer therefore gets a credit for
the transactions done for a period of one month. Like a Debit Card, customers
can use the Credit Card for all the purposes stated above. In case of Credit Cards
as well, customers are given an insurance cover to guard against the possible
losses which may incur due to loss of the card and its misuse.

Most of the Banks get the Cards accredited with VISA or MasterCard. This helps
customers to use the card not only in India but also internationally at all places.
In India, NPCI has launched the RuPay card, thus all the customers having debit
cards as well as credit cards issued by member Banks will have wide currency.

FAQs on Types of Cards


[as sourced from RBI website]

Q. No. 1: How many types of cards are available to a customer?

Ans: Cards can be classified on the basis of their issuance, usage and payment by
the card holder. There are three types of cards (a) debit cards (b) credit cards and
(c) prepaid cards.

Q. No. 2: Who issues these cards?

Ans: Debit cards are issued by banks and are linked to a bank account. Credit
cards are issued by banks / other entities approved by RBI. The credit limits
sanctioned to a card holder is in the form of a revolving line of credit (similar to a
loan sanctioned by the issuer) and may or may not be linked to a bank account.

Prepaid cards are issued by the banks / non-banks against the value paid in
advance by the cardholder and stored in such cards which can be issued as smart
cards or chip cards, magnetic stripe cards, internet accounts, internet wallets,
mobile accounts, mobile wallets, paper vouchers, etc.

Q. No. 3: What are the usages of debit cards?

Ans: The debit cards are used to withdraw cash from an ATM, purchase of goods
and services at Point of Sale (POS)/E-commerce (online purchase) both
domestically and internationally (provided it is enabled for international use).
However, it can be used only for domestic fund transfer from one person to
another.

Q. No. 4: What are the usages of credit cards?

Ans: The credit cards are used for purchase of goods and services at Point of Sale
(POS) and E-commerce (online purchase)/ through Interactive Voice Response
(IVR)/Recurring transactions/ Mail Order Telephone Order (MOTO). These
cards can be used domestically and internationally (provided it is enabled for
international use). The credit cards can be used to withdraw cash from an ATM
and for transferring funds to bank accounts, debit cards, credit cards and prepaid
cards within the country.

Q. No. 5: What are the usages of prepaid cards?

Ans: The usage of prepaid cards depends on who has issued these cards. The
prepaid cards issued by the banks can be used to withdraw cash from an ATM,
purchase of goods and services at Point of Sale (POS)/E-commerce (online
purchase) and for domestic fund transfer from one person to another. Such
prepaid cards are known as open system prepaid cards. However, the prepaid
cards issued by authorised non-bank entities can be used only for purchase of
goods and services at Point of Sale (POS)/E-commerce (online purchase) and for
domestic fund transfer from one person to another. Such prepaid cards are
known as semi-closed system prepaid cards. These cards can be used only
domestically.

Q. No. 6: Is there any limit on the value stored in a prepaid card?

Ans: Yes, as per extant instructions, the maximum value that can be stored in any
prepaid card (issued by banks and authorised non-bank entities) at any point of
time is Rs 50,000/-

Q. No. 7: Can prepaid cards of lesser limits be issued?

Ans: Yes. The following types of semi closed pre-paid payment instruments can
be issued by carrying out Customer Due Diligence as detailed by the banks and
authorised non- bank entities:

a. Up to Rs.10,000/- by accepting minimum details of the customer
provided the amount outstanding at any point of time does not exceed Rs
10,000/- and the total value of reloads during any given month also does
not exceed Rs 10,000/-. These can be issued only in electronic form;
b. from Rs.10,001/- to Rs.50,000/- by accepting any ‘officially valid
document’ defined under Rule 2(d) of the PML Rules 2005, as amended
from time to time. Such PPIs can be issued only in electronic form and
should be non-reloadable in nature;
c. up to Rs.50,000/- with full KYC and can be reloadable in nature. The
balance in the PPI should not exceed Rs.50,000/- at any point of time.

Q. No. 8: Who decides the limits on cash withdrawal or purchase of goods and
services through use of a card?

Ans: The limits on cash withdrawal at ATMs and for purchase of goods and
services are decided by the issuer bank. However, in case of cash withdrawal at
other bank’s ATM, there is a limit of Rs 10,000/- per transaction. Cash
withdrawal at POS has also been enabled by certain banks wherein, a maximum
of Rs.1000/- can be withdrawn daily by using debit cards.

Q. No.9: Is the customer charged by his/her bank when he uses his debit card at
other banks ATM for withdrawing cash?

Ans: As per extant instructions, the savings bank account customer will not be
charged by his/her bank up to five transactions (inclusive of both financial and
non-financial transactions) in a month if he/she uses an ATM of another bank.
However, within this overall limit of five free transactions, for transactions done
at ATM of another bank located in the six metro centres, viz. Mumbai, New Delhi,
Chennai, Kolkata, Bengaluru and Hyderabad, the free transaction limit is set to
three transactions per month.

Q. No.10: Where should the customer lodge a complaint in the event of a failed
ATM transaction (account debited but cash not dispensed at the ATM)?

Ans: The customer has to approach his/her bank (bank that issued the card) to
lodge a complaint in the event of a failed ATM transaction.

Q. No.11: What is the time limit for resolution of the complaint pertaining to
failed ATM transaction?

Ans: The time limit, for resolution of customer complaints by the issuing banks,
is within 7 working days from the date of receipt of customer complaint. Hence
the bank is supposed to re-credit the customer’s account within 7 working days.
For failure to re-credit the customer’s account within 7 working days of receipt of
the complaint from the customer, the bank is liable to pay Rs 100 per day as
compensation to the customer.

Q. No. 12: What is the option for a card holder if his complaint is not redressed by
the issuer?

Ans: If a complainant does not get satisfactory response from his/her bank within
a maximum period of thirty (30) days from the date of his lodging the complaint,
he/she will have the option to approach the Office of the Banking Ombudsman
(in appropriate jurisdiction) for redressal of his grievance.

Q. No. 13: How are the transactions carried out through cards protected against
fraudulent usage?

Ans: For carrying out any transactions at an ATM, the card holder has to key in
the PIN which is known only to him/her for debit/credit and prepaid cards.
However, for carrying out transactions at POS too, the card holder has to key-in
the PIN which is known only to the card holder if a debit card is used. In the case
of credit card usage at POS the requirement of PIN depends on the bank’s policy
on security and risk mitigation. In the case of e-commerce transactions,
additional factor of authentication is applicable except in case of international
websites.

Q. No. 14: What are the liabilities of a bank in case of fraudulent use of a card by
unauthorised person?

Ans: In case of card not present transactions RBI has mandated providing
additional factor of authentication (if the issuer bank and e-commerce merchant
bank is in India). Hence, if a transaction has taken place without the additional
factor of authentication and the customer has complained that the transaction is
not effected by her/him, then the issuer bank shall reimburse the loss to the
customer without demur.

Q. No. 15: Is there any way a customer can come to know quickly whether a
fraudulent transaction has taken place using his/her card?

Ans: RBI has been taking various steps to ensure that card payment environment
is safe and secure. RBI has mandated banks to send online alerts for all card
transactions so that a card holder is aware of transactions taking place on his /
her card.

Q. No. 16: What is the mandate for banks for issuing Magnetic stripe cards or
Chip-based cards?

Ans: RBI has mandated that banks may issue new debit and credit cards only for
domestic usage unless international use is specifically sought by the customer.
Such cards enabling international usage will have to be essentially EMV Chip and
PIN enabled. The banks have also been instructed to convert all existing Mag-stripe
cards to EMV Chip cards for all customers who have used their cards
internationally at least once (for/through e-commerce/ATM/POS).

2.2.9 Other Digital Payment systems are outlined below.

Future of Banking….
“We need banking but we don’t need banks anymore” (Bill Gates, 1997)

• Single mobile application for accessing different bank accounts
• Immediate money transfer through mobile 24*7 and 365 days
• Single Click - 2 Factor Authentication
• Virtual address of the customer for Pull & Push
• Better security as customer not required to enter details such as Card no, Account number, IFSC etc.
• Best answer to Cash on Delivery, running to an ATM or rendering exact amount
• Scheduling PUSH and PULL Payments for various purposes
• Utility Bill Payments, Over the Counter Payments, Barcode based payments

• Bharat Interface for Money
• App developed by NPCI for mobile transactions using UPI
• Following services are available:
  • Send Money
  • Receive Money
  • Scan & Pay
  • Transactions - check transaction history
  • Profile
  • Bank Account

• NUUP (National Unified USSD Platform) is a USSD based mobile banking service from NPCI launched in 2012
• Unstructured Supplementary Service Data (USSD) – technology in GSM mobiles
• Common number across all Telecom Service Providers (TSPs)
• Works in English + 11 Regional languages
• Works across all GSM mobile handsets
• No application installation required on the mobile handset
• Works without Internet – Uses voice connectivity
• Can transact through an interactive menu displayed on the mobile screen.
• Key services offered under *99# service include interbank account to account fund transfer, balance enquiry, mini statement besides host of other services.
• Financial / Non-Financial Services:
  • Balance Enquiry
  • Mini Statement
  • Fund Transfer – MMID
  • Fund Transfer - Account No.
  • Fund Transfer – Aadhaar
  • Know MMID
  • Change M-PIN
  • Generate OTP
• Value Added service
  • QSAM (Query Service on Aadhaar Mapper) – This service helps users in knowing their Aadhaar Seeding status with their bank account.
  • This service can be availed by dialing *99*99#

• Bharat QR Code
• Launched on 20th February 2017
• World’s 1st inter-operable, low-cost, acceptance solution
• Infrastructure-light: Allows ME to accept digital payments, even without a card swiping terminal
• Alternative to PoS device
• Jointly developed by MasterCard, VISA and RuPay
• Benefit: One QR Code across all payment networks
• Presently only on smartphones; a deployment option via USSD is on the cards
• Customer has to exercise a one-time option using any bank’s app
• Mobile apps of multiple banks supporting Bharat QR possible from the same phone
• Mapping multiple accounts/cards within the same bank’s mobile app is possible
• Transaction limits are set by each bank based on customer profile
• Secure: all transactions authenticated using M-PIN
• One-time process to on-board MEs, after due diligence
• Bharat QR presently available on Android and iOS operating systems.

• Alternate channel for ECS - launched by NPCI in 2012
• Centralised system aims to consolidate all ECS
• Advantages over ECS:
  • Standardisation & digitisation of mandates
  • Simplification
  • Reduction in cost
  • Lower activation/turnaround time (30 days to 10 days)
• NACH enables Aadhaar based payments (AEPS and APBS)

Aadhaar Enabled Payment System (AEPS)
• Payment system using Aadhaar as an authentication mechanism

Aadhaar Payment Bridge (APBS)
• Centralised Electronic transfer system to transfer Government benefits to multiple beneficiaries using Aadhaar
• Tool for Direct Benefit Transfer (DBT)

• Over 30,800 million bills amounting to Rs.6223 billion are generated each year in the top 20 cities in the country (RBI Committee-Padmanabhan, 2013)
• BBPS developed by NPCI
• Anytime Anywhere Bill Payment
• Offer inter-operable bill payment services to customers through a network of agents

Pre-Paid Instruments (PPIs) - E-Wallets
• Facilitate transactions like purchase of goods and services, including funds transfer, against the value stored on such instruments
• Works on “Pay Now-Use Later” principle
• 3 types of PPIs –
  • Closed type (e.g. Ola money)
  • Semi-closed type (e.g. Paytm)
  • Open type (e.g. Pre-paid cards issued by banks)
• Can be issued by Banks and Non-Bank entities

2.2.10 Let us sum up

Core Banking Solutions enabled banks to offer their services through various
channels such as ATMs, White Label ATMs, Internet Banking, Phone Banking,
Mobile Banking etc. Through mobile banking, banks are offering various push
and pull services to their customers. Debit cards and Credit cards are the direct
outcome of Core Banking Solutions. Debit cards help customers to withdraw
money from any ATM at any time of a day. These cards are also useful in making
payments instantly on the websites for different purchases such as ticket
bookings, utility bill payments etc. They can be used at any merchant
establishments for making immediate payments against purchases. Credit cards
are similar to availing an overdraft facility from a bank. A cardholder can make
payments for purchases made within a month’s time although actual payments
are made by a card issuing bank to a merchant instantly, on behalf of a customer.
Co-operative banks are not authorized to issue credit cards directly or indirectly.

Other Digital Payment systems are UPI, BHIM, *99#, Bharat QR, NACH, AEPS,
APBS/DBT, BBPS and Prepaid E-wallets.

2.2.11 Key Words

CBS, ATM, Phone Banking, SMS Banking, Internet Banking, Credit Cards, Debit
Cards, Pre paid Cards, UPI, BHIM, *99#, Bharat QR, NACH, AEPS, APBS/DBT,
BBPS, Prepaid E-wallets

2.2.12 Check your progress- Questions

Fill in the blanks / Multiple choice questions

1. ATM stands for --------------------

2. NFS stands for ------------------

3. NPCI stands for ---------------

4. POS stands for ---------

5. Which one of the following transactions is not allowed using an ATM
connected to NFS network?

a. Balance enquiry
b. Withdrawal of Cash
c. Generating a mini statement
d. Deposit of cash

6. Which one of the following transactions cannot be performed through the
Internet?

a. Transfer of funds
b. Payment of utility bills
c. Balance enquiry
d. Withdrawal of cash

Answers

1. Automated Teller Machine
2. National Financial Switch
3. National Payment Corporation of India
4. Point of Sale
5. d
6. d

2.2.13 Terminal questions

• What are the different delivery channels available to customers in India for carrying out banking transactions?
• Internet Banking would be a virtual Credit Card or a virtual Debit card. Do you agree? Elaborate.
• What are the Digital payment systems introduced by NPCI?

2.3 Lesson No. 3 Inter Bank Payments

2.3.1 Objectives
2.3.2 RTGS and FAQ on RTGS
2.3.3 National Electronic Funds Transfer and FAQ on NEFT
2.3.4 IMPS and FAQ on IMPS
2.3.5 Negotiated Settlement System
2.3.6 Let us sum up
2.3.7 Key words
2.3.8 Check your progress-questions
Key to Check your progress
2.3.9 Terminal questions

2.3.1 Objectives

The objectives of this lesson are to understand different electronic payment
systems and procedures between banks.

2.3.2 Real Time Gross Settlement System (RTGS)

RTGS means continuous (real-time) settlement of fund transfers individually on
an order by order basis (without netting). 'Real Time' means the processing of
instructions at the time they are received rather than later. 'Gross Settlement'
means the settlement of funds transfer instructions occurs individually (on an
instruction by instruction basis). Immediately after a transaction is initiated by
one bank for transfer of funds to an account at a different bank, the respective
banks’ accounts are debited and credited in the books of RBI, and hence they
are settled. Since the funds settlement takes place in the books of the Reserve
Bank of India, the payments are final and irrevocable.

The remitting customer has to furnish the following information to a bank for
effecting a RTGS remittance:

• Amount to be remitted
• Remitting customer’s account number which is to be debited
• Name of the beneficiary bank
• Name of the beneficiary customer
• Account number of the beneficiary customer
• Sender to receiver information, if any
• The IFSC Number of the receiving branch (The beneficiary customer can obtain
the IFSC code from his/her bank branch. The IFSC code is also available on the
cheque leaf or in the front page of a passbook issued by a bank.) The IFSC code is
also available on the RBI website at URL
(http://rbidocs.rbi.org.in/rdocs/RTGS/DOCs/RTGEB1110.xls). This code
number and bank branch details can be communicated by the beneficiary to a
remitting customer.

RTGS system is primarily meant for large value transactions. The minimum
amount to be remitted through RTGS is Rs. 2 lakh. There is no upper ceiling for
RTGS transactions.

Under normal circumstances the beneficiary branches are expected to receive
funds in real time as soon as funds are transferred by a remitting bank. The
beneficiary bank has to credit the beneficiary's account within two hours of
receiving the funds transfer message.

It is expected that a receiving bank will credit the account of a beneficiary
instantly. If the money cannot be credited for any reason, the receiving bank
would have to return the money to the remitting bank within 2 hours. Once the
money is received back by the remitting bank, the original debit entry in the
customer's account is reversed. The remitting bank receives a message from the
Reserve Bank that money has been credited to the receiving bank. Based on this,
the remitting bank can advise to the remitting customer that money has been
delivered to the receiving bank.

RTGS is available 24x7x365 with effect from December 14, 2020.

Most of the Banks providing internet banking to the customers have enabled
RTGS transactions on the Internet. Customers need not go to a branch for
effecting transfer of funds. With a click of a button, customers can transfer funds
under RTGS. RTGS is provided by all the scheduled commercial Banks as well as
by the Scheduled Co-op Banks. Other non-scheduled co-op Banks have been
providing it by becoming the sub-members of Member Banks.

Funds, received by a RTGS member for the credit to a beneficiary customer’s
account, will be returned to the originating RTGS member within one hour of the
receipt of the payment at the PI of the recipient bank or before the end of the
RTGS Business day, whichever is earlier, if it is not possible to credit the funds to
the beneficiary customer’s account for any reason e.g. account does not exist,
account frozen, etc. Once the money is received back by the remitting bank, the
original debit entry in the customer's account is reversed.

FAQs on RTGS
[as sourced from RBI website]

1. What does RTGS stand for?

Ans. The acronym 'RTGS' stands for Real Time Gross Settlement, which can be
explained as a system where there is continuous and real-time settlement of
fund-transfers, individually on a transaction by transaction basis (without
netting). 'Real Time' means the processing of instructions at the time they are
received; 'Gross Settlement' means that the settlement of funds transfer
instructions occurs individually.

2. Are the payments under RTGS final and irrevocable?

Ans. Considering that the funds settlement takes place in the books of the Reserve
Bank of India, the payments are final and irrevocable.

3. What are the benefits of using RTGS?

Ans. RTGS offers many advantages over the other modes of funds transfer:

• It is a safe and secure system for funds transfer.
• RTGS transactions / transfers have no amount cap.
• The system is available on all days on 24x7x365 basis. There is real time
transfer of funds to the beneficiary account.
• The remitter need not use a physical cheque or a demand draft.
• The beneficiary need not visit a bank branch for depositing the paper
instruments.
• The beneficiary need not be apprehensive about loss / theft of physical
instruments or the likelihood of fraudulent encashment thereof.
• Remitter can initiate the remittances from his / her home / place of work
using internet banking, if his / her bank offers such service.
• The transaction charges have been capped by RBI.
• The transaction has legal backing.

4. How is the processing of RTGS different from that of National
Electronic Funds Transfer (NEFT) System?

Ans. NEFT is an electronic fund transfer system in which the transactions
received up to a particular time are processed in batches. Contrary to this, in
RTGS, the transactions are processed continuously on a transaction by
transaction basis throughout the day.

5. Is RTGS a 24x7 system or are there some timings applicable?

Ans. RTGS is available 24x7x365 with effect from December 14, 2020.

6. Is there any minimum / maximum amount stipulation for RTGS
transactions?

Ans. The RTGS system is primarily meant for large value transactions. The
minimum amount to be remitted through RTGS is ₹ 2,00,000/- with no upper
or maximum ceiling.

7. What about processing charges / service charges for RTGS
transactions?

Ans. With effect from July 01, 2019, the Reserve Bank has waived the processing
charges levied by it for RTGS transactions. Banks may pass on the benefit to its
customers.

With a view to rationalise the service charges levied by banks for offering funds
transfer through RTGS system, a broad framework of charges has been mandated
as under:

a) Inward transactions – Free, no charge to be levied.

b) Outward transactions –
₹ 2,00,000/- to ₹ 5,00,000/- : not exceeding ₹ 24.50/- (exclusive of tax, if any)
Above ₹ 5,00,000/- : not exceeding ₹ 49.50/- (exclusive of tax, if any)

Banks may decide to charge a lower rate but cannot charge more than the rates
prescribed by RBI.

Our Circular Ref. No. DPSS (CO) RPPD No.1140/04.03.01/2019-20 dated
December 16, 2019 on ‘Furthering Digital Payments – Waiver of Charges
– NEFT System’ (available
at https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=11756&Mode=0)
may be referred to for further details.

8. What is the essential information that the remitting customer
needs to furnish to the bank for making a remittance?

Ans. The remitting customer has to furnish the following information to a bank
for initiating an RTGS remittance:

i. Amount to be remitted
ii. The account number to be debited
iii. Name of the beneficiary bank and branch
iv. The IFSC number of the receiving branch
v. Name of the beneficiary customer
vi. Account number of the beneficiary customer
vii. Sender to receiver information, if any

9. How would one know the IFSC number of the receiving branch?

Ans. The IFSC number can be obtained by the remitter (customer) from his / her
bank branch. Alternatively, it is available on the cheque leaf of the beneficiary.
This code number / bank branch information can be communicated by the
beneficiary to the remitting customer. The list of IFSCs is also available on the
RBI website at the
link http://rbidocs.rbi.org.in/rdocs/RTGS/DOCs/RTGEB0815.xlsx

10. Do all bank branches in India provide RTGS service? How can a
remitting customer know whether the bank branch of the beneficiary
accepts remittance through RTGS?

Ans. For a funds transfer to go through RTGS, both the sending bank branch and
the receiving bank branch need to be RTGS enabled. Presently, there are more
than 1,65,000 RTGS enabled bank branches, the list of which is available on the
RBI website at the
link http://rbidocs.rbi.org.in/rdocs/RTGS/DOCs/RTGEB0815.xlsx

11. What care should be taken while originating an RTGS transaction?

Ans. The following should be ensured while putting through a funds transfer
transaction using RTGS –

• Originating and destination bank branches are part of the RTGS network.
• Beneficiary details such as beneficiary name, account number and account type,
name and IFSC of the beneficiary bank branch should be available with the
remitter.
• Extreme care should be exercised in providing the account number of the
beneficiary, as, during processing RTGS transactions, the credit will be given to
the customer’s account solely based on the account number provided in the RTGS
remittance instruction / message.

12. In RTGS, why is credit to the beneficiary given solely based on
account number?

Ans. Transactions in RTGS happen in real time and it is not possible to match
name and account number before affording credit to the beneficiary. Since name
in the Indian context is spelt differently and would not really match with that
available with the beneficiary bank, the process of affording credit solely based on
the account number of the beneficiary has been enabled.

Our Circular Ref. No. DPSS (CO) EPPD No. / 863 / 04.03.01 / 2010-11 dated
October 14, 2010 on ‘Electronic payment products – Processing inward
transactions based solely on account number information’ (available
at https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=6043&Mode=0)
may be referred to for further details.

13. What is the time taken for effecting funds transfer from one
account to another through RTGS?

Ans. Under normal circumstances, the beneficiary branches are expected to
receive the funds in real time as soon as funds are transferred by the remitting
bank. The beneficiary bank must credit the beneficiary's account within 30
minutes of receiving the funds transfer message.

14. Can a remitting customer initiate a transaction for a future date?

Ans. No, the RTGS system does not accept future value dated transactions.

15. Can a transaction be originated to draw (receive) funds from
another account?

Ans. No. RTGS is a credit-push system i.e., transactions can be originated by the
payer / remitter / sender only to pay / transfer / remit funds to a beneficiary.

16. Can an RTGS transaction be tracked? Would the remitting
customer receive an acknowledgement of money credited to the
beneficiary's account?

Ans. While the customers do not have the facility to track the transaction, the RBI
has implemented the feature of positive confirmation in an RTGS transaction.
Under this, the remitting bank would receive a message from RBI (through the
beneficiary bank) that the money has been credited to the beneficiary bank /
customer account. Based on this, the remitting bank should advise the remitting
customer that money has been credited to the receiving bank’s beneficiary
account.

17. Would the remitting customer get back the money if it is not
credited to the beneficiary's account? Is there any time frame
prescribed for it?

Ans. Yes, if it is not possible to credit the funds to the beneficiary customer’s
account for any reason, the funds received by the RTGS member bank will be
returned to the originating bank within one hour of receipt of the payment at the
Payment Interface (PI) or before the end of the RTGS Business day, whichever is
earlier. Once the money is received back by the remitting bank, the original debit
entry in the customer's account needs to be reversed.

18. Is a customer eligible to get compensation for delay in returning
the payment?

Ans. In case of any delay in returning the failed payment, the originating
customer is eligible to receive compensation at current repo rate plus 2%.

19. Whom can a customer contact, in case of non-credit or delay in
credit to the beneficiary account?

Ans. The customer can contact his / her bank / branch if there is an issue of delay
/ non-credit to the beneficiary account. If the issue is not resolved satisfactorily,
complaint may be lodged at email or by post at following address giving UTR
number and details of the issue -

The Chief General Manager
Customer Education and Protection Department
1st Floor, Amar Building
Reserve Bank of India
SBS Road, Fort
Mumbai – 400 001

20. What is UTR number?

Ans. Unique Transaction Reference (UTR) number is a 22 character code used to
uniquely identify a transaction in RTGS system.

21. What is LEI and what is its purpose?

Ans. The Legal Entity Identifier (LEI) is a 20-digit number used to uniquely
identify parties to financial transactions worldwide. It has been implemented to
improve the quality and accuracy of financial data reporting systems for better
risk management. It is used to create a global reference data system that uniquely
identifies every legal entity in any jurisdiction that is party to a financial
transaction. It can be obtained from any of the Local Operating Units (LOUs)
accredited by the Global Legal Entity Identifier Foundation (GLEIF), the body
tasked to support the implementation and use of LEI. In India, LEI can be
obtained from Legal Entity Identifier India Ltd. (LEIL) (https://www.ccilindia-lei.co.in),
which is also recognised as an issuer of LEI by the Reserve Bank.

22. Which RTGS transactions should include LEI information?

Ans. All payment transactions of value ₹50 crore and above undertaken by
entities (non-individuals) should include remitter and beneficiary LEI
information from April 1, 2021. Banks should use the ‘Remittance Information’
field for recording Remitter and Beneficiary LEI.

23. Is LEI required for individual customer transactions?

Ans. No, LEI is not required for customer transactions where both remitter and
beneficiary are individuals.

These FAQs are issued by the Reserve Bank of India for information and
general guidance purposes only. The Bank will not be held responsible for
actions taken and/or decisions made on the basis of the same. For clarifications
or interpretations, if any, one may be guided by the relevant circulars and
notifications issued from time to time by the Bank.

2.3.3 National Electronic Fund Transfer (NEFT)

National Electronic Funds Transfer (NEFT) is a nation-wide centralized payment
system owned and operated by the Reserve Bank of India (RBI).

The NEFT system is available round the clock throughout the year on all days,
i.e., on 24x7x365 basis. NEFT presently operates in batches on half-hourly
intervals throughout the day. In case of non-availability of NEFT for any reason,
appropriate message will be broadcasted by RBI to all system participants.

The outbound remittances through NEFT system are permitted only to Nepal
under Indo-Nepal Remittance Scheme. Under this scheme, the remitter can
transfer funds from any of the NEFT-enabled bank branches in India to Nepal,
irrespective of whether the beneficiary in Nepal maintains an account with a bank
branch in Nepal or not. The beneficiary would receive funds in Nepalese Rupees.

With effect from January 01, 2020, banks have been advised by RBI to not levy
any charges from their savings bank account holders for NEFT funds transfers
initiated online.

FAQs on NEFT
(as sourced from RBI Website)

1. What is National Electronic Funds Transfer (NEFT) system?

Ans: National Electronic Funds Transfer (NEFT) is a nation-wide centralized
payment system owned and operated by the Reserve Bank of India (RBI). The set
of procedures to be followed by various stakeholders participating in the system
is available on the RBI website under the following link:

https://rbidocs.rbi.org.in/rdocs/Content/PDFs/NEFPG300411.pdf

2. What are the advantages of using NEFT system?

Ans: NEFT offers the following advantages for funds transfer or receipt:

• Round the clock availability on all days of the year.
• Near-real-time funds transfer to the beneficiary account and settlement in
a secure manner.
• Pan-India coverage through large network of branches of all types of
banks.
• Positive confirmation to the remitter by SMS / e-mail on credit to
beneficiary account.
• Penal interest provision for delay in credit or return of transactions.
• No levy of charges by RBI from banks.
• No charges to savings bank account customers for online NEFT
transactions.
• Besides funds transfer, NEFT system can be used for a variety of
transactions including payment of credit card dues to the card issuing
banks, payment of loan EMI, inward foreign exchange remittances, etc.
• Available for one-way funds transfers from India to Nepal.

3. How does the NEFT system operate?

Ans: Following is the step-wise flow of NEFT transaction.

Step-1: An individual / firm / corporate willing to transfer funds through NEFT
can use the internet/mobile banking facility offered by his/her bank for initiating
online funds transfer request. The remitter has to provide details of beneficiary
such as, name of the beneficiary, name of the bank branch where the beneficiary
has an account, IFSC of the beneficiary bank branch, account type and account
number, etc. for addition of the beneficiary to his/her internet/mobile banking
module. Upon successful beneficiary addition, the remitter can initiate online
NEFT funds transfer by authorizing debit to his/her account. Alternatively, the
remitter can also visit his/her bank branch for initiating NEFT funds transfer
through branch/off-line mode. The customer has to fill-in the beneficiary details
in NEFT application form available at the bank branch and authorize the branch
to debit to his/her account to the extent of the amount requested in NEFT
application form.

Step-2: The originating bank prepares a message and sends the message to its
pooling centre, also called the NEFT Service Centre.

Step-3: The pooling centre forwards the message to the NEFT Clearing Centre,
operated by the RBI, to be included for the next available batch.

Step-4: The Clearing Centre sorts the funds transfer transactions beneficiary
bank-wise and prepares accounting entries to receive funds from the originating
banks (debit) and give the funds to the beneficiary banks (credit). Thereafter,
bank-wise remittance messages are forwarded to the beneficiary banks through
their pooling centre (NEFT Service Centre).

Step-5: The beneficiary banks receive the inward remittance messages from the
Clearing Centre and pass on the credit to the beneficiary customers’ accounts.
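
Steps 2 to 5 above, as an added example that is not RBI's or any bank's code: messages are assigned to half-hourly batches, sorted beneficiary bank-wise, and turned into debit and credit entries whose totals must agree. The tuple layout, the cut-off rule and all IFSCs and amounts are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

BATCH_MINUTES = 30   # the text: "batches on half-hourly intervals"


def next_batch(received: datetime) -> datetime:
    """Batch a message joins: the next half-hour boundary after receipt
    (the exact cut-off rule is an assumption of this example)."""
    floor = received.replace(
        minute=received.minute // BATCH_MINUTES * BATCH_MINUTES,
        second=0, microsecond=0)
    return floor + timedelta(minutes=BATCH_MINUTES)


def clear(messages):
    """Steps 3 and 4: group messages by batch, sort them beneficiary bank-wise
    and build debit (originating bank) and credit (beneficiary bank) entries.

    `messages` holds (received, originating_ifsc, beneficiary_ifsc, amount).
    """
    batches = {}
    for received, from_ifsc, to_ifsc, amount in sorted(messages):
        batch = batches.setdefault(next_batch(received), {
            "debit": defaultdict(Decimal),
            "credit": defaultdict(Decimal),
            "outward": defaultdict(list),
        })
        src, dst = from_ifsc[:4], to_ifsc[:4]   # first 4 IFSC characters = bank
        batch["debit"][src] += amount
        batch["credit"][dst] += amount
        # Step 4 (second half): the bank-wise remittance messages that go to
        # the beneficiary bank's pooling centre.
        batch["outward"][dst].append((to_ifsc, amount))
    for when, batch in batches.items():
        # Reconciliation control: every rupee debited in a batch is credited.
        if sum(batch["debit"].values()) != sum(batch["credit"].values()):
            raise ValueError(f"batch {when} does not balance")
    return batches


# Constructed sample traffic; the IFSCs are not real branches.
DAY = datetime(2022, 1, 3)
SAMPLE_MESSAGES = [
    (DAY.replace(hour=10, minute=5), "AAAA0000001", "BBBB0000010", Decimal(25000)),
    (DAY.replace(hour=10, minute=20), "CCCC0000002", "BBBB0000011", Decimal(40000)),
    (DAY.replace(hour=10, minute=29), "AAAA0000003", "CCCC0000004", Decimal(10000)),
    (DAY.replace(hour=10, minute=31), "BBBB0000010", "AAAA0000001", Decimal(5000)),
]

if __name__ == "__main__":
    for when, batch in clear(SAMPLE_MESSAGES).items():
        print(when.strftime("%H:%M"), "debit", dict(batch["debit"]),
              "credit", dict(batch["credit"]))
```

The messages received at 10:29 and 10:31 land in different batches, which is the practical difference from RTGS, where each instruction is settled individually as it arrives.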

4. What is Indian Financial System Code (IFSC)?

Ans: IFSC or Indian Financial System Code is an alpha-numeric code that
uniquely identifies a bank-branch participating in the NEFT system. It’s an 11-digit
code with the first 4 alpha characters representing the bank, and the last 6
characters representing the branch. The 5th character is 0 (zero). IFSC is used by
the NEFT system to identify the originating / destination banks / branches and
also to route the messages appropriately to the concerned banks / branches.
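
The field rules stated in this lesson (IFSC structure, the RTGS minimum, the LEI threshold, the cash NEFT ceiling and the outward charge slabs) can be checked before an instruction is released, which matters because credit is afforded solely on the account number. The following Python code is an added example, not RBI or bank code; the `Remittance` record, the function names, the alphanumeric LEI and account character sets and all sample values are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional

LAKH = Decimal(100_000)
CRORE = Decimal(10_000_000)

# IFSC as described in the text: 4 letters (bank), a literal 0, 6 branch characters.
IFSC_RE = re.compile(r"[A-Z]{4}0[A-Z0-9]{6}")
# The text gives only the LEI length (20); the character set here is an assumption.
LEI_RE = re.compile(r"[A-Z0-9]{20}")


@dataclass
class Remittance:
    """Hypothetical instruction record for this example (not an RBI message format)."""
    system: str                  # "RTGS" or "NEFT"
    amount: Decimal              # rupees
    debit_account: str
    beneficiary_name: str
    beneficiary_account: str
    beneficiary_ifsc: str
    remitter_is_individual: bool = True
    beneficiary_is_individual: bool = True
    remitter_lei: Optional[str] = None
    beneficiary_lei: Optional[str] = None
    cash_walk_in: bool = False   # NEFT remitter who has no bank account


def validate(r: Remittance) -> List[str]:
    """Return rule violations; an empty list means no rule in the text is broken."""
    if r.system not in ("RTGS", "NEFT"):
        return [f"unknown payment system {r.system!r}"]
    errors = []
    if r.amount <= 0:
        errors.append("amount must be positive")
    if not IFSC_RE.fullmatch(r.beneficiary_ifsc):
        errors.append("IFSC must be 4 letters, '0', then 6 branch characters")
    # Credit is afforded solely on the account number, so malformed input is
    # rejected here; the beneficiary name will not catch the mistake later.
    if not r.beneficiary_account.isalnum():
        errors.append("beneficiary account number is empty or has stray characters")
    if r.system == "RTGS" and r.amount < 2 * LAKH:
        errors.append("RTGS minimum is Rs 2,00,000")
    if r.system == "NEFT" and r.cash_walk_in and r.amount > 50_000:
        errors.append("cash NEFT remittance is capped at Rs 50,000 per transaction")
    # LEI: Rs 50 crore and above. Checking each non-individual party separately
    # is this example's reading of the rule.
    if r.amount >= 50 * CRORE:
        parties = (("remitter", r.remitter_is_individual, r.remitter_lei),
                   ("beneficiary", r.beneficiary_is_individual, r.beneficiary_lei))
        for label, is_individual, lei in parties:
            if not is_individual and not (lei and LEI_RE.fullmatch(lei)):
                errors.append(f"{label} LEI (20 characters) is required")
    return errors


def max_outward_charge(system: str, amount: Decimal,
                       savings_online: bool = False) -> Decimal:
    """Ceiling, exclusive of tax, on the remitter's charge per the slabs in the text."""
    if system == "RTGS":
        if amount < 2 * LAKH:
            raise ValueError("below the RTGS minimum")
        return Decimal("24.50") if amount <= 5 * LAKH else Decimal("49.50")
    if system == "NEFT":
        if savings_online:       # savings account holder, transfer initiated online
            return Decimal("0")
        for limit, cap in ((10_000, "2.50"), (LAKH, "5"), (2 * LAKH, "15")):
            if amount <= limit:
                return Decimal(cap)
        return Decimal("25")
    raise ValueError(f"unknown payment system {system!r}")


# Constructed sample values, not real accounts, branches or LEIs.
SAMPLE_OK = Remittance("RTGS", Decimal("350000"), "001234567890",
                       "A. Beneficiary", "009876543210", "ABCD0123456")
SAMPLE_BAD = Remittance("RTGS", Decimal("600000000"), "001234567890",
                        "Example Traders Ltd", "0098 7654", "ABCD1123456",
                        remitter_is_individual=False,
                        remitter_lei="CONSTRUCTEDLEI000001",
                        beneficiary_is_individual=False)

if __name__ == "__main__":
    print("clean instruction:", validate(SAMPLE_OK))
    for problem in validate(SAMPLE_BAD):
        print("REJECT:", problem)
    print("charge ceiling:", max_outward_charge("RTGS", SAMPLE_OK.amount))
```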

5. How can I find the IFSC of a bank-branch?

Ans: Bank-wise list of IFSCs is available with all the bank-branches participating
in NEFT scheme. List of bank-wise branches participating in NEFT and their
IFSCs is also available on the website of RBI
at https://www.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=2009. All member
banks have also been advised to print the IFSC of the branch on cheques issued to
their customers.

6. Who can avail NEFT system for fund transfer / receipt?

Ans: Individuals, firms and corporates maintaining accounts with any member
bank, participating in the NEFT system, can electronically transfer funds to any
individual, firm or corporate having an account with any other bank in the
country participating in the NEFT system.

The list of bank-wise branches participating in NEFT is available on the website
of RBI at http://www.rbi.org.in/scripts/neft.aspx

7. Is there any limit on funds / amount to be remitted through NEFT
system?

Ans: No, there is no limit imposed by the RBI for funds transfer through NEFT
system. However, banks may place amount limits based on their own risk
perception with the approval of its Board.

8. Can the NEFT system be used for remitting funds even by those
who do not have a bank account?

Ans: Yes, the person having no bank account can remit funds through NEFT to a
beneficiary having a bank account, with another NEFT member bank. It can be
done by depositing cash at the nearest NEFT enabled branch of any bank, by
furnishing additional details such as complete address, telephone number, etc.
Such cash remittances will, however, be restricted to a maximum of ₹ 50,000/-
per transaction.

9. Can I send funds to my relative / friend residing abroad through
NEFT system?

Ans: The outbound remittances through NEFT system are permitted only to
Nepal under Indo-Nepal Remittance Scheme. Under this scheme, the remitter
can transfer funds from any of the NEFT-enabled bank branches in India to
Nepal, irrespective of whether the beneficiary in Nepal maintains an account with
a bank branch in Nepal or not. The beneficiary would receive funds in Nepalese
Rupees. The details of the Indo-Nepal Remittance Facility Scheme are available
on the website of RBI at https://rbi.org.in/scripts/FAQView.aspx?Id=67

10. What are the operating hours of NEFT?

Ans: The NEFT system is available round the clock throughout the year on all
days, i.e., on 24x7x365 basis. NEFT presently operates in batches on half-hourly
intervals throughout the day. In case of non-availability of NEFT for any reason,
appropriate message will be broadcasted by RBI to all system participants.

11. What are the essential details required for remitting funds
through NEFT system?

Ans: The essential elements of beneficiary's identification are:

Beneficiary's Name
Beneficiary's Branch Name
Beneficiary's Bank Name
Beneficiary's Account Type
Beneficiary's Account No.
Beneficiary's Branch IFSC

12. What are the customer charges levied by bank for NEFT
transactions?

Ans: The RBI does not levy any charges from member banks for NEFT
transactions. Also, there are no charges to be levied for Inward transactions at
destination bank branches for giving credit to beneficiary accounts.

For outward transactions, the maximum charges that bank can levy from their
customer for NEFT transaction are as follows:

a) With effect from January 01, 2020, banks have been advised to not levy any
charges from their savings bank account holders for NEFT funds transfers
initiated online.

b) Maximum charges which can be levied for outward transactions at originating
bank for other transactions –

- For transactions up to ₹ 10,000: not exceeding ₹ 2.50 (+ Applicable GST)

- For transactions above ₹ 10,000 up to ₹ 1 lakh: not exceeding ₹ 5 (+ Applicable GST)

- For transactions above ₹ 1 lakh and up to ₹ 2 lakhs: not exceeding ₹ 15 (+ Applicable GST)

- For transactions above ₹ 2 lakhs: not exceeding ₹ 25 (+ Applicable GST)

c) The details of the charges applicable for transferring funds from India to
Nepal using the NEFT system under the Indo-Nepal Remittance Facility Scheme
are available on the website of RBI
at https://rbi.org.in/scripts/FAQView.aspx?Id=67

13. Can I use NEFT to transfer funds from / to NRE and NRO
accounts?

Ans: Yes, NEFT can be used to transfer funds from / to NRE and NRO accounts
in the country. This, however, is subject to the adherence of the provisions of the
Foreign Exchange Management Act, 2000 (FEMA) and Wire Transfer
Guidelines.

14. Can I originate a NEFT transaction to draw / receive funds from
another account?

Ans: No. NEFT is a credit-push system i.e., transactions can be originated by the
payer / remitter / sender only to pay / transfer / remit funds to beneficiary.

15. How can I track status of NEFT transactions initiated? Who should
be approached to know status of the NEFT transaction?

Ans: The remitter and the beneficiary can track the status of an NEFT transaction by
contacting the NEFT Customer Facilitation Centre (CFC) of their respective banks.
Details of NEFT Customer Facilitation Centre of banks are available on the
websites of the respective banks. The details of Customer Facilitation Centre of
member banks are also available on the website of RBI
at https://www.rbi.org.in/Scripts/bs_viewcontent.aspx?Id=2070

For the purpose of faster tracking of a transaction, you need to provide a few details
related to the transaction such as Unique Transaction Reference (UTR) number /
transaction reference number, date of transaction, etc., to your bank.

16. What is the Help Desk / Contact point at the RBI?

Ans: You may approach the NEFT Help Desk / Contact point of the RBI at the following
address:

The NEFT Help Desk (or Customer Facilitation Centre of RBI), Primary Data
Centre (PDC), RBI, CBD Belapur, Navi Mumbai, Maharashtra- 410210.

17. How much time should I expect for receipt of funds by
beneficiary?

Ans: You may expect a timeline of two hours from the batch settlement, within
which the beneficiary’s account should be credited.

18. What happens if funds are not credited to the beneficiary? Or Do I
get my money back, if funds are not credited to the beneficiary due to
various reasons?

Ans: If it is not possible to afford credit to the account of the beneficiary for any
reason, destination banks are required to return the transaction (to the
originating branch) within two hours of completion of the batch in which the
transaction was processed.

19. What are the penalties / compensation for delayed credit or return
of funds by beneficiary bank?

Ans: If the NEFT transaction is not credited or returned within two hours after
batch settlement, then the bank is liable to pay penal interest to the affected
customer at the current RBI LAF Repo Rate plus two percent for the period of
delay / till the date of credit or refund, as the case may be, is afforded to the
customers’ account without waiting for a specific claim to be lodged by the
customer in this regard.

20. What happens if I write wrong account number of beneficiary?

Ans: The credit is given to the account number written / given by remitter in his
/ her application / instruction. Credit to beneficiary account is released solely
based on account number. It is the responsibility of remitting customer to write
correct account number. The originator / sender should exercise due care in
providing the correct account number of the beneficiary, in the NEFT
remittance instruction / application.

21. Whom should I approach for raising dispute/complaint related to
NEFT transaction?

Ans: You may approach the grievance redressal cell of your bank with details of the
disputed transaction. In case your grievance is not resolved within 30 days, you
may approach the Banking Ombudsman under the RBI Banking Ombudsman
Scheme, 2006. The contact details of BO along with the area of operation are
available on the RBI website
at https://rbi.org.in/Scripts/AboutUsDisplay.aspx?pg=BankingOmbudsmen.htm

NEFT & RTGS Compared

| RTGS | NEFT |
|---|---|
| Only transactions over Rs. 2 lakh are allowed | No restriction on the amount |
| Settlement is on real time basis. | Transactions are settled in batches. |
| Immediately after a transaction is done, the respective banks involved are debited and credited in RBI books. Hence the settlement is gross settlement. | Batch is processed after every half an hour. Hence settlement is done on net transaction basis. The total credit received by a Bank and total debits for the messages sent by that Bank are considered and the net amount is debited or credited. |
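The difference between gross and net settlement in the comparison above, worked through as an added example that is not part of the original course text. The bank names, timestamps and amounts are constructed, the amounts ignore the RTGS minimum so that the same messages can be posted both ways, and the treatment of a message that arrives exactly on a batch boundary is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

BATCH_MINUTES = 30  # half-hourly NEFT batches, as stated in the text

# Constructed sample: (time accepted, sending bank, receiving bank, rupees).
SAMPLE = [
    ("2023-01-10 10:02", "BANK_A", "BANK_B", "150000"),
    ("2023-01-10 10:11", "BANK_B", "BANK_A", "40000"),
    ("2023-01-10 10:19", "BANK_A", "BANK_C", "9500"),
    ("2023-01-10 10:27", "BANK_C", "BANK_B", "250000"),
    ("2023-01-10 10:41", "BANK_B", "BANK_C", "75000"),
    ("2023-01-10 10:55", "BANK_C", "BANK_A", "75000"),
]


def parse(rows):
    """Turn the text rows into (datetime, sender, receiver, Decimal) tuples."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M"), s, r, Decimal(a))
            for t, s, r, a in rows]


def batch_close(ts):
    """Close time of the half-hour batch a message falls into.
    Assumption: a message accepted exactly on a boundary joins the next batch."""
    start = ts.replace(minute=(ts.minute // BATCH_MINUTES) * BATCH_MINUTES,
                       second=0, microsecond=0)
    return start + timedelta(minutes=BATCH_MINUTES)


def gross_settlement(msgs):
    """RTGS style: every instruction is posted on its own, as one debit and
    one credit in the settlement accounts, at the time it is processed."""
    postings = []
    for ts, sender, receiver, amount in msgs:
        postings.append((ts, sender, -amount))
        postings.append((ts, receiver, amount))
    return postings


def net_settlement(msgs):
    """NEFT style: per batch, each bank's credits received minus debits sent.
    Only the resulting net figure is posted per bank when the batch closes."""
    batches = defaultdict(lambda: defaultdict(Decimal))
    for ts, sender, receiver, amount in msgs:
        position = batches[batch_close(ts)]
        position[sender] -= amount
        position[receiver] += amount
    result = {}
    for close in sorted(batches):
        position = dict(batches[close])
        # Reconciliation control: money only moves between participants,
        # so the net positions of one batch must sum to exactly zero.
        if sum(position.values()) != 0:
            raise ValueError(f"batch {close} does not balance")
        result[close] = position
    return result


if __name__ == "__main__":
    msgs = parse(SAMPLE)
    print("gross postings:", len(gross_settlement(msgs)))
    for close, position in net_settlement(msgs).items():
        print(close.strftime("%H:%M"), {b: str(v) for b, v in position.items()})
```

Six instructions produce twelve gross postings, while netting posts at most one figure per bank per batch; a batch whose positions do not sum to zero points to a lost, duplicated or altered message.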

2.3.4 What is IMPS

IMPS is an innovative real time payment service that is available round the clock.
This service is offered by National Payments Corporation of India (NPCI) that
empowers customers to transfer money instantly through banks and RBI
authorized Prepaid Payment Instrument Issuers (PPI) across India.

IMPS FAQs

1. What is IMPS?

IMPS is an innovative real time payment service that is available round the clock.
This service is offered by National Payments Corporation of India (NPCI) that
empowers customers to transfer money instantly through banks and RBI
authorized Prepaid Payment Instrument Issuers (PPI) across India.

2. What are the benefits of IMPS?

Mobile/ Internet /

Remittances

1. Sending Money
• Ticketing
• Credit Card bills
• Utility bills
• Online shopping
• School & College fees
• Mobile top ups & DTH recharge

NUUP (National Unified USSD Platform) is a USSD based mobile banking
service from NPCI that brings together all the Banks and Telecom Service
Providers. In NUUP, a customer can access banking services by just pressing
*99# from his/her mobile phones. This service works across all GSM mobile
handsets.

QSAM (Query Service on Aadhaar Mapper) – This service helps users know
their Aadhaar seeding status with their bank account.
This service can be availed by dialling *99*99#.
• User will know whether his/her AADHAAR number is seeded/linked to any bank account number or not.
• If yes, then with which bank and when it was last updated.

4. How do I get IMPS enabled?

Sender-
The customer has to do the Mobile Banking Registration if he/she wants to
initiate the transaction through mobile channel. For internet, ATM and bank
branch channels, mobile registration is not required.
Receiver-
Collect his/her MMID from bank and share with sender or alternatively share
his/her Account number & IFS code or Aadhaar number for receiving money.
The receiver can register his/her mobile no. for getting SMS alerts for
transactions.

5. How do I transfer funds using IMPS?

- -
SMS - -By
Using ATM Card at Banks ATM

-PIN
Both sender & receiver get SMS confirmation.

6. Does the customer need to register to remit the funds through IMPS?

For using IMPS on mobile phones, a customer will have to register for mobile
banking with his/her individual bank. However, for initiating IMPS using Bank
branch, Internet banking and ATM channels, no prior Mobile banking
registration is required.

7. Does the customer need to have a bank account for availing IMPS?

Both banked and un-banked customers can avail IMPS. However, an unbanked
customer can initiate an IMPS transaction using the services of a Pre-Paid Payments
instrument issuer (PPI).

8. Can a customer link more than one account to the same mobile number?

Yes, a customer can link more than one account to the same mobile number.
However, each A/C no. will have a different MMID.

9. Is the beneficiary customer also required to register for IMPS?

No need for registration, if receiving money using bank account details or
Aadhaar Number. However, for receiving money using Mobile no. & MMID,
Mobile registration is mandatory.

10. What is MMID? How do I get this Issued?

Mobile Money Identifier is a 7 digit number, issued by banks. MMID is one of the
inputs which, when clubbed with the mobile number, facilitates fund transfer.
The combination of Mobile no. & MMID is uniquely linked with an Account number
and helps in identifying the beneficiary details. Different MMIDs can be linked to
the same Mobile Number. (Please contact your bank for getting the MMID issued)

11. What are the options available for a customer for doing IMPS transaction?
• Using Beneficiary Mobile no. and MMID
• Using Beneficiary Account no. and IFS Code
• Using Beneficiary Aadhaar Number

12. Who all are offering IMPS?

Banks and non-bank entities (RBI authorized PPIs) are offering IMPS to the
customers across India. The list of member banks and PPIs providing the IMPS
services is available on http://www.npci.org.in/bankmember.aspx

13. What happens if my mobile phone is lost?

Customers need to inform their banks and deactivate their Mobile banking
services.

14. Is the facility of stop payment available on IMPS?

No. IMPS is an immediate fund transfer service; after the payment request is
initiated, the payment cannot be stopped or cancelled.

15. If I change my Mobile no., do I again need to register for Mobile Banking?

Yes, customers need to update their new mobile number with their banks.

16. If I change my Telecom service provider, do I need to register again?

No need for re-registration if there is no change in mobile no. Registration is
requested only if there is a change in mobile number.

17. What are the timings for initiating and receiving IMPS remittances?

IMPS transactions can be sent and received 24X7, (round the clock), including on
holidays.

18. Where do I register a complaint with reference to the IMPS transaction?

Customers can log an IMPS complaint with their respective banks.

19. What are the charges for the customer for sending and receiving remittances
using IMPS?

The charges for remittance through IMPS are decided by the individual member
banks and PPIs. Please check with your bank or PPI.

2.3.5 Negotiated dealing system

The system is developed for electronic trading in Government securities
transactions. The system has been in operation since Feb 2002. It facilitates the
submission of bids/applications for auctions/floatation of govt. securities
through pooled terminal facility located at Regional Offices of Public Debt Offices
across the country and through member terminals. The system can be used for
daily Repo and Reverse Repo auctions under Liquidity Adjustment Facility.

Members: Banks, Primary Dealers and Financial Institutions having Subsidiary
General Ledger and Current Accounts with RBI are eligible to become
members. System handles following types of Instruments: Govt. dated securities,
Treasury Bills, Re-purchase Agreements (Repos), call/notice/term money,
commercial paper, certificate of deposit, forward rate agreements/interest rate
swaps, etc.

RBI operates the system and it is integrated with Securities Settlement System of
Public Debt Office (PDO) of RBI to facilitate settlement of deals done in govt.
securities and treasury bills. It facilitates dissemination of information relating to
primary issuance through auction/sale on tap and underwriting, apart from
secondary market trade details to participants.

2.3.6 Let us sum up

RTGS is a Real Time Gross Settlement System initiated by the Reserve Bank of
India to transfer funds on an order-by-order basis. Gross settlement means that funds
transfers happen individually, on an instruction-by-instruction basis. While
transferring funds through RTGS, the remitting customer has to provide various
details of the beneficiary customer such as beneficiary account number, IFSC code,
Branch and Bank details etc. RTGS is meant for large value transactions of above
Rs. 2 lacs. NEFT is the National Electronic Fund Transfer System used between
financial institutions, which was started in 2005. There is no limit on the value of
funds transferred in NEFT. In NEFT the transactions are settled in batches of two
hours and hence the settlement is on net basis. NEFT uses a concept of
centralized accounting system. The Negotiated Dealing System (NDS) is developed
for electronic trading in Government securities transactions and has been
operational since Feb 2002.

2.3.7 Key Words

RTGS, NEFT, IMPS, NDS, RBI, IFSC

2.3.8 Check your progress Questions

1. RTGS means ------

2. NEFT means -----

3. IMPS means -----

4. NDS is the system used by Banks for

a. For trading in Government Securities by Banks
b. For trading in Stocks and shares of listed companies
c. For trading in commercial papers issued by corporates
d. For trading Certificate of Deposits issued by Banks

5. Separate IFSC code is given by RBI to

a. Every Bank participating in RTGS/NEFT
b. Every branch of the bank participating in RTGS/NEFT
c. Every Customer who wishes to do RTGS/NEFT transaction
d. No such number is required for participating in RTGS/NEFT

6. Minimum limit per transaction in case of RTGS is:

a. Rs. 20.00 Lakh
b. Rs. 5.00 Lakh
c. Rs. 2.00 Lakh
d. No such limit is stipulated

Key to questions asked

1. Real Time Gross Settlement System
2. National Electronic Fund Transfer
3. Immediate Payment System
4. a
5. b
6. c

2.3.9 Terminal questions

• What are the differences between RTGS and NEFT?
• What are the features of Negotiated Dealing System?
• What is IMPS?
2.4 Lesson No. 4 E-commerce

2.4.1 Objectives
2.4.2 E-commerce
2.4.3 Types of E-commerce
2.4.4 Benefits of E-commerce
2.4.5 Disadvantages of E-commerce
2.4.6 Components of E-commerce
2.4.7 Payment Gateways
2.4.8 Types of Payment Gateways
2.4.9 Authentication of Payment
2.4.10 Let us sum up
2.4.11 Key words
2.4.12 Check your progress- questions
Key to questions asked
2.4.13 Terminal questions

2.4.1 Objectives

The objectives of this lesson are to understand

• The use of Information Technology in commerce and trade
• Types of E-commerce, Secure Electronic Transfer, Payment Gateways,
Authentication of payments

2.4.2 E-commerce

Web Technology has opened up new opportunities for doing business in the
world. It has created alternatives to the traditional form of business conducted through shops
and malls during specific business hours. It has multiplied opportunities for
offering goods and services to customers through the use of technology. In real
life, one would find it easy not only to book a cinema ticket but also to select a seat
in a cinema hall. One need not stand in a queue for a ticket in a cinema hall. For
travel purposes, one can book a ticket for any mode of transportation – bus, air,
railway and also have a room booked in a hotel of one’s choice. In short,
technology has totally changed the rules of doing business.

E-commerce is electronic commerce. It means buying and selling goods, services
and information through the medium of the Internet. Transacting or facilitating
business on the Internet is called E-commerce. Popular examples of E-commerce
revolve around buying and selling online. But the E-commerce universe contains
other types of activities as well. Any form of business transaction conducted
electronically falls within the gamut of E-commerce. Electronic commerce draws on
such technologies as electronic funds transfer, supply chain
management, Internet marketing, online transaction processing, Electronic Data
Interchange (EDI), inventory management systems, and automated data
collection systems.

Business models across the world also continue to change drastically with the
advent of E-commerce and this change is not just restricted to the USA. Other
countries are also contributing to the growth of E-commerce. For example, the
United Kingdom has the biggest E-commerce market in the world when
measured by the amount spent per capita, even higher than the USA.
The internet economy in the UK is likely to grow by 10% between 2010 and 2015.

Amongst emerging economies, China's E-commerce presence continues to
expand. With 384 million internet users, China's online shopping sales rose to
$36.6 billion in 2009 and one of the reasons behind the huge growth has been
the improved trust level for shoppers. E-commerce is also expanding across the
Middle East. Having recorded the world’s fastest growth in internet usage
between 2000 and 2009, the region is now home to more than 60 million
internet users. Retail, travel and gaming are the region’s top E-commerce
segments, in spite of difficulties such as the lack of region-wide legal frameworks
and logistical problems in cross-border transportation. E-commerce has become
an important tool for businesses worldwide not only to sell to customers but also
to engage them.

Examples of E-commerce

Online shopping

Buying and selling goods on the Internet is one of the most popular examples of
E-commerce. Sellers create a front end that is similar to the shops and stores that exist
in brick and mortar buildings. Buyers browse and purchase products with mouse
clicks. Though Amazon.com is not the pioneer of online shopping, it is arguably
the most famous online shopping destination. In India, flipkart.com is well
known.

Online auctions

An auction is one of the ways of selling goods and services. In Banks, for recovery
purposes, mortgaged property is auctioned to find the buyer who would buy it for the
highest price over and above a bid price. Auctions are also seen in cases where the
goods are antique pieces or pieces used by celebrities or renowned personalities.
Through E-commerce, it is now possible to auction all kinds of goods- brand new
goods as well as used goods. When you think online auction, you think eBay. The
Internet has made auctions accessible to a large number of buyers and sellers.
Online auctions are an efficient mechanism for price discovery. Many buyers find
the auction shopping mechanism more interesting than regular storefront
shopping.

Internet banking

Internet Banking enables customers to avail all kinds of banking services except
receiving and depositing physical cash. The service can be availed as per
convenience of a customer at any time and from any place. Founder of Microsoft,
Mr. Bill Gates had said that customers need banking and not banks which has
been made possible by the internet.

Online ticketing

Air tickets, movie tickets, train tickets, play tickets, tickets of sporting events, and
just about any kind of tickets can be booked online. Online ticketing does away
with the need for a queue at ticket counters.

Online trading

Individuals and institutions can do trading in shares, commodities and bonds
electronically. Online, customers can monitor price movements on a screen and
can take the decisions of buying and selling.

2.4.3 Types of E-commerce

E-commerce can be classified based on the type of participants in the transaction:

• Business to Business (B2B): B2B E-commerce transactions are those where both the transacting parties are representing businesses, e.g., manufacturers, traders, retailers and the like.
• Business to Consumer (B2C): When businesses sell electronically to end-consumers, it is called B2C E-commerce.
• Consumer to Consumer (C2C): Some of the earliest transactions in the global economic system involved barter -- a type of C2C transaction. But C2C transactions were virtually non-existent in recent times until the advent of E-commerce. Auction sites are a good example of C2C E-commerce.

Specialized forms of E-commerce

On some platforms, E-commerce has shown the promise of explosive growth.
Two such examples are:

• M-commerce: M-commerce is short for "mobile commerce." The rapid penetration of mobile devices with Internet access has opened new avenues of E-commerce for retailers.
• F-commerce: F-commerce is short for "Facebook commerce." The immense popularity of Facebook provides a captive audience to transact business.

2.4.4 Benefits of E-commerce

E-commerce has removed geographic boundaries and time restrictions. It has
thus multiplied the choice for customers, who can select goods and services
from a wide variety with a click of the mouse.

• Elimination of geographic boundaries: If you have a physical store, you are limited by the geographical area that you can service. With an E-commerce website, the whole world can access it.
• Search Engine: Customers can enter a word in a search engine site, say Google, and can see thousands of pages available to choose from.
• Lower Costs: Since a manufacturer can offer goods directly to a customer, intermediary costs can be reduced to a great extent.
• Eliminate Travel Time and Cost: It is not unusual for customers to travel long distances to reach their preferred physical store. E-commerce allows them to visit the same store virtually, with a few mouse clicks.
• Provide Comparison Shopping: E-commerce facilitates comparison shopping. There are several online services that allow customers to browse multiple E-commerce merchants and find the best prices.
• Provide Abundant Information: There are limitations to the amount of information that can be displayed in a physical store. It is difficult to equip employees to respond to customers who require information across product lines. E-commerce websites can provide additional information which can be made easily available to customers. Most of this information is provided by vendors, and does not cost anything to create or maintain. Information is available not only about product features, but also about the experiences shared by users about a product or about a vendor.
• Remain Open All the Time: Store timings are now 24/7/365. E-commerce websites can run all the time. From the merchant's point of view, this increases the number of orders they receive. From the customer's point of view, an "always open" store is more convenient.

2.4.5 Disadvantages of E-commerce

Following are the disadvantages of E-commerce:

• It lacks personal touch: While dealing with a retailer in real life, we witness that a rapport is developed between a buyer and a seller which gives comfort to the buyer about the quality of goods being purchased. In case of buying online, everything is impersonal.
• E-commerce delays goods: In most cases, it takes a few days for the merchant to deliver the goods to the customer. The issues are either with the merchant himself for non-availability of goods in the godown or with a courier company delivering the goods.
• Many goods cannot be purchased online: Despite its many conveniences, there are goods that you cannot buy online. Most of these would be in the categories of "perishable" or "odd-sized." Likewise, a dining table set can certainly be purchased online. In some cases, the cost of logistics is bearable. But if you have to return the furniture, you will experience the inconvenience of E-commerce.
• E-commerce does not allow you to experience the product before purchase: One cannot touch the fabric of a garment if one wants to buy it. You cannot check how the shoe feels on your feet. You cannot check electronic goods like a TV or laptop.
• Authenticity of the merchant: We would not know the credibility of the merchant offering the goods. In many cases, it would be difficult to trace the physical location from where the merchant is operating for resolving the disputes.
• Security: When making an online purchase, you have to provide at least your credit card information and mailing address. In many cases, E-commerce websites are able to harvest other information about your online behavior and preferences. This could lead to credit card fraud, or worse, identity theft.

E-commerce is certainly an alternative to the traditional form of commerce. But it
has yet to reach a mature stage, especially in the emerging economies and
underdeveloped countries. A robust legal and judicial system to protect the
interests of both parties, along with awareness and proper knowledge of
E-commerce, would make it a reliable and preferred solution in the time to come.

2.4.6 Components of E-commerce

• Create a website that promotes your products;
• Obtain an Internet address;
• Hire space on a web-hosting company;
• Upload the pages giving information about product, company and other related information useful for the buyer to take the decision;
• Add a payment system for facilitating the customers to pay online using credit or debit card or internet banking account as per his/her choice;
• Use various promotion services to get your site noticed.

Secure Electronic Transfer (SET) is a standard protocol for securing credit
card transactions over insecure networks, specifically, the Internet. SET was not
itself a payment system, but rather a set of security protocols and formats that
enable users to employ the existing credit card payment infrastructure on an
open network in a secure fashion.

SET was intended to become the de facto standard payment method on the
Internet between the merchants, the buyers, and the credit-card companies.
Despite heavy publicity, it failed to win market share. Reasons for this include:

• Network effect - need to install client software (an e-wallet).
• Cost and complexity for merchants to offer support and comparatively low cost and simplicity of the existing Secure Socket Layer based alternative.
• Client-side certificate distribution logistics.

Key features of SET

To meet the business requirements, SET incorporates the following features:

• Confidentiality of information
• Integrity of data
• Cardholder account authentication
• Merchant authentication

A SET system includes the following participants:

• Cardholder
• Merchant
• Issuer
• Acquirer
• Payment gateway
• Certification authority

The sequence of events required for a transaction is as follows:

• The customer obtains a credit card account with a bank that supports electronic payment and SET.
• The customer receives an X.509v3 digital certificate signed by the bank.
• Merchants have their own certificates.
• The customer places an order from the merchant.
• The merchant sends the customer his/her public key and a copy of its certificate so that the customer can verify that it's a valid store.
• The customer sends the merchant:
  - His/her certificate.
  - His/her order details encrypted with the merchant's public key.
  - His/her bank account details encrypted with the bank's public key.
• The merchant requests payment authorization by sending the bank:
  - The payment details encrypted with the bank's public key.
  - The customer's bank account details encrypted with the bank's public key.
• The bank sends the merchant a confirmation with the merchant's public key.
• The merchant sends to the client the response of the bank encrypted with the client's public key.
• The merchant ships the goods or provides the service to the customer.
• The merchant sends the bank a transaction request encrypted with the bank's public key.
• The bank transfers the payment to the merchant.

SSL protocol is considered more secure and is now widely in use for secure
transactions.

2.4.7 Payment gateway

Payment gateway is an E-commerce application service provider that authorizes
payments for e-businesses, online retailers, bricks and clicks, or traditional brick
and mortar. It is the equivalent of a physical Point Of Sale (POS) terminal located
in most retail outlets. Payment gateways protect credit card details by encrypting
sensitive information, such as credit card numbers, to ensure that information is
passed securely between a customer and a merchant and also between merchant
and the payment processor.

A payment gateway is a service that authenticates and automates electronic
payments made by customers to E-commerce merchants. It allows E-commerce
merchants to accept credit cards on their websites.

A payment gateway is an interface between banks (or financial institutions),
customers and a merchant. It facilitates the transfer of money from a customer’s
account to a merchant's account.

A payment gateway facilitates the transfer of information between a payment
portal (such as a website, mobile phone or IVR service) and a Front End
Processor or acquiring bank. When a customer orders a product from a payment
gateway-enabled merchant, the payment gateway performs a variety of tasks to
process the transaction:

• A customer places an order on a website by pressing the 'Submit Order' or equivalent button, or perhaps enters his/her card details using an automatic phone answering service.
• If the order is via a website, the customer's web browser encrypts the information to be sent between the browser and the merchant's webserver. This is done via SSL (Secure Socket Layer) encryption.
• The merchant then forwards the transaction details to their payment gateway. This is another SSL encrypted connection to the payment server hosted by the payment gateway.
• The payment gateway forwards the transaction information to the payment processor used by the merchant's acquiring bank.
• The payment processor forwards the transaction information to the card association (e.g., Visa/MasterCard).
  - If an American Express or Discover Card was used, then the processor acts as the issuing bank and directly provides a response of approval or denial of a transaction to the payment gateway.
  - Otherwise [e.g.: a MasterCard or Visa card was used], the card association routes the transaction to the correct card issuing bank.
• The credit card issuing bank receives the authorization request and checks balance in the account, updates balance in the account after passing necessary accounting entries and then sends a response back to the processor (via the same process as the request for authorization) with a response code [e.g.: approved, denied]. In addition to communicating the fate of the authorization request, the response code is used to define the reason why the transaction failed (such as insufficient funds, or bank link not available). Meanwhile, the credit card issuer holds an authorization associated with that merchant and consumer for an approved amount. This can impact the consumer's ability to further spend (e.g.: because it reduces the line of credit available or because it puts a hold on a portion of the funds in a debit account).
• The processor forwards the authorization response to the payment gateway.
• The payment gateway receives the response, and forwards it on to the website (or whatever interface was used to process the payment) where it is interpreted as a relevant response then relayed back to the merchant and cardholder. This is known as the Authorization or "Auth".
• The entire process typically takes 2–3 seconds.
• The merchant then fulfills the order and the above process is repeated but this time to "Clear" the authorization by consummating the transaction. Typically the "Clear" is initiated only after the merchant has fulfilled the transaction (e.g.: shipped the order). This results in the issuing bank 'clearing' the 'auth' (i.e.: moves auth-hold to a debit) and prepares them to settle with the merchant acquiring bank.
• The merchant submits all their approved authorizations, in a "batch" (e.g.: end of day), to their acquiring bank for settlement via its processor.
• The acquiring bank makes the batch settlement request of the credit card issuer.
• The credit card issuer makes a settlement payment to the acquiring bank (e.g.: the next day).
• The acquiring bank subsequently deposits the total of the approved funds in to the merchant's nominated account (e.g.: the day after). This could be an account with the acquiring bank if the merchant does their banking with the same bank, or an account with another bank.
• The entire process from authorization to settlement to funding typically takes 3 days.

Many payment gateways also provide tools to automatically screen orders for
fraud and calculate tax in real time prior to the authorization request being sent
to the processor.

2.4.8 Types of payment gateways

There are two primary types of payment gateways, based on where the transaction
processing code resides:

• Merchant Side API: In this type, the transaction processing code
resides on the E-commerce merchant's server, and accesses the payment
gateway by using an API (Application Programming Interface).
• A Secure Order Form: This is a more common implementation. It
redirects customers to the website of the payment gateway provider. After
the payment is processed, the customer is returned to the E-commerce
merchant's website.

2.4.9 Authentication of payment

Despite warnings, many people use the same password on multiple websites. So if
their password is discovered (or hacked) on one website, their accounts on other
websites would be vulnerable to misuse by the fraudsters.

That is the reason why a mere password is inadequate for authentication on an
E-commerce website. Password based authentication relies on "what you know"
evidence. If you know the password you gain entry; otherwise you are not allowed
to access an account. But "what you know" is not the only acceptable type of
evidence for authentication. There are two more types of authentication, based
on:

• Who you are
• What you have

Authenticating with two different types of evidence is called "Two Factor
Authentication." It is commonly abbreviated as TFA or 2FA.

Example of Two Factor Authentication

The "who you are" category requires the use of biometric identification. This
could be something as basic as a thumb impression, but that would be difficult to
use on the internet. Instead, the second factor can be something the customer
has: a one-time password sent through a different mode of communication, such as
an SMS to a mobile phone. When a customer requests login, the E-commerce website
infrastructure can create a one-time password and message it to the customer's
cell phone. A combination of a user name, password, and the one-time password
can authenticate a customer.
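
The login flow described above, as an added example that is not part of the course material: the site checks the password, issues a one-time password, and accepts it only once, before it expires, and within a limited number of guesses. The class and function names, the six-digit length, the 180-second lifetime and the three-guess limit are assumptions, and SMS delivery is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

OTP_DIGITS = 6         # assumed OTP length
OTP_TTL_SECONDS = 180  # assumed validity period
MAX_ATTEMPTS = 3       # assumed number of guesses allowed per OTP


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen user table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoFactorLogin:
    """Password check ("what you know") followed by an OTP ("what you have")."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}    # user -> (salt, password hash)
        self._pending = {}  # user -> outstanding OTP record

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, _pw_hash(password, salt))

    def start(self, user: str, password: str) -> Optional[str]:
        """Step 1: verify the password, then issue an OTP.

        Returns the OTP for the caller to pass to its SMS gateway, or None
        if the user name or password is wrong."""
        # Unknown users still go through the hash so timing does not differ.
        salt, stored = self._users.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(_pw_hash(password, salt), stored):
            return None
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        otp_salt = secrets.token_bytes(16)
        # Keep only a salted digest; a new request replaces any earlier OTP.
        self._pending[user] = {
            "salt": otp_salt,
            "digest": hashlib.sha256(otp_salt + otp.encode()).digest(),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return otp

    def finish(self, user: str, otp: str) -> bool:
        """Step 2: accept the OTP once, before expiry, within the guess limit."""
        rec = self._pending.get(user)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[user]
            return False
        rec["attempts"] += 1
        candidate = hashlib.sha256(rec["salt"] + otp.encode()).digest()
        ok = hmac.compare_digest(candidate, rec["digest"])
        # Burn the OTP on success (single use) or when the guesses run out.
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]
        return ok


if __name__ == "__main__":
    site = TwoFactorLogin()
    site.register("asha", "S3cret-phrase")       # constructed sample account
    code = site.start("asha", "S3cret-phrase")   # would be sent by SMS
    print("OTP accepted:", site.finish("asha", code))
    print("OTP replay accepted:", site.finish("asha", code))
```
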

Advantage of Two Factor Authentication

The clear advantage of two factor authentication is the increased level of
security. The higher the security, the lower the incidence of fraud. The lower
the incidence of fraud, the higher the confidence to transact online. Thus the
E-commerce player who implements two factor authentication gains.

Disadvantage of Two Factor Authentication

Increased security causes increased inconvenience to users. There are websites
that allow users the option of activating two factor authentication. But it is
observed that a large proportion of users do not opt in for the higher level of
security. You could argue that they have not thought it through, but it is as likely
that they cannot tolerate the added inconvenience.

The Legal Angle: If a fraud takes place and customers hold merchants responsible
for inadequate security measures, the merchants would have a stronger case if
they had implemented two factor authentication on their E-commerce website.

2.4.10 Let us sum up

Information Technology has opened new dimensions of doing business. One of
them is Electronic commerce. E-commerce is carrying out business transactions
using the Internet through merchants' websites. Examples of E-commerce
include Internet Banking, Online Ticket Booking, Online Trading, Online
auctioning etc. There are various types of E-commerce: Business to
Business, Business to Consumer and Consumer to Consumer. The other forms of
E-commerce are M-Commerce and F-Commerce. There are various benefits of
E-commerce, such as that goods/items can be ordered at any time of the day and it
is open 24X7. However, there are disadvantages too. The items to be purchased
cannot be physically seen and felt while buying. Secure Electronic Transfer (SET)
is a standard protocol used for authentication of credit card transactions.
Payment gateways are used to authenticate the payments made online. Payment
gateways can be used from the merchant side through an API, as well as from a
website while filling in an order form.

2.4.11 Key words

E-commerce, M-Commerce, F-Commerce, EDI, B2B, B2C, C2C, SET

2.4.12 Check your progress- Questions

Fill in the blanks Questions:

1. TFA means ----------------------------.
2. SSL means ----------------------------
3. B2B means ----------------------------
4. B2C means ----------------------------
5. In case of two factor authentication:
a. One time password is sent twice
b. One time password is sent through two different media
c. One time password is to be keyed in twice
d. None of these

Key to questions asked

1. Two Factor Authentication
2. Secure Sockets Layer
3. Business to Business Commerce
4. Business to Consumers Commerce
5. b

2.4.13 Terminal questions

• Give examples of E-commerce.
• What are the advantages and disadvantages of E-commerce?
• How is a payment gateway secure and safe for effecting E-commerce
transactions? Explain its mechanism.

2.5 Lesson No. 5 Back office operations

2.5.1 Objectives
2.5.2 Back Office Operations
2.5.3 Inter Bank Reconciliation
2.5.4 Investment Management
2.5.5 FOREX Management
2.5.6 Risk Management
2.5.7 Customer Relationship Management
2.5.8 Data Centre Management
2.5.9 Let us sum up
2.5.10 Key words
2.5.11 Check your progress-questions
Key to check your progress
2.5.12 Terminal questions

2.5.1 Objectives

The objectives of this lesson are to understand

• The details of various internal workings of a bank which are handed over
to CBS
• How to leverage Core Banking Solutions to derive maximum benefits

2.5.2 Back-office Operations

In the Core Banking scenario, from the customers' perspective, banking services
are made available through multiple delivery channels, making it convenient for
them to operate their accounts from anywhere and at any time as per their needs.
From the Banks' perspective too, Core Banking brings about a material change in
managing the affairs of a Bank. Core Banking helps banks to segregate the
customer centric activities and back-office activities in the branches. The back
office activities are pooled at centralized places or at regional clusters as per
the needs. Branches therefore become customer centric selling outfits where the
bank can sell banking products and provide services to the customers.

Back office operations bring to the fore other challenges that have to be managed
by Banks. The following activities are to be handled with care and caution to
ensure that the operational risks are minimized.

Cheque Collection: Banks have been creating clusters where cheques are
processed. Cheques deposited by customers for collection through local clearing
are handled at these centres. Using cheque scanning techniques, the images of
cheques are transferred from the branches if cheque deposit machines are
provided at the E-lobby; otherwise scanning is done at these centres. Data entry
is done based on the scanned images. The data is then uploaded into the core
banking system for giving credit to customers. Wherever cheque truncation has
started, the images in the required formats are sent to the clearing house and the
physical cheques are retained at the centre.

These centres also handle cheques received through inward clearing. The flat file
received from the clearing house is uploaded into the core banking system. It does
the automatic posting to the customers' accounts if the six digit account number
is printed on the MICR band. This helps Banks to do the apparent tenor checking
and signature checking.

In outward cheque collection and inward cheque processing, it is essential that
the Bank defines the process flow. The process flow is to be documented and it is
to be ensured that the activities happen as per the process flow only. A process
audit has to be carried out. Setting up centres of this nature helps to develop
specialization. In case of outward clearing, it can be ensured that instruments are
credited to the account of the payee named in the instrument and that the cheques
sent for collection are not post-dated or stale cheques. In case of inward clearing,
Banks minimize the risk of wrong payment by taking different types of
precautions.

The UV (ultra violet lamp) enabled scanners help banks to identify fake
cheques as well as altered cheques. There have been instances wherein colored
Xerox copies of the instruments have been presented through clearing. In the
cheque scanning tool, it is possible to set the limits for double authentication.
Accordingly, instruments drawn for an amount in excess of Rs. 1 lakh can be
checked by two officers to minimize the chances of wrong payment.

At these centres the custody of the instruments and related documents is critical.
It is essential to lay down a procedure to ensure that the documents/instruments
are shifted at regular intervals to the archival centres. The backup of the images
also has to be moved to the archival centre. These images are to be provided to
the branches through a Document Management solution in case they are required
for addressing grievances/enquiries from customers.

2.5.3 Inter Bank Reconciliation

Reconciliation of accounts has to be done at regular intervals. Inter Bank
reconciliation is required as Banks are required to maintain accounts with
different Banks for various purposes. For clearing of inward and outward cheques
or for ECS (debit & credit) transactions, an account is to be maintained
with RBI or SBI or any Bank managing the clearing house activity. For settlement
of inter-bank money market transactions as well as for buying and selling of
government securities, an account is to be maintained with RBI or with the Bank
where the Bank has its SGL account. For ATM transactions, if the Bank is
participating directly in NFS, it has to have an account with RBI. If it is
participating through a sponsor Bank, the account will have to be maintained with
that sponsor bank. If it is participating in any other ATM consortium such as
'Bancs', it will have to maintain an account with the designated bank. If the Bank
has enabled settlement of utility bills and E-commerce transactions through Bill
Desk, it will have to maintain an account with the named bank as per the agreement
with Bill Desk. The list of accounts opened for various purposes is unending.

The reconciliation of these accounts at regular intervals, weekly or fortnightly,
is essential to take action on the un-reconciled entries. While transactions
related to security trading and inter-bank money market transactions would be
very limited in number, in case of ATM, Bill Desk and cheque collection, the
transactions would run into lakhs per day. The reconciliation of these accounts
would hardly be possible through manual operations; automated tools have to be
used for these purposes. The tools have to be reviewed at periodic intervals
to ensure that no bugs exist therein. In case of ATM transactions, RBI has asked
Banks to pay a penalty of Rs. 100 per day if the amount is not reversed within five
days after it is reported in case of unsuccessful transactions. In case of NEFT
transactions too, RBI has stipulated a penalty for delay in payment. The
reconciliation of accounts is therefore of supreme importance. A reporting
mechanism has to be developed for the exceptions in reconciliation reports.
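
An automated reconciliation of the kind described above, as an added example that is not a tool from the course material: it matches ATM switch records against core banking ledger postings and ages the unsuccessful transactions that were debited but not reversed. The record layouts, field names and sample data are constructed, and the penalty is computed as Rs. 100 for each day beyond the five-day window, which is this example's reading of the rule.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVERSAL_WINDOW_DAYS = 5   # from the rule quoted above
PENALTY_PER_DAY = 100      # rupees, from the rule quoted above


@dataclass(frozen=True)
class SwitchRecord:            # one line of the ATM switch file (constructed layout)
    ref: str                   # transaction reference shared with the ledger
    amount: int                # rupees
    dispensed: bool            # False = unsuccessful transaction, no cash paid
    reported: Optional[date] = None   # date the failure was reported, if any


@dataclass(frozen=True)
class LedgerEntry:             # one posting in the core banking ledger
    ref: str
    kind: str                  # "DEBIT" or "REVERSAL"
    amount: int
    posted: date


def reconcile(switch, ledger, as_of):
    """Return (reference, exception code, penalty in rupees) for every
    entry that does not reconcile as of the given date."""
    debits = {e.ref: e for e in ledger if e.kind == "DEBIT"}
    reversals = {e.ref: e for e in ledger if e.kind == "REVERSAL"}
    exceptions = []
    for s in switch:
        debit, reversal = debits.get(s.ref), reversals.get(s.ref)
        if s.dispensed:
            if debit is None:
                exceptions.append((s.ref, "CASH_PAID_NOT_DEBITED", 0))
            elif debit.amount != s.amount:
                exceptions.append((s.ref, "AMOUNT_MISMATCH", 0))
            elif reversal is not None:
                exceptions.append((s.ref, "CASH_PAID_BUT_REVERSED", 0))
        elif debit is not None:
            # Customer was debited without receiving cash: a reversal is due.
            closed = reversal.posted if reversal else as_of
            late = 0
            if s.reported is not None:   # the clock starts when it is reported
                late = max(0, (closed - s.reported).days - REVERSAL_WINDOW_DAYS)
            if reversal is None:
                exceptions.append((s.ref, "REVERSAL_PENDING", late * PENALTY_PER_DAY))
            elif late:
                exceptions.append((s.ref, "REVERSED_LATE", late * PENALTY_PER_DAY))
        elif reversal is not None:
            exceptions.append((s.ref, "REVERSAL_WITHOUT_DEBIT", 0))
    known = {s.ref for s in switch}
    for ref in debits:
        if ref not in known:
            exceptions.append((ref, "LEDGER_DEBIT_WITHOUT_SWITCH_RECORD", 0))
    return exceptions


def sample_data():
    """Constructed sample: six switch records and the matching ledger."""
    switch = [
        SwitchRecord("T001", 5000, True),
        SwitchRecord("T002", 2000, False, date(2023, 1, 10)),
        SwitchRecord("T003", 1000, False, date(2023, 1, 12)),
        SwitchRecord("T004", 3000, True),
        SwitchRecord("T005", 4000, False, date(2023, 1, 2)),
        SwitchRecord("T006", 1500, True),
    ]
    ledger = [
        LedgerEntry("T001", "DEBIT", 5000, date(2023, 1, 9)),
        LedgerEntry("T002", "DEBIT", 2000, date(2023, 1, 9)),
        LedgerEntry("T003", "DEBIT", 1000, date(2023, 1, 11)),
        LedgerEntry("T003", "REVERSAL", 1000, date(2023, 1, 14)),
        LedgerEntry("T005", "DEBIT", 4000, date(2023, 1, 1)),
        LedgerEntry("T005", "REVERSAL", 4000, date(2023, 1, 10)),
        LedgerEntry("T006", "DEBIT", 1000, date(2023, 1, 15)),
        LedgerEntry("T999", "DEBIT", 700, date(2023, 1, 16)),
    ]
    return switch, ledger, date(2023, 1, 20)


if __name__ == "__main__":
    for ref, reason, penalty in reconcile(*sample_data()):
        print(f"{ref}  {reason:36s} penalty Rs. {penalty}")
```
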

2.5.4 Investment Management

Banks are allowed to park surplus funds in different investment avenues available
as permitted by RBI. Banks can invest in G-sec securities, commercial paper,
certificate of deposits and can also lend or borrow funds in the money market for
meeting temporary requirements. Banks also keep surplus funds for short period
in fixed deposit schemes of large banks. The investment management is of utmost
importance for the Banks as twin purposes have to be achieved while handling
investment operations:

It is to be ensured that the Bank complies without fail with the SLR (statutory
liquidity ratio) and CRR (cash reserve ratio) obligations stipulated by RBI;

It is also to be ensured that a Bank is not out of liquidity and that the earnings on
surplus funds invested in above options generate surplus over the cost of funds
and cost of managing investment operations.

2.5.5 FOREX operations

Many banks have been authorized by RBI to do forex transactions for their
customers. Banks handling forex operations provide their customers services
such as lending in the form of pre-shipment credit and post-shipment credit,
opening of letters of credit, keeping deposits/surplus in foreign currency, buying
and selling of foreign currency for travel purpose. For undertaking these
activities Banks enter into a correspondent relationship with foreign Banks and
hold account with those Banks in different countries. Apart from reconciliation of
these accounts, Banks have to ensure that the transactions are in keeping with
RBI guidelines and provisions of FEMA (Foreign Exchange Management Act).
Banks also have to submit statutory returns of different types at periodic intervals
to RBI. These submissions too can be automated using Core Banking Solution.

2.5.6 Risk management

Technology, introduced in a Bank either in the form of branch automation or a
Core Banking Solution, brings with it operational risk in the form of
technology risk. Risk management techniques have to be evolved to minimize the
risks involved in this regard. Technology enables Banks to calculate interest and
apply it to accounts at periodic intervals without manual intervention. It is
essential to ensure that the interest calculation is not wrong and is not skipped
for any account or any set of accounts in any branch of a Bank. Tools have to be
developed to identify such instances so that corrective steps can be taken. It is
also necessary to monitor the credits in the accounts for KYC purposes. Banks
receive credits electronically in various forms: through RTGS, NEFT, ECS, SWIFT
and fund transfers through internet banking. All these transactions are invisible
transactions. Alerts have to be built in on these transactions to identify
accounts where the credits are inconsistent with the means of the customers.
Systems are handled by the employees of the Bank, which also carries a risk to
the organization. The audit trail has to be monitored to ensure that transactions
are not effected by employees who are not authorized to do so. At the data centre,
it is possible to carry out changes in a database from the back-end without using
the application. Such changes have to be approved ones. A mechanism such as
change management request handling has to be in place. Periodic checking of logs
is essential to ensure that unauthorized changes are not effected in the database.
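
The periodic log check described above, as an added example that is not part of the course material: it reads database audit records and reports every write made outside the banking application that no approved change request covers. The log format, account and program names, table names and change request id are all constructed for illustration.

```python
from datetime import datetime

APP_DB_USER = "cbs_app"   # assumed database account of the banking application
APP_PROGRAM = "CBSAPP"    # assumed program name the application connects with
WRITE_ACTIONS = {"INSERT", "UPDATE", "DELETE", "ALTER", "DROP", "TRUNCATE", "GRANT"}

# Constructed audit records: a timestamp followed by key=value fields.
SAMPLE_LOG = """\
2023-03-01T10:02:11 db_user=cbs_app program=CBSAPP action=UPDATE table=ACCOUNTS
2023-03-01T22:15:40 db_user=dba_ravi program=sql_console action=UPDATE table=INTEREST_RATES
2023-03-01T23:40:12 db_user=dba_ravi program=sql_console action=UPDATE table=ACCOUNTS
2023-03-02T01:05:03 db_user=dba_meena program=sql_console action=SELECT table=ACCOUNTS
2023-03-02T03:30:00 db_user=dba_meena program=sql_console action=DELETE table=AUDIT_TRAIL
corrupted line without fields
2023-03-02T22:30:00 db_user=dba_ravi program=sql_console action=UPDATE table=INTEREST_RATES
2023-03-02T23:05:00 db_user=cbs_app program=sql_console action=UPDATE table=ACCOUNTS
"""

# Constructed change-management register: who may change which table, and when.
APPROVED_CHANGES = [
    {"id": "CR-EXAMPLE-1", "db_user": "dba_ravi", "table": "INTEREST_RATES",
     "start": datetime(2023, 3, 1, 22, 0), "end": datetime(2023, 3, 1, 23, 0)},
]


def parse_line(line):
    """Return the record as a dict, or None if the line cannot be parsed."""
    parts = line.split()
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"when": when, "db_user": fields["db_user"],
                "program": fields["program"],
                "action": fields["action"].upper(),
                "table": fields["table"].upper()}
    except (IndexError, ValueError, KeyError):
        return None


def approval_for(rec, approved):
    """Return the id of the change request covering this write, if any."""
    for cr in approved:
        if (cr["db_user"] == rec["db_user"] and cr["table"] == rec["table"]
                and cr["start"] <= rec["when"] <= cr["end"]):
            return cr["id"]
    return None


def review(log_text, approved):
    """Return (line number, finding, detail) for each record needing follow-up."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            # Never drop a record silently: a gap in the trail is itself a finding.
            findings.append((n, "UNPARSEABLE", line.strip()))
            continue
        # Application traffic needs both the application account and program;
        # the application account used from a console counts as back-end access.
        from_app = rec["db_user"] == APP_DB_USER and rec["program"] == APP_PROGRAM
        if from_app or rec["action"] not in WRITE_ACTIONS:
            continue
        if approval_for(rec, approved) is None:
            detail = f'{rec["db_user"]} {rec["action"]} {rec["table"]}'
            findings.append((n, "UNAPPROVED_BACKEND_CHANGE", detail))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG, APPROVED_CHANGES):
        print(finding)
```

The approved update inside its change window passes, while the same account touching another table, or the same table a day later, is reported.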

2.5.7 Customer Relationship Management

Core Banking has enabled banks to make the branches customer centric selling
outfits. Since the employees at branches would be focused on customer service, it
would be possible to do marketing as well as pay attention to the needs and
requirements of the customers. Banks can distribute the accounts of high net
worth individuals to the officers/staff at the branch. The concerned officers will
have to manage the portfolio of accounts of those customers assigned to them.

For effectively monitoring the portfolio, CRM tools would be of great use to
banks. Using such tools, employees can undertake the following activities:

Update the profiles of customers. In the customer profile, the accounts officer
or relationship officer will have to update the residential address, office
address, income details, wealth details and the details of kith-and-kin.

Identify the products sold to the customers to ascertain the potential to do the
cross selling and up selling of the products. If a customer has savings account,
offer him term deposit related products, insurance products, mutual fund
products as well as loan products and vice versa.

Get the details of the customer's acquaintances, whether related to him or not,
for offering the Bank's products;

Find out the reasons for transfer of funds to another Bank if done without the
knowledge of the relationship manager;

CRM tool can also be used for handling the inbound calls of the customers. Since
banking services are made available through various delivery channels,
customers would have queries on many counts from operations in the accounts to
PIN related issues to receiving of cheque book or statement of account through
courier. Customer will have to be provided a centralized centre where such calls
would be received. CRM used for this purpose would help bank track the nature
of calls, identify the deficiencies in the system, pain areas for the customers and
take corrective steps in this regard.

The CRM tool would also be of use for handling outbound calls. Existing customers
can be offered different bank products by directly calling them, and potential
customers can be approached based on the available database, subject to the
guidelines of ERDA in this regard.

2.5.8 Data Centre Management

The data centre is the most critical facility for a Bank. The entire data of a
Bank resides at the data centre. The centre has to be at a secure and safe
place. The entire branch operations and back office operations depend
on the data centre. Data Centre Management is therefore of prime importance for a
Bank. For maintaining a Data Centre, the following areas are to be
monitored/managed effectively.

Network connectivity: All the branches and back offices would be connected to the
data centre. Banks have to ensure that the connectivity of all the locations is up
and running 24/7, as banking services would be availed from any channel,
from any place, at any time by the customers. Apart from connectivity, in
network management we have to ensure that connections are received from
authorized users only. Firewalls have to be monitored using the appropriate
rules. For smooth functioning of the branches, using Network Management
Software, we have to ensure that the traffic is not getting congested due to
broadcasting from any machine within a branch or on the intranet.

Data Centre Servers: The servers are to be monitored to ensure that adequate
space is available on the hard discs. The memory provided in these servers should
be adequate to handle the running load. The antivirus updates/patches have to be
applied at regular intervals (daily). Servers are to be scanned fully on a day to
day basis to detect viruses, if any, that have crept into the system. Operating
system related patches as well as other patches for the application software have
to be applied without delay. The maintenance of servers has to be carried out
by the authorized vendors at regular intervals.

In addition to the data servers, database maintenance is also a critical
activity. The database logs have to be monitored regularly at the data centre as
well as from remote locations to ensure that exceptional changes are not carried
out. For maintaining the satisfactory performance of the system, it is to be
ensured that periodic maintenance such as rebuilding of indexes, gathering
of statistics and purging of data is carried out.

Disaster Recovery Centre: For business continuity purposes, it is essential
to maintain, as far as possible, an exact replica of the data centre in a
non-seismic zone. The data from the data centre will have to be log shipped to the
Disaster Recovery Centre continuously as per the policy of the Bank.

2.5.9 Let us sum up

While Core Banking Solution (CBS) has taken care of all the front office activities,
the back-office activities are pooled together at a centralized place at regional
clusters. There are various activities that are handled at back-office, such as
cheque collections, inter-bank reconciliations, investment management, Forex
management and risk management. The other activities such as data center
management, network management, DRS site management are also handled at
back-office without involving branches. CRM helps bank branches to cross-sell or
up-sell the bank products to customers. It also helps to capture the details of
relatives of customers and their friends in the banks' databases for offering
various products of banks by approaching them over phone, through mails or SMSs
or by personally meeting them if they are found to be high net worth potential
customers.

2.5.10 Key words

Back-Office, CRM, Front-Office, CRR, SLR, FEMA, RBI, SBI, RTGS, NEFT,
ECS, SWIFT, MICR

2.5.11 Know your progress questions

1. Which one of the following is not a back office operation?
a. Cheque collection
b. Opening of Accounts
c. Attending to customers in branch
d. Carrying out reconciliation

2. UV lamp means ----------------

3. DRC stands for -----------------

4. UV is useful for the following purpose:
a. To view the enlarged image of the signature on the cheque
b. To view alterations in the instrument presented through clearing
c. To view if the instrument is colored Xerox
d. None of the above.

5. In Core Banking the branches are connected to the data centre through
a. Leased line connectivity or ISDN connectivity
b. Not connected to remote place
c. Dial up connectivity
d. Internet

Key to questions asked

1. c
2. Ultra Violet lamp
3. Disaster Recovery Centre
4. b
5. a

2.5.12 Terminal-Questions

• What are the activities which can be shifted from branches to centralized
locations?
• What are the activities that are carried out from a Bank Data Centre?
• What are the critical areas that are to be addressed at a Data Centre?

2.6 Lesson No. 6 Important Terminology

2.6.1 Objectives

2.6.2 Introduction to important terminology

2.6.2.1 Electronic Money

2.6.2.2 E-cheque

2.6.2.2.3 MICR Electronic Clearing

2.6.2.2.4 Digital Signature

2.6.2.5 PKI

2.6.2.6 Secure Electronic Payment Protocol (SEPP)

2.6.2.7 RFID

2.6.3 Let us sum up

2.6.4 Key words

2.6.5 Check your progress questions

Key to questions asked

2.6.6 Terminal questions

2.6.1 Objectives

The objective of this lesson is to understand the meaning of various terms that
one comes across in electronic payment systems.

2.6.2 Introduction

Electronic Money: Currency notes and coins are in use for buying and
selling of goods and services. Today, although much of the money used by
individuals in their day to day transactions is still in the form of notes and coins,
its quantity is small in comparison with the intangible money that exists only as
entries in bank records. Perhaps coins and banknotes will become obsolete over a
period of time.

2.6.3 Electronic money

Electronic money (also known as e-currency, e-money, electronic cash, electronic
currency, digital money, digital cash, digital currency, cyber currency)
is money or scrip that is only exchanged electronically. Credit cards and debit
cards can be termed electronic money; they replace physical cash. ECS, NEFT and
RTGS transactions are the advanced forms of electronic money. In case of
ECS, a customer can get periodic credits in his/her account on account of
interest or dividend payments after registering the account details. In case of
NEFT and RTGS transactions, a customer can use Internet Banking to transfer
funds from one account to another account. For effecting these transactions the
customer needs to know the passwords given by the bank.

There are two types of e-money: online e-money and offline e-money. Online
means you need to interact with a bank (via modem or network) to conduct a
transaction with a third party. Offline means you can conduct a transaction
without having to directly involve a bank. Offline e-money was in existence when
the Core Banking was not in place in Banks. In those days credit cards used to be
in the form of offline E-Money.

2.6.3.1 E-Cheques

E-cheque is a form of payment made via the internet which performs the same
function as a conventional paper cheque. Since the cheque is in an electronic
format, it can be processed in fewer steps and has more security features than a
standard paper cheque. Security features provided by electronic cheque include
authentication, public key cryptography, digital signatures and encryption.
Electronic cheques have been developed in response to the transactions that have
arisen in the world of electronic commerce.

In India, requisite amendments have been made to include the E-cheque. The
Negotiable Instruments Act recognizes the E-cheque in electronic form and the
truncated E-cheque. The truncated E-cheque is a reality in some parts of India. In
truncated E-cheques, customers continue to use physical cheques. When the payee
of a cheque deposits it for collection with his/her bank, the Collecting Bank does
not present the physical cheque to the Clearing House. Instead it sends the
electronic image of the cheque, duly encrypted with the built in public key and
private key security features, and retains the physical cheque at its end.

Section 6 of the Negotiable Instruments Act, 1881 has been amended in 2002. As
per the amendment a cheque is a bill of exchange drawn on a specified banker
and not expressed to be payable otherwise than on demand and it includes the
electronic image of a truncated cheque and a cheque in the electronic form.

Explanation I.-For the purposes of this section, the expressions

(a) "a cheque in the electronic form" means a cheque which contains the exact
mirror image of a paper cheque, and is generated, written and signed in a secure
system ensuring the minimum safety standards with the use of digital signature
(with or without biometrics signature) and asymmetric crypto system;

(b) "a truncated cheque" means a cheque which is truncated during the course of
a clearing cycle, either by the clearing house or by the bank whether paying or
receiving payment, immediately on generation of an electronic image for
transmission, substituting the further physical movement of the cheque in
writing. Necessary amendment has been made in the Negotiable Instruments Act
as per which, in case of a truncated cheque, even after the payment the banker
who received the payment shall be entitled to retain the truncated cheque. A
certificate issued on the foot of the printout of the electronic image of a truncated
cheque by the banker who paid the instrument, shall be prima facie proof of such
payment.

2.6.3.2 MICR electronic clearing

Cheque clearing is the dominant retail payment system in India. The model
rules and regulations are prescribed by RBI and are adopted by the clearing
houses spread across the country. There are over 1047 clearing houses in the
country today. RBI itself manages 16 such clearing houses, the SBI Group
manages the bulk of the clearing houses, numbering about 1000, and a few other
public sector banks manage the remaining clearing houses. The banks managing
the clearing houses also act as the settlement banks. Cheque clearing is done by
MICR technology at over 40 centres and manually at other centres. These MICR
centres are run by RBI, SBI, PNB and a few other PSU banks. To automate the
operations for handling huge volumes, the traditional clearing system is getting
replaced by MICR electronic clearing. The pre-requisite for running such a
clearing house is to have only MICR cheques presented. MICR stands for
Magnetic Ink Character Recognition. In the clearing house, using automated
processes, the cheques are sorted bank-wise by the system and given to the
Banks for further processing. Along with the cheques, Banks get a soft copy giving
details of the instruments presented through clearing, which helps them upload
it into the Core Banking system for posting transactions in the accounts.

MICR clearing is an electronic clearing system, as compared to the manual
clearing system, and is beneficial to all. The retail payments system in India,
comprising paper based and electronic systems, handles a large volume of
transactions. These relate to various customer segments spread across the country.

2.6.3.3 Digital signature

A digital signature or digital signature scheme is a mathematical scheme for
demonstrating the authenticity of a digital message or document. A valid digital
signature gives a recipient reason to believe that the message was created by a
known sender, and that it was not altered in transit. In India, digital signatures
are used for various purposes. In case of cheque truncation, a digital signature
is used for transmitting the images of cheques. Digital signatures are also used
for electronic filing of e-tax returns and of charges under the Companies Act.

2.6.3.4 PKI

A public-key infrastructure (PKI) is a set of hardware, software, people, policies,
and procedures needed to create, manage, distribute, use, store, and
revoke digital certificates. In India, the IT Act provides for a Controller for
Certifying Authorities (CCA) to license and regulate the working of Certifying
Authorities (CAs). The CCA certifies the public keys of the CAs using its
private key. NIC, TCS, 3i infotech, MTNL, Customs & Central Excise and IDRBT
are the Certifying Authorities in India.

2.6.3.5 Secure Electronic Payment Protocols (SEPP)

Secure Electronic Payments Protocol is an open specification for secure bank
card transactions over the Internet that was jointly developed by IBM, Netscape,
GTE, Cybercash and MasterCard. SEPP messages are transmitted as
Multi-purpose Internet Mail Extensions (MIME) attachments.

2.6.3.6 RFID

Radio Frequency Identification (RFID) is a generic term that is used to describe a
system that transmits the identity (in the form of a unique serial number) of an
object or person wirelessly, using radio waves. It is grouped under the broad
category of automatic identification technologies.

2.6.4 Let us sum up

Traditionally, currency notes and coins are exchanged while buying and selling
goods or services. However, today technology has made it possible to exchange
electronic money for trading or buying and selling transactions. Credit cards and
debit cards are examples of e-money. Cheques are presented electronically
through the cheque truncation mechanism. In cheque truncation only the images of
cheques are captured, and the movement of physical cheques is eliminated
with the use of technology. The MICR electronic clearing system is useful in
clearing bulk volumes of cheques. Digital signatures are used to authenticate a
message or document electronically.

2.6.5 Key Words

E-Money, E-Cash, E-currency, E-Cheque, MICR, PKI, SEPP, RFID, ECS, NEFT,
RTGS, CBS

2.6.6 Check your progress Questions

Fill in the blanks

1. SEPP stands for ------------
2. PKI stands for-------------
3. RFID stands for ---------------
4. Digital Signature is not used for which one of the following
a. Filing E-tax returns
b. Filing of charge with registrar of companies
c. For cheque truncation purpose in Banks
d. For filing returns with RBI
5. In case of cheque truncation, physical cheque remains with:
a. Collecting Bank
b. Paying Bank
c. Clearing House
d. Customer

Key to questions asked

1. Secure Electronic Payment Protocol
2. Public Key Infrastructure
3. Radio frequency identification
4. d
5. a

2.6.7 Terminal questions

• What is the use of MICR clearing? How has it helped Banks in India to handle
ever increasing volumes?
• Is the E-Cheque introduced in India? What is cheque truncation?
• What amendments have been made in the N I Act 1881 to include the E-cheque?

Unit 3: Cyber Crimes, Security and Control
Lesson No. 1 Introduction to Cyber crimes
Lesson No. 2 Types of cyber crimes
Lesson No. 3 Cybercrimes in banks
Lesson No. 4 Security and control
Lesson No. 5 IT laws and global initiatives

3 Unit 3: Cybercrimes, Security and Control

3.1 Lesson no. 15 Introduction to Cyber Crimes

3.1.1 Objectives
3.1.2 Ethics in Cyber Space
3.1.3 Privacy
3.1.4 Property
3.1.5 Security
3.1.6 Accuracy
3.1.7 Accessibility, Censorship, Filtering
3.1.8 Freedom of Information
3.1.9 Criminalisation of Cyber Space & Current Trends in Cyber Crimes
3.1.10 Definition of Cyber Crimes
3.1.11 Conventional Crime Vs Cyber Crime
3.1.12 Threats to Information Security in Banks in India
3.1.13 RBI Guidelines
3.1.14 Let us sum up
3.1.15 Key words
3.1.16 Check your progress-questions
Key to Check your progress
3.1.17 Terminal questions

3.1.1 Objectives

The objectives of this lesson are to understand

• Definition of cyber crimes
• What are the trends in criminalization of cyber space
• RBI guidelines to tackle this menace

3.1.2 Ethics in Cyber Space

Unlike most computer terms, "cyberspace" does not have a standard, objective
definition. Instead, it is used to describe the virtual world of computers. For
example, an object in cyberspace refers to a block of data floating around a
computer system or network. With the advent of the Internet, cyberspace now
extends to the global network of computers.

Cyberspace is a domain characterized by the use of electronics and the
electromagnetic spectrum to store, modify, and exchange data via networked
systems and associated physical infrastructures. In effect, cyberspace can be
thought of as the interconnection of human beings through computers and
telecommunication, without regard to physical geography.

In view of the anonymity with which cyberspace can be accessed and used, and of
the spectrum of information used and made available there, ranging from
financial to social information, it is evident that certain ethics should be
followed in using cyberspace. No law or protocol has been set to define the
ethics in this regard. Broadly, therefore, they encompass the following issues
that arise out of the usage of cyberspace.

3.1.3 Privacy

The privacy of individuals, and of important information related to bank
accounts or otherwise, is of utmost importance and gives a sense of autonomy.
The deprivation of privacy can even endanger a person's health. The internet and
the proliferation of private data through governments and E-commerce is a
phenomenon which requires a new round of ethical debate involving a person's
privacy.

Privacy can be understood as that which restrains others from intruding on
anyone's secrecy, anonymity, and solitude. Anonymity refers to the individual's
right to protection from undesired attention. Solitude refers to the lack of
physical proximity of an individual to others. Secrecy refers to the protection
of personalized information from being freely distributed.

Individuals surrender private information when conducting transactions and
registering for services. Ethical businesses protect the privacy of their
customers by securing information whose exposure may contribute to the loss
of secrecy, anonymity, and solitude. Credit card information, social security
numbers, phone numbers, mothers' maiden names and addresses freely collected
and shared over the internet may lead to a loss of privacy.

3.1.4 Property

Property means and includes intellectual property rights. The ever-increasing
speed of the internet and the emergence of compression technology, such
as mp3, opened the doors to peer-to-peer file sharing, a technology that allowed
users to anonymously transfer files to each other, previously seen in programs
such as Napster and now seen in communications protocols such
as BitTorrent. Much of this, however, was copyrighted music and illegal to
transfer to other users. Whether it is ethical to transfer copyrighted media is
another question.

Open source software is a new trend. It can be considered a rejoinder to
piracy. Everyone can access it freely. The Linux operating system and the MySQL
database are the best examples. It means that if piracy cannot be prevented by
any means, then open source can help generate earnings for the originator of the
idea. But open source cannot work in every field. In the entertainment media,
where films and music are pirated by copying the files, the appropriate option at
this juncture appears to be a law prohibiting such piracy.

3.1.5 Security

Every organization has its own network. Within the network, the activities are
carried out by the users. The network has to be safe and secure. It is not ethical to
trespass into others’ network without appropriate authority. Hacking of the
network for gaining access to the servers of any organization and thus gaining
control over the data and the application programs cannot be considered ethically
and morally right.

3.1.6 Accuracy

The Internet provides information on every issue: commercial, spiritual,
research, philosophical. The vital question is its authenticity. On Wikipedia you
get information on every topic. Experts in the field keep updating the site and
try to ensure that authentic information is made available. But at the same
time, miscreants can modify a document and give misleading and wrong
information. Ethically this includes debate over who should be allowed to
contribute content and who should be held accountable if there are errors in the
content or if it is false. This also brings up the questions of how the injured
party, if any, is to be made whole and under which jurisdiction the offense lies.

3.1.7 Accessibility, censorship and filtering

Accessibility, censorship and filtering bring up many ethical issues that have
several branches in cyber ethics. Internet censorship and filtering are used to
control or suppress the publishing or accessing of information. The legal issues
are similar to offline censorship and filtering. The same arguments that apply to
offline censorship and filtering apply to online censorship and filtering; whether
people are better off with free access to information or should be protected from
what is considered by a governing body as harmful, indecent or illicit. The fear of
access by minors drives much of the concern, and many online advocacy groups
have sprung up to raise awareness of, and to control, the accessibility of the
internet to minors.

3.1.8 Freedom of information

Freedom of information, that is the freedom of speech as well as the freedom to
seek, obtain and impart information, brings up the question of who, or what, has
jurisdiction in cyberspace. The right of freedom of information is commonly
subject to limitations dependent upon the country, society and culture concerned.
It is difficult to bring one law applicable to the entire globe, and laws specific
to each country in this regard would be difficult to practice.

3.1.9 Criminalization of cyberspace & current trends in cyber crimes

Crimes in cyberspace have taken different forms. They range from economic
offenses (fraud, theft, industrial espionage, sabotage and extortion, product
piracy, etc.) to infringements on privacy and the propagation of illegal and
harmful content. Matters take a serious turn when cyberspace is used for
terrorism encompassing attacks against human life and against national security
establishments, critical infrastructure, and other vital veins of society.

In the following paragraphs, the forms of these crimes are highlighted in greater
detail.

• Hacking: Taking unauthorized control of the server and, through it, gaining
access to the data and the application programs.
• Viruses and other malicious programs: Spreading viruses and
worms in the system through emails or files, and thereby damaging the
system, data and files, is a destructive form of cyber crime. A Trojan
horse, which looks like a regular program, may copy user IDs and
passwords, erase files or spread viruses.
• Fraud and theft: Different types of fraud are committed over computer
networks, to the extent that they have become almost impossible to police
effectively. In computer chat-rooms, on message boards, through unsolicited
e-mail, and on web sites themselves, fraudsters lose no opportunity to trick
and deceive others for the purpose of financial gain. Using computers, thieves
can steal credit card details and siphon funds from banks.
• Gambling and other offenses against morality: The Internet is also
being used to distribute drugs, tobacco and liquor, again regardless of
jurisdictional prohibitions.
• Cyber terrorism: A cyber terrorist might hack into computer systems
and disrupt domestic banking, the stock exchanges and international
financial transactions, leading to a loss of confidence in an economy. Or
he/she might break into an air traffic control system and manipulate it,
causing planes to crash or collide. A terrorist could hack into a
pharmaceutical company's computers, changing the formula of some
essential medication and causing thousands to die.

3.1.10 Definition of cybercrime

When the Internet was developed, its founding fathers hardly had any
inkling that it could also be misused for criminal activities.
Today, there are many disturbing things happening in cyberspace. Cybercrime
refers to all the activities done with criminal intent in cyberspace. These could be
either criminal activities in the conventional sense or activities
newly evolved with the growth of the new medium. Because of the anonymous
nature of the Internet, it is possible to engage in a variety of criminal
activities with impunity. Intelligent people have been grossly misusing
this aspect of the Internet to perpetrate criminal activities in cyberspace. The
field of cybercrime is just emerging, and new forms of criminal activity in
cyberspace are coming to the forefront with each passing day.

The terms "cyber crime," "computer crime", "Information Technology crime,"
and "high-tech crime" are often used interchangeably to refer to two major
categories of offenses. In the first, the computer is the target of the offense;
attacks on network confidentiality, integrity and/or availability (i.e.
unauthorized access to and illicit tampering with systems, programs or data) all
fall into this category. The other category consists of traditional offenses, such
as theft, fraud, and forgery, that are committed with the assistance of or by
means of computers, computer networks and related information and
communications technology.

3.1.11 Conventional crime v/s cyber crime

Conventional crime is restricted to robbery, murder, rape, etc. Such crimes are
local in nature. Detecting them and taking punitive action against the culprits
is not a challenging task. Local law enforcement dealt effectively with this type
of crime because its parochial character meant investigations were limited in
scope and because the incidence of crime stood in relatively modest proportion to
the size of the local populace.

Computers and the Internet have created phenomenal possibilities for addressing
a variety of human problems, but these technologies also have a dark side.

What differentiates the criminal threats posed by the Internet is that it is based
on a vastly more complex technology. It spans the globe and moves information
and potential criminal activity with a speed and efficiency unknown in human
history. Not only does this give the police less time to react to any potential
criminal threat, but it raises issues of jurisdiction, privacy, and anonymity.

Some cybercrimes such as stalking tend to be small-scale, single-offender/
single-victim crimes. Although our experience with cybercrime is still in its
infancy, large-scale offenses targeting multiple, geographically dispersed
victims have already been committed. The February 2000 denial-of-service attacks
that targeted eBay, Yahoo and CNN, among others, are just one notorious
example. These attacks effectively shut down web sites for hours and were
estimated to have caused $1.2 billion in damage.

While some cyber crime consists of using computer technology to commit
traditional crimes such as fraud and theft, it also manifests itself as new varieties
of anti-social activity that cannot be prosecuted using traditional offense
categories. The dissemination of the "Love Bug" virus illustrates this: the
suspected author of the virus could not be prosecuted under the repertoire of
offenses defined by the Philippines penal code because none of them
encompassed the distribution of a computer virus, even one which destroyed
property (e.g., computer files) and stole passwords.

3.1.12 Threats to information security in banks in India

Internet Banking

Since most banks offer internet banking to their customers, they will come
under cyber attack. Hackers continuously try to get access to the data and
systems and use customer information to their advantage.

ATM

There is a likelihood of identity theft. Fraudsters use technology installed
on ATMs to steal information from customers, which they then exploit to access
the customers' accounts and take their money.

Mobile

The increased adoption of mobile devices, and insistence by employees on being
allowed to use them in the workplace, will see increased threats not only to
individuals but to their employers as well.

Any Where Banking

Since customers are allowed to access their accounts from anywhere, a customer
can draw funds from any branch of a bank. The chances of forged signatures and
misuse of accounts cannot be ruled out. Fraudsters can deposit a cheque in one
branch and withdraw the amount from different branches.

Payment systems

Payment systems are evolving in India. Electronic payments are replacing
cheques and cash payments. Flat files are received from the clearing house, and
these are likely to be tampered with before being taken up for processing.

Data security

The data is available to branches in the form of reports giving information about
balances in accounts of customers. It has been seen that the text files so received
are passed on to external agencies for nominal gains through email thus
compromising on the secrecy of customer information.

Outsourcing agencies

Many outsourcing agencies are involved in the opening of accounts, printing of
personalized cheque books, printing of statements of account and delivering them
to customers through couriers. These outsourced jobs have opened up new areas of
threats in banks.

3.1.13 RBI Guidelines

The executive summary of the RBI guidelines on information security is as
follows:

• The Board of Directors/Managements of the banks and the financial
organizations are responsible for putting in place effective security
controls for protecting information assets, as the confidentiality, integrity,
authenticity and timely availability of such information is of paramount
importance to business operations. It is, therefore, critical for such
organizations to protect the information and information systems from
unauthorized disclosure, modification, replication, destruction and access.
Built-in safeguards and controls should be put in place to save information
and the information systems from the unauthorized persons, hackers etc.
• The business operations in the banking and the financial sector would be
increasingly dependent on computerized information systems in future. It
has now become impossible to separate technology from the business of
the banks/financial organizations. The growing use of the personal
computers and their networking in the financial sector has necessitated
their integration in a Local Area or Wide Area Network environment. In
many organizations, most of the work is still done on the standalone
personal computers and those integrated with intra-city networks
including LANs rather than on large mainframe systems. The security controls
for these computer systems and networks are not as developed as the
security controls available for the mainframe systems. On account of the
phenomenal growth in the use of IT and IT based applications by these
organizations in their day-to-day operations, the need for putting in place
the security controls for all the information systems has grown
tremendously. The information systems security has, therefore, assumed
great importance for the commercial success of an organization, as the
survival of the organization depends on the speed, accuracy and reliability
of the flow of information within the organization vis-à-vis its customers.
• The security controls are required to minimize the vulnerability to
unauthorized use of the information and the information systems.
However, such controls may have to be consistent with the degree of
exposure of such systems and the information and the impact of loss to the
organization on account of unauthorized access and misuse, including
accidental misuse, of such systems and information. The unauthorized use,
including accidental misuse, of the information may result in financial loss,
competitive disadvantage, damaged reputation, improper disclosure, law
suits and non-compliance with the regulatory provisions etc. Structured,
well defined and documented security policies, standards and guidelines
lay the foundation for good information systems security and are the need
of the hour.
• No threat becomes obsolete. Further, new threats surface from time to
time. The financial sector has witnessed rapid changes in the volume and
the value of transactions and the introduction of the most modern and
secured methods for the delivery of services to the customers. Still better
information systems are being introduced at frequent intervals. Further,
the banking and the financial sector is now poised to countenance various
developments such as Internet banking, e-money, e-cheque, E-commerce
etc., which have been made possible by the revolutionary researches and
discoveries in Information Technology and its applications and the future
promises to remain challenging. Constant developments of far reaching
implications dictate constant vigilance and necessitate a sound information
systems security programme. Constant vigilance and the extensive and
proper implementation of the information systems security programme in
an organisation are the minimum requirements for the organisation’s
competitiveness and continued contribution to economic growth.

3.1.14 Let us sum up

Cyberspace describes the virtual world of computers. With the advent of the
Internet, cyberspace extends to the global network of computers. Cyberspace is a
domain characterized by the usage of electronics to store, modify, and exchange
data. In short, cyberspace can be thought of as the interconnection of human
beings through computers and telecommunications. As of now, there is no common
code of conduct to be followed across the globe in cyberspace. Cyber terrorism,
gambling, moral offences, fraud and theft of data, hacking, viruses and malicious
code are forms of cyber crime. As more banking services are offered
online, there are various threats to information security in banks
operating in India and elsewhere. These threats may emanate from the channels
through which banking services are offered to customers, such as Internet
Banking, ATMs, Anywhere banking and Payment Gateways, and from loopholes in data
security through outsourcing agencies.

3.1.15 Key Words

Cyberspace, Ethics, Piracy, Security, Accuracy, Hacking, Frauds, ATM, Mobile,
RBI guidelines

3.1.16 Know your progress questions

1. Which one of the following is not a cyber crime?

a. Hacking
b. Sending unsolicited mails such as spam
c. Spreading viruses
d. Breaking open a locker

2. In case of hacking usually crime is committed by:

a. Taking unauthorized access to the server or node
b. By sending mails to RBI
c. By logging into the system using the administrator password
d. By sending a virus through mail

3. Virus can cause

a. Loss of data by erasing the data
b. Run unsolicited programs repeatedly
c. Delete the program files
d. All of the above

4. In case internet Banking fraud is committed by gaining unauthorized
access through

a. Intercepting the password entered by the user
b. Capturing the mobile No of the user
c. Sending mails to the accountholder
d. None of the above

5. Which one of the following Acts deals with Cyber crimes?

a. Negotiable Instruments Act
b. Banking regulation Act
c. Companies Act
d. Information Security Act

Key to questions

1.d 2.a 3.d 4.a 5.d

3.1.17 Terminal questions

• What are the ethics to be adhered to in cyberspace?
• What are the threats to information security in Banks in India?
• What are the guidelines of RBI on information security?

3.2 Lesson No. 2 Types of cyber crimes

3.2.1 Objectives
3.2.2 Types of Cyber Crimes
3.2.3 Categorization of Cyber Crimes
3.2.3.1 Unauthorized Access to Financial Data
3.2.3.2 Piracy
3.2.3.3 Hacking
3.2.3.4 Cyber Terrorism
3.2.4 Cyber War
3.2.5 Let us sum up
3.2.6 Keywords
3.2.7 Check your progress-questions
Key to check your progress
3.2.8 Terminal questions

3.2.1 Objectives

The objectives of this lesson are to understand the details of cyber crimes like

• Criminal intentions, Classification of Cyber Crime
• Crime against individuals, Crime against Institutions, Crime against State
• Various types of Cyber Crimes
• Cyber war, Cyber terrorism

3.2.2 Types of cyber crimes

Cyber crimes are committed by individuals with different ulterior motives and/or
intentions. The intended target is not necessarily restricted to individuals.
A crime is directed against individuals when the intention is to defraud another
for illegal financial gain. But cyber crimes are targeted against society or
an organization when the criminals have a terrorist motive or a motive of revenge.

Cyber crime can be classified into 4 major categories:

Cyber crime against individual

Email spoofing: A spoofed email is one in which the e-mail header is forged so
that the mail appears to have originated from an authenticated source but has
actually been sent from an unknown source.
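A receiving mail system can look for the inconsistencies that a forged header leaves behind. The following is an added example, not part of the original course text: it checks constructed messages with Python's standard email module, and the sample addresses, the exact-domain comparison and the choice of indicators are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); all domains are placeholders.
SPOOFED = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "Authentication-Results: mx.customer.example; spf=pass "
    "smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail "
    "header.from=bank.example\n"
    'From: "Your Bank" <alerts@bank.example>\n'
    "Reply-To: helpdesk@bank-support.example.org\n"
    "To: customer@customer.example\n"
    "Subject: Account verification\n"
    "\n"
    "Please verify your account.\n"
)

GENUINE = (
    "Return-Path: <alerts@bank.example>\n"
    "Authentication-Results: mx.customer.example; spf=pass "
    "smtp.mailfrom=bank.example; dkim=pass; dmarc=pass "
    "header.from=bank.example\n"
    'From: "Your Bank" <alerts@bank.example>\n'
    "To: customer@customer.example\n"
    "Subject: Monthly statement\n"
    "\n"
    "Your statement is ready.\n"
)


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts recorded in Authentication-Results.

    Only a header added by the recipient's own mail server is trustworthy;
    this example assumes that is the case for the sample messages.
    """
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", value.lower()):
            verdicts[method] = result
    return verdicts


def spoofing_indicators(raw_message):
    """Return a list of reasons to treat the visible sender as suspect."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    # The address shown to the user differs from the one that really sent it.
    if envelope_dom and envelope_dom != from_dom:
        findings.append("envelope-mismatch")
    # Replies would go somewhere other than the claimed sender.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) in ("fail", "softfail"):
            findings.append(method + "-" + verdicts[method])
    return findings


if __name__ == "__main__":
    print("spoofed:", spoofing_indicators(SPOOFED))
    print("genuine:", spoofing_indicators(GENUINE))
```

These are indicators rather than proof: legitimate bulk-mail services also use a different envelope sender, so the checks are best combined with the receiving server's own authentication verdict.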

Spamming: Spamming means sending multiple copies of unsolicited mails or
mass e-mails such as chain letters. Dubious advertisements are sent through
these mails. To avoid such emails, anti-spam rules should be defined in the
mailing system.

Cyber defamation: This occurs when defamation takes place with the help of
computers and/or the Internet. E.g. someone publishes defamatory matter about
someone on a website or sends e-mails containing defamatory information. In
India the debate is on to have restrictions in this regard.

Harassment & cyber stalking: Cyber stalking means following an individual's
activity over the internet. It can be done with the help of many available
tools, such as e-mail, chat rooms, and Usenet groups.

Cyber crime against property

Credit card fraud: Using the stolen card for purchases in shops or for settling
E-commerce transactions.

Intellectual property crimes: These include software piracy, illegal copying
of programs, distribution of copies of software, copyright infringement,
trademark violations and theft of computer source code.

Internet time theft: The usage of Internet hours by an unauthorized
person, which are actually paid for by another person. This happens where
wireless connectivity is taken and no password is set, so that any other person
within range can access the internet.

Cyber crime against organization

Unauthorized accessing of computer: Accessing the computer/network
without permission from the owner.

Changing/deleting data: Unauthorized changing of data. Adding a user to
the data.

Computer voyeur: The criminal reads or copies confidential or proprietary
information, but the data is neither deleted nor changed.

Denial of service: An Internet server is flooded with continuous bogus
requests so as to deny legitimate users the use of the server or to crash the
server. This generally happens when an organization launches an innovative
scheme or product.

Computer contamination/virus attack: A computer virus is a computer
program that can infect other computer programs by modifying them in such a
way as to include a (possibly evolved) copy of itself. Viruses can infect files
or affect the boot sector of the computer. Worms, unlike viruses, do not need a
host to attach themselves to.

Email bombing: Sending large numbers of mails to an individual, company
or mail server, ultimately resulting in a crash.

Salami attack: Negligible amounts are removed and accumulated into
something larger. These attacks are used for the commission of financial crimes.

Logic bomb: An event-dependent programme. As soon as the designated
event occurs, it crashes the computer, releases a virus or triggers some other
harmful action.

Trojan horse: An unauthorized program which functions from inside what
seems to be an authorized program, thereby concealing what it is actually doing.

Data diddling: This kind of attack involves altering raw data just before it is
processed by a computer and then changing it back after the processing is
completed. Banks have to be careful in case of processing of inward clearing or
ECS data.

Cyber crime against society

Forgery: Currency notes, revenue stamps, mark sheets etc. can be forged using
computers and high quality scanners and printers.

Cyber terrorism: Use of computer resources to intimidate or coerce others.

Web jacking: Hackers gain access to and control over the website of another;
they may even change the content of the website to fulfil a political objective
or for money.

3.2.3 Categorization of cyber crimes

Cyber-crime ('computer crime') is an offence committed by means of
electronic operations that targets the security of computer systems and the data
processed by them. The United Nations has categorized five offenses as
cyber-crime:

• Unauthorized access,
• Damage to computer data or programs,
• Sabotage to hinder the functioning of a computer system or network,
• Unauthorized interception of data to, from and within a system or
network,
• Computer espionage.

These offenses can be grouped into the following four categories:

3.2.3.1 Unauthorized access for illegal financial gains

Portals providing access for performing E-commerce transactions, or sites
providing access to bank accounts over the internet, should be extra careful to
instill confidence about the security of information processed by computer
networks. Hence these websites commit to 128-bit encryption for the transmission
of information, which is currently the permitted level of encryption in India.
Companies' ability to participate in E-commerce depends heavily on their ability
to minimize e-risk.

Risks in the world of online electronic transactions include viruses, cyber
attacks (or distributed denial of service (DDoS) attacks) such as those which were
able to bring Yahoo, eBay and other websites to a halt in February 2000, and
e-forgery.

3.2.3.2 Piracy

The software industry plays a leading role in creating products that have vastly
improved our lives and work environment. Unfortunately, software theft, or
piracy, has had a negative impact on the global marketplace and the ability to
create new products. Legal and cultural frameworks to protect creative works
online, including computer software, must be identified and built to encourage
creativity and growth.

3.2.3.3 Hacking

Modern-day graffiti has moved beyond scribbles on monuments and subway cars
and now takes the form of defacing websites. This may be done for personal
notoriety, the challenge, or a political message just as with traditional defacement
of property, but this new form of exploit is a matter of serious concern. In
addition to the obvious economic threats of hacking there is also real physical
danger which can be caused by hacking into computer networks.

3.2.3.4 Cyber-terrorism

Cyber-terrorism is distinguished from other acts of commercial crime or
incidents of hacking by its severity. Attacks against computer networks or the
information stored therein which result in "violence against persons or property,
or at least cause enough harm to generate fear" are to be considered
cyber-terrorism attacks.

3.2.3.5 Cyber War

It is the calculated use of violence (or the threat of violence) against civilians in
order to attain goals that are political or religious or ideological in nature; this is
done through intimidation or coercion or instilling fear.

Nations have been using computers for warfare since computers existed. The
development of the modern computer was in no small part accelerated by World
War II. America's ENIAC computer calculated artillery trajectories, while
Britain's Colossus computer decoded the Nazis' encrypted messages. At that time,
however, computers were not household appliances. Like cannons and other
weapons of war, they were tools of the state and inaccessible to regular folks.

3.2.4 Let us sum up

Cyber crimes are committed by fraudsters with ulterior motives and/or
intentions. They can be classified into four major categories: crimes against
individuals, property, organizations and society. The United Nations has
classified cyber crimes into five areas: unauthorized access, damage to computer
data and programs, sabotage of systems and computer networks, unauthorized
interception of data, and computer espionage. Cyber war is calculated violence
against civilians to attain goals of a political, religious or ideological nature.
This is done by intimidation, coercion or instilling fear by an opponent country.

3.2.5 Key Words

Spoofing, spamming, stalking, Piracy, Hacking, Cyber-Terrorism, Cyber-war

3.2.6 Know your progress questions

1. Cyber crime is not committed against

a. Individuals
b. Property
c. Society
d. Mechanical devices in a factory

2. Which one of the following is not a cyber crime against property?

a. Credit card fraud
b. Intellectual Property
c. Stealing internet time
d. Hacking

3. Which one of the cyber crimes is committed against individual?

a. Email spoofing
b. Spamming
c. Cyber Defamation
d. All of the above

4. In Cyber war, the flame virus was used against

a. India
b. Pakistan
c. Iraq
d. Iran

5. In case of Denial of Service Attack (DoS)

a. Attacked Website becomes inaccessible
b. Access to Servers in the data centres is denied
c. Password used for accessing internet banking gets corrupted
d. Cash from ATM machine cannot be withdrawn

Key to questions

1.d 2.d 3.d 4.d 5.a

3.2.7 Terminal questions

• Which are the elements against which cyber crimes are committed?
• How have cyber war and cyber terrorism taken an ugly turn as far as the usage
of technology is concerned?

3.3 Lesson No. 3 Cyber-crime in banks

3.3.1 Objectives
3.3.2 Cyber Crimes in Banks
3.3.2.1 Data Related Crimes
3.3.2.2 Software Related Crimes
3.3.2.3 Physical Crimes
3.3.3 Sabotage
3.3.4 Malwares
3.3.5 Online Crimes
3.3.5.1 Computer Virus
3.3.5.2 Safe Computing Practices
3.3.5.3 Worms
3.3.5.4 Trojan Horse
3.3.6 Software Bombs
3.3.7 Spoofing
3.3.8 Spamming
3.3.9 Let us sum up
3.3.10 Key words
3.3.11 Check your progress-questions
Key to Check your progress
3.3.12 Terminal questions

3.3.1 Objectives

The objectives of this lesson are to understand technology led

• Physical crimes, online crimes
• Viruses, worms, Trojan horses, malware
• Software bombs, phishing, spoofing

3.3.2 Cyber Crimes in banks

Banks are the obvious targets of those who are committing cyber crimes or
computer crimes because of the following three factors:

• Banks hold key information about the deposits and loans of customers in
electronic form;
• Banks have automated their operations by implementing enterprise-wide
applications such as the core banking solution;
• Banks have enabled customers to access their bank accounts through
different delivery channels such as ATMs, Internet and mobile, besides
transactions from any branch of a bank.

Computer crimes are committed in different ways in banks.

3.3.2.1 Data related crimes

Data in a Bank represents information about bank balances of the customers.
Computer crimes are committed by manipulating the data. Following are the
different ways in which data is manipulated:

False data entry: In banks, a common type of fraud of this kind is committed by
modifying the flat files which are uploaded into the system. The flat files
represent the salary of account holders remitted by their employer. In the file,
without altering the total amount to be debited to the employer's account, the
salary of one employee is reduced and is compensated for by increasing the salary
of another employee or by adding the name of a person who is not an employee.
Information in flat file format is also received in the case of inward clearing,
ECS (Cr & Dr), charges etc. It is therefore essential to ensure that these files
are encrypted by the sender and decrypted by the Core Banking Solution.
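
The check below is an added example, not part of the course material; the file layout, the key and the function names are assumptions. It shows that a control-total check passes both manipulations described above, while a keyed authentication tag (HMAC-SHA256, used here as the integrity control that accompanies the encryption the text calls for) rejects them.

```python
import hashlib
import hmac

# Constructed demo key. In practice the key is agreed between the employer
# (sender) and the bank, and is never stored alongside the file.
SHARED_KEY = b"constructed-demo-key"

# Constructed sample upload: account|name|amount in paise, then a trailer
# carrying the record count and the total to be debited to the employer.
ORIGINAL = (
    "1001|A KUMAR|4500000\n"
    "1002|B SINGH|3800000\n"
    "1003|C DEVI|5200000\n"
    "TOTAL|3|13500000\n"
)

# Manipulation 1: one salary reduced, another increased by the same amount.
TAMPERED_SHIFT = (
    "1001|A KUMAR|4500000\n"
    "1002|B SINGH|3300000\n"
    "1003|C DEVI|5700000\n"
    "TOTAL|3|13500000\n"
)

# Manipulation 2: one salary reduced and a non-employee added (count edited too).
TAMPERED_GHOST = (
    "1001|A KUMAR|4500000\n"
    "1002|B SINGH|3300000\n"
    "1003|C DEVI|5200000\n"
    "1004|X OTHER|500000\n"
    "TOTAL|4|13500000\n"
)


def parse_file(text):
    """Return (records, declared_count, declared_total); ValueError if malformed."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[-1].startswith("TOTAL|"):
        raise ValueError("missing TOTAL trailer")
    _, count, total = lines[-1].split("|")
    records = []
    for ln in lines[:-1]:
        account, name, amount = ln.split("|")
        records.append((account, name, int(amount)))
    return records, int(count), int(total)


def control_total_ok(text):
    """The classic batch control: record count and sum must match the trailer."""
    records, count, total = parse_file(text)
    return len(records) == count and sum(r[2] for r in records) == total


def sign_file(text, key=SHARED_KEY):
    """Sender side: authentication tag over the exact bytes of the file."""
    return hmac.new(key, text.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_file(text, tag, key=SHARED_KEY):
    """Receiver side: constant-time comparison of the recomputed tag."""
    return hmac.compare_digest(sign_file(text, key), tag)


def accept_upload(text, tag, key=SHARED_KEY):
    """Upload decision: authenticate the file first, then run the control totals."""
    if not verify_file(text, tag, key):
        return "REJECT: authentication tag mismatch"
    try:
        if not control_total_ok(text):
            return "REJECT: control total mismatch"
    except ValueError as exc:
        return f"REJECT: malformed file ({exc})"
    return "ACCEPT"


if __name__ == "__main__":
    tag = sign_file(ORIGINAL)  # computed by the employer before sending
    for label, body in (("original", ORIGINAL),
                        ("salary shifted", TAMPERED_SHIFT),
                        ("payee added", TAMPERED_GHOST)):
        print(f"{label:15} totals_ok={control_total_ok(body)} "
              f"decision={accept_upload(body, tag)}")
```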

Eavesdropping and data spying: In this case, a customer is withdrawing cash from
an ATM and someone standing next to him is watching the password being keyed in.
The knowledge of the password can be misused. Even in banks, there is a
possibility of an employee's password being seen by another employee while
he/she is typing it, and then misused.

Scavenging: This type of crime is common in case of ATMs. In ATM rooms, a
customer negligently leaves behind the balance slip or transaction slip, which
gives information about the account number or the balance in the account that
can be used by a fraudster.

Data leakage: This occurs when reports of the balances in accounts are passed on
to third parties for illegal consideration, either through email or by copying
them onto a CD.

3.3.2.2 Software related crimes

These crimes are committed by sending viruses through emails, hacking a
network or misusing the super zap utility. The Trojan horse method allows an
illegal operation to be performed along with the regular program. Software piracy
is also a software related crime.

3.3.2.3 Physical crimes

Burglary of computers or computer components: These crimes are committed
when a system is stolen from an office or home. At times costly parts such as
memory chips or hard discs are stolen and sold in the market at throwaway prices.
Stealing of software license certificates is also classified under this category.

It is reported that masked gunmen broke into a Scottish manufacturing plant at
Seattle, tied up its employees and stole an estimated $16 million worth of
Microsoft Corporation software and authentication certificates. They took away 2
lakh certificates of authenticity, 1 lakh CD-ROMs, computers and other
equipment.

Robbers stole a cash-laden Automated Teller Machine (ATM) from an SBI ATM
booth in Maninagar in the wee hours of Tuesday. The heist has made the robbers
richer by Rs. 21 lakh, not to forget an ATM worth Rs. 2.80 lakh which was also
stolen.

Unknown persons stole a computer system from an urban health centre at
Mapusa on Wednesday night. The medical officer at the centre complained to the
Mapusa police that unknown persons effected entry into the premises by
breaking open the lock and latch of the main door of the health centre, and
decamped with a computer system which was installed in the premises. Sources
also informed TOI that the system was loaded with useful data of the health
centre.

3.3.3 Sabotage

Acts of terrorism with different motives such as destruction of data or destruction
of the telecommunication system are considered sabotage. The powerful Flame
computer virus is not only capable of espionage but it can also sabotage computer
systems.

On a smaller, but no less disturbing scale, a Forbes Inc. computer technician
deliberately caused five of the publisher's eight network servers to crash as
retribution for his/her termination from a temporary position. All the
information on the affected servers was erased, and no data could be restored. As
a result of this one act of sabotage, Forbes was forced to shut down its New York
operations for two days and sustained losses in excess of $100,000.

Lockheed Martin's e-mail system crashed for six hours after an employee sent
60,000 co-workers a personal e-mail message with a request for an electronic
receipt. The defense contractor, which posts 40 million e-mails a month, was
forced to fly in a Microsoft rescue squad to repair the damage caused by one
employee.

Research found that the majority of the insiders who committed acts of sabotage
were former employees who had held technical positions with the targeted
organizations.

3.3.4 Malwares

Malicious software, also called malware, refers to software programs designed to
damage or do other unwanted actions on a computer system. In Spanish, "mal" is
a prefix that means "bad," making the term "badware," which is a good way to
remember it. Common examples of malware include viruses, worms, Trojan
horses, and spyware. You can install anti-virus and anti-spyware utilities
on your computer that will seek and destroy the malicious programs they find on
your computer.

3.3.5 Online crimes

Different computer crimes are committed online through internet. They are
grouped into the following categories:

Phishing: Phishing is the practice of fraudsters setting up bogus Web sites
which look like those of legitimate organizations in an attempt to trick unwary
consumers into giving up their credit card numbers. Phishing typically involves
sending out e-mails with spoofed addresses that seem to come from respected
merchants or banks. Online auctioneer eBay, its person-to-person payments
subsidiary PayPal, electronic retailer Best Buy, and private banks are among the
most common commercial victims. The e-mail subject headers warn the recipient
of a problem with their account or, in the case of Microsoft, the need to install
still another patch. The e-mail contains either a form to fill out with personal
information, or a link to the fraudsters' website.

Hacking: Hacking can take several forms:

Accessing - entering a network which is intended to be private

Defacing – changing the content of another person’s Web site

Hijacking – redirecting elsewhere anyone trying to access a particular Web site

Bombing – overwhelming a site with countless messages to slow down or even
crash the server

Denial of service – running a program which sends thousands of requests to a
site simultaneously, frequently from more than one source, so that the relevant
server slows down considerably or preferably (from the point of view of the
hacker) crashes.

Company computer systems are usually more difficult to hack because they
employ protective arrangements such as firewalls. The most serious threats faced
by organizations are from insiders or former employees who have privileged
information such as passwords.

One of the most serious hacking incidents of recent times occurred in February
2000 when distributed ‘denial of service’ attacks brought down the sites of
Yahoo!, CNN, eBay, Buy.com, Amazon, E*Trade, Datek & ZDNet. Subsequently,
the culprit was found to be a Canadian teenager living in Montreal who was only
15 at the time. He hacked into 75 computers in 52 different networks which he
then used to attack 11 Internet sites. Mafiaboy - as he was dubbed - was
eventually sentenced to an eight-month sentence in a Canadian detention centre.

While much hacking is done for so-called 'fun', other forms of hacking are done
for more mercenary reasons, especially obtaining and sale of credit card details.
Where on-line trading is concerned, it is not the connection which is particularly
insecure but the database which can be hacked into by those with specialist
knowledge and criminal intent.

3.3.5.1 Computer virus

A computer virus is created when a programmer creates computer code that has
the capability to replicate itself, hide, and watch for a certain event to occur,
and/or deliver a destructive payload on a disk or in a computer program. Viruses
can attach themselves to just about any type of file and are spread as infected
files which are used by other computers. Some viruses are relatively harmless,
while others are very devastating. They can destroy files, software, program
applications, and cause the loss of data.

New computer viruses are constantly being created by malicious programmers.
Because of this, it is vital to keep anti-virus software on computers up-to-date.
Some anti-virus software programs allow users to set them to silently check for
updates whenever users are connected to the Internet. Others remind users to
periodically check for updates.

Infection to various components of computer due to Viruses:

Viruses can enter computers in many ways. Once a virus has entered a system, it
will generally hide until it is unknowingly run by the user. A virus will not act
until it has been run or some pre-established condition has been met, such as a
specific date. The effects of a virus may not be noticed for some time after it has
infected a computer.

Viruses can infect several components of a computer's operating and file system
including:

 System Sectors/Boot Records - Viruses can infect the parts of the system
that are used to run programs and perform functions such as start up and
shut down.
 Files - Viruses can infect program files. These viruses stick to program files
such as .com, .exe, .sys, etc. Some viruses hide in the memory of a
computer at first, while others simply attack a specific software program,
such as Microsoft Word.
 Companion Files - Viruses can create companion files, a special type of
file that is added to a hard disk.
 Macros - Viruses can infect macro or data files.
 Disk Clusters - Viruses can infect files through the disk directory.
 Batch Files - Viruses can use batch files to infect a computer.
 Source Code - Viruses can be in additional code that is added to actual
program source code.
How do Computer viruses enter the system?

There are several ways a computer virus enters the system:

 From Floppy Disks/Pendrives - While copying any file from a floppy
disk/pendrive, a virus can enter the system.
 From the Internet - Viruses can be attached to various types of Internet
files, such as graphics and program files that people download from the
Internet. Just browsing the Internet does not put your computer at risk.
However, if you download and install a file which contains a virus, it
would infect the computer.
 From E-Mail - Viruses often travel via e-mail attachments. E-mail
messages by themselves do not carry viruses. Only .exe, .com or other
types of executable files can carry a virus.
 From a Computer Network - Computer Networks are groups of computers
linked together by a large computer called a server. The server and these
computers constantly share information. If one file that is used by several
network users becomes infected with a virus, the virus will quickly spread
to the other users.
Symptoms of a computer virus

The following are some possible indications that a computer has been infected by
a virus. These problems can also be caused by non-virus problems, but they are
the most reported symptoms of a computer virus infection.

 Computer programs take longer to load than normal.
 The computer's hard drive constantly runs out of free space.
 The floppy disk drive or hard drive runs when you are not using it.
 New files keep appearing on the system and you don't know where they
came from.
 Strange sounds or beeping noises come from the computer or keyboard.
 Strange graphics are displayed on your computer monitor.
 Files have strange names you don't recognize.
 You are unable to access the hard drive when booting from a floppy drive.
 Program sizes keep changing.
 Conventional memory is less than it used to be and you can't explain it.
 Programs act erratically.

3.3.5.2 Safe Computing Practices

There are several things you can do to protect your computer against viruses:

 Anti-Virus Software - If you don't have an anti-virus software program,
invest in one.
 Scan Your Computer on a Regular Basis - Scan your system with anti-virus
software regularly.
 Update Your Anti-Virus Software on a Regular Basis - Keep your anti-virus
software up to date. Do this at least weekly and more often if there are
news reports of a new virus threat.
 Backup - Backup your files on a regular basis. Always maintain copies of
files you can't do without, just in case your computer gets infected and
crashes.
 Turn off E-Mail Preview - Turn off the preview function if your e-mail
software has one.
 Scan Floppy Disks/Pendrives - Scan floppy disks from other computers
with anti-virus software before you use the disk. Simply place the disk in
your floppy drive and run the anti-virus software program. If a virus is
found, most programs will give you several choices about what to do, such
as removing the virus, doing nothing, or deleting the file that contains the
virus.
 Protect Your Floppy Disks/Pendrives - Write-protect any floppy disk you
place into another computer. If the other computer has a boot sector virus,
the write-protect on the disk will prevent it from becoming infected with
the virus.
 Scan Downloaded Files - Scan downloaded Internet files with anti-virus
software before you use or run them.
 Scan All E-Mail Attachments - If you receive an attachment you need to
view, scan it with anti-virus software before you open it.
 Beware of E-Mail Attachments from Unknown Sources - If you receive an
unexpected attachment from an unknown source, delete it. Never open
attachments for files that end in .vbs (Visual Basic Script) or .js
(JavaScript). Viruses often travel in these types of files.

3.3.5.3 Worms

A worm is very similar to a normal computer virus. But a virus which is capable
of replicating itself or creating copies of itself is called a worm. All worms are
designed to cause harm to your computer and spread as quickly as possible.
These worms can easily spread throughout the network or internet. Worms are
able to spread unhindered through a complete network of computers. They can
spread by themselves and this means that they can infect hundreds of computers
very easily. Worms are normally able to spread because of security flaws.

For example, in 2003 a group of people discovered a bug in Windows. If one
computer sent a request thousands of times in a second to another computer, the
second computer was supposed to ignore those requests, but it was accepting
them. Using this bug, a worm was written which would make those thousands of
requests; the vulnerable computer would accept requests such as "install me,"
and the infected computer would go on and do it to the next computer, which
would do it to the next one, over and over and over, causing the worm to cascade
across the world, infecting thousands of computers in minutes.

Microsoft, recognizing the problem, created a software "patch" which sealed the
security hole. A month after the patch was released, someone created and
released the MSBlaster worm. Because millions of Windows users hadn't
installed the patch, their computers got infected, and suddenly they found they
couldn't use their PCs for more than five minutes without the machine restarting.

People who used Macintosh computers and other computers not running
Windows had a natural immunity to this and most other worms and viruses.
There are well over 100,000 known viruses and worms for Windows, and fewer
than 70 (yes, only seventy) for Macintosh, by comparison. In fact, those Mac
viruses only affect very old Macs, and there is just one virus that runs on current
Macintosh computers (ones running OS X) and that virus isn't considered a real
threat because of the built-in security of OS X.

3.3.5.4 Trojan Horse

In computers, a Trojan horse is a program in which malicious or harmful code is
contained inside apparently harmless programming or data in such a way that it
can get control and do its chosen form of damage, such as ruining the file
allocation table on your hard disk.

Trojans can come in any form – video games, antivirus programs, photos – and
are set up to initiate ‘battle’ once you’ve double clicked them. Trojans can’t
replicate themselves automatically; they can only harm your system if you
execute them. Trojan horses are generally spread through e-mail and exchange of
disks and information between computers. Worms could also spread Trojan
horses.

Trojans may cause the following maladies

 Install spyware onto your computer which will take you to unwanted
websites.
 Change your desktop or add silly active desktop icons.
 Do malicious functions like rebooting your computer or erasing files
 Create backdoors to your computer which will allow hackers to gain
control of your system without your permission. The hacker can then see
your e-mails, access password protected accounts, record your keystrokes,
and get any personal information about you from your computer.
3.3.6 Software Bombs

A software bomb consists of a trigger and a payload. The trigger can be set to go off
at a specified time or to react when an event does or doesn't happen. Unlike
viruses or Trojans that work their way in from the outside, software bombs are
planted by someone with access to internal software. Bombs typically are
designed to delete files, though the only real limitations on their malicious
capabilities are tied to their size. Larger bombs are easier to find if a company has
processes to review its software.

Software bombs have confounded IT staffs for decades. One of the first occurred
in 1988 at securities trading firm USPA & IRA in Fort Worth, Texas. Some
168,000 payroll records were deleted from a database six months after the bomb
builder left the company.

Companies can take steps to defuse these explosive situations, which have more to
do with processes than technology. Companies must ensure that they don't have the
same programmers both develop and test the programs they write. In addition to
doing thorough criminal background checks on the IT employees they hire,
companies should set up peer reviews so that more than one programmer can
analyze and become familiar with any piece of code.

3.3.7 Spoofing

In the context of network security, a spoofing attack is a situation in which one
person or program successfully masquerades as another by falsifying data and
thereby gains an illegitimate advantage. Many of the protocols in the TCP/IP
suite do not provide mechanisms for authenticating the source or destination of a
message. They are thus vulnerable to spoofing attacks when extra precautions are
not taken by applications to verify the identity of a sending or receiving host.

Spoofing attacks which take advantage of TCP/IP suite protocols may be
mitigated with the use of firewalls capable of deep packet inspection or by taking
measures to verify the identity of a sender or receiver of a message.

Examples of spoofing:

Email spoofing is an activity in which the sender address and other parts of the
email header are altered to appear as though the email originated from a different
source.
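
The header checks below are an added example, not part of the course material, showing how a mail gateway or analyst can flag the altered headers described above. The three messages, their domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw_message):
    """Return a list of header inconsistencies that commonly accompany spoofing."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()

    # Envelope sender differs from the visible sender. Weak on its own
    # (legitimate bulk mailers do this), useful in combination.
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and rp_dom != from_dom:
        findings.append("return-path-mismatch")

    # Replies would go to a different domain than the one displayed.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")

    # Display name that itself looks like an address at another domain.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if shown and shown.group(1).lower() != from_dom:
        findings.append("display-name-address-mismatch")

    # Verdicts recorded by the receiving server. Only trust this header when
    # it was added by your own mail server; upstream copies can be forged.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail)\b", auth):
            findings.append(f"{mech}-fail")
    return findings


# Constructed sample messages (example domains only).
SPOOFED = "\n".join([
    "Return-Path: <bounce@mailer.invalid>",
    "Authentication-Results: mx.recipient.example; spf=fail "
    "smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=bank.example",
    'From: "Bank Support" <support@bank.example>',
    "Reply-To: helpdesk@mailer.invalid",
    "To: customer@recipient.example",
    "Subject: Problem with your account",
    "",
    "Please confirm your details.",
])

DISPLAY_NAME_TRICK = "\n".join([
    "Return-Path: <alerts@mailer.invalid>",
    "Authentication-Results: mx.recipient.example; spf=pass "
    "smtp.mailfrom=mailer.invalid; dkim=pass header.d=mailer.invalid",
    'From: "support@bank.example" <alerts@mailer.invalid>',
    "To: customer@recipient.example",
    "Subject: Account notice",
    "",
    "Body.",
])

LEGITIMATE = "\n".join([
    "Return-Path: <support@bank.example>",
    "Authentication-Results: mx.recipient.example; spf=pass "
    "smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass",
    'From: "Bank Support" <support@bank.example>',
    "To: customer@recipient.example",
    "Subject: Monthly statement",
    "",
    "Body.",
])

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED),
                       ("display-name trick", DISPLAY_NAME_TRICK),
                       ("legitimate", LEGITIMATE)):
        print(f"{label:20} {spoofing_indicators(raw)}")
```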

Content spoofing is a type of spoofing used by malicious hackers to present a
faked or modified Web site to a user as if it were legitimate. The intention is to
defraud victims (as in phishing) although sometimes the purpose is simply to
misrepresent an organization or an individual. Content spoofing often exploits an
established trust relationship between a computer user and an organization.

3.3.8 Spamming

Spamming is flooding the Internet with many copies of the same message, in an
attempt to force the message on people who would not otherwise choose to
receive it. Most spam is commercial advertising, often for dubious products or
quasi-legal services. Spam costs the sender very little to send; most of the loss
falls on the receiver, due to the damage that occurs at the receiving end.

Email spam targets individual users with direct mail messages. Email spam lists
are often created by scanning Usenet postings, stealing Internet mailing lists, or
searching the Web for addresses. One particular form of email spam is sending
spam to mailing lists (public or private email discussion forums). Because many
mailing lists limit activity to their subscribers, spammers will use automated
tools to subscribe to as many mailing lists as possible, so that they can grab the
lists of addresses, or use the mailing list as a direct target for their attacks.

Denial of Service attacks

A denial of service (DoS) attack is an incident in which a user or organization is
deprived of the services of a resource they would normally expect to have. The
link to Gmail or Rediffmail not getting opened is a type of DoS attack.

Although a DoS attack does not usually result in the theft of information or other
security loss, it can cost the target person or company a great deal of time and
money. A denial of service attack can also destroy programming and files in
affected computer systems. In some cases, DoS attacks have forced Web sites
accessed by millions of people to temporarily cease operation.

Common forms of denial of service attacks are:

Buffer overflow attacks

The most common kind of DoS attack is simply to send more traffic to a network
address than the programmers anticipated. The attacker may be aware that the
target system has a weakness that can be exploited or the attacker may simply try
the attack in case it might work.

Viruses

Computer viruses, which replicate across a network in various ways, can be
viewed as denial-of-service attacks where the victim is not usually specifically
targeted. Depending on the particular virus, the denial of service can be hardly
noticeable.

Physical infrastructure attacks

If someone simply cuts or removes a fiber optic cable, the connectivity would be
lost and the users deprived of services. This kind of attack is usually mitigated by
the fact that traffic can sometimes quickly be rerouted.

Firewalls and Intrusion Prevention Systems are put in place to keep the network
secure. To complement the efforts of these systems, there are tools available in
the market for preventing many forms of DoS attacks.

3.3.9 Let us sum up

Banks are becoming obvious targets for various crimes such as physical crimes
and cyber crimes. When it comes to physical crimes, criminals plan to rob a
branch or steal money from ATMs etc. The cyber crimes include stealing data,
hacking databases and sabotaging data centres. They include Eavesdropping,
Data spying, Data Leakage and Scavenging. Other online crimes include
Phishing, Spoofing etc. Viruses are a great threat to computer systems and
they infect different parts of computers such as Source Code, Files, Macros, Disk
Clusters, Batch Files, System Sectors/Boot Records etc. Viruses enter
computers through Floppy Disks, External drives including Pendrives, Internet,
E-Mails and Computer Networks. Computer viruses can be minimized by
installing Anti-Virus Software and updating it on a regular basis. Viruses can
also be avoided by scanning all files on hard disks and floppy disks, turning off
e-mail previews and scanning all downloaded files and e-mail attachments.

3.3.10 Key Words

VAPT, DoS, ATM, Sabotage, Spoofing, Eavesdropping, Scavenging, Viruses,
Worms, Macros, Internet, E-Mails and Anti-Virus

3.3.11 Know your progress questions

1. DOS means ---------------
2. VAPT means ----------
3. Viruses can be spread through:
a. Floppy Disks
b. the Internet
c. E-Mail & Computer Network
d. All the above
4. Spamming means
a. Flooding the mailbox with innumerable unsolicited messages
b. Sending multiple SMSs
c. Hacking the server of the Data Centre
d. None of the above
5. One can protect your computer from virus by
a. Installing anti-virus software
b. By scanning the computer on a regular basis
c. Updating the anti-virus software on a regular basis
d. All the above

Key to questions

1. Denial of Service
2. Vulnerability and Penetration Testing
3. d
4. a
5. a

3.3.12 Terminal questions

 What are the different types of cyber crimes? Which ones are recognized as
cyber crimes and punishable under the Act?
 How can hacking be avoided?
 What is spamming? How does it affect a mailing system? How can it be
avoided?
 What is the difference between a worm and a virus?
 What are the safe-computing practices?

3.4 Lesson 4 Security and control

3.4.1 Objectives
3.4.2 Introduction
3.4.3 Information Security Measures
3.4.3.1 Operating system security
3.4.3.2 Database Security System
3.4.3.3 Network System Security
3.4.4 Let us sum up
3.4.5 Key words
3.4.6 Check your progress-questions
Key to Check your progress
3.4.7 Terminal questions

3.4.1 Objectives

The objectives of this lesson are to understand

 Need for a security policy
 Details of various aspects of security and procedures and practices.

3.4.2 Introduction

Security and control

In the technology environment, especially in Banks, utmost importance is to be
given to the security of information and information assets. Every Bank needs to
have a security policy in place which should define the scope for the purpose. On
the basis of the policy, necessary procedures and practices have to be defined.

Security Policy

Security policy should highlight following objectives that every organization must
have:

 Information assets and IT assets should be protected against unauthorized
access.
 Information should not be disclosed to unauthorized persons through
deliberate or careless action.
 Information should be protected from unauthorized modification.
 Information should be only available to authorized users when needed.
 Applicable regulatory and legislative requirements should be met.
 Disaster recovery plans for IT assets are developed, maintained and tested
as far as practicable.
 Information security training is imparted to all IT users.
 All breaches of information security are reported and investigated.
 Violations of policies are dealt with through disciplinary action.

The purpose of the information security policy is to prescribe mechanisms that
will assist in identifying, preventing, detecting, and correcting the misuse and
compromise of a Bank’s information and Information Technology
infrastructure.

 Information Security is the responsibility of everyone in a Bank.

 The Information Security Apex committee shall have the responsibility to
establish, review and implement Information Security Management
System (ISMS).
 Chief Information Security Officer (CISO) shall be responsible for
successful implementation of ISMS in the organization.
 Information Security Forum shall review and update the Security Policies,
Processes and Procedures.
 Information Security Task force shall implement and maintain the
controls.
All Department heads will be directly responsible for ensuring compliance of the
policies in their departments.

3.4.3 Information security measures

Security measures as per the security policy should cover following areas:

 Operating system;
 Database system;
 Network system;
3.4.3.1 Operating system security

For this purpose operating system policy should be in place. The objective of the
policy is to

 Ensure security and availability of servers and workstations.
 Ensure that all the applications are running on a secured platform.
 Ensure access to an Operating System is restricted to personnel who need
the information to perform their business functions.

The owner shall:

 Be responsible for implementing the security of the Operating System.
 Document the security procedures specific to each Operating System.
 Seal and keep the installation kit in their custody.

The CTO shall:

 Ensure that on one server / desktop only one Operating System is
installed. In case more than one Operating System is required, then
specific authorization from the Owner shall be obtained.
 Review the security features of the Operating System before installation.
 Identify, document and test the security features of the Operating System
before migrating into production whenever possible.
 Monitor for the latest upgrades available for any Operating System used
within an organization and released by the vendor. These upgrades shall
be tested and audited to evaluate the impact on the security of the
Operating System before migrating into production.
 Implement the security procedures specific to each Operating System.

Operating system access control

The CTO, on behalf of the Owner, shall:

 Restrict operating system commands and utilities to authorized users only.
 Restrict access to commands and utilities, controlled at the Operating
System level, to individuals who require access to carry out their job
functions.
 Disable all services on an Operating System except those required by
application software, database and business users.
 Carry out integrity checking of the Operating System at regular intervals to
ensure against unauthorized modifications.
The Owner shall

 Maintain a list of User / group of Users to be granted access to the
Operating System. Such access shall be granted only to the employees of
the organization and outsourced vendors.
 Grant privileges to the User / group of Users on a “need to know” and
“need to do” basis. A list of privileges granted to each User / group of
Users shall be maintained.
 Create special user account having minimum privileges for executing
Operating System tasks.
Security:

The Project Manager acting as System Administrator, on behalf of an Owner,
shall:

 Carry out vulnerability scanning before migrating the Operating System
into production.
 Carry out integrity checks before migrating the Operating System into
production.
 Prohibit “Trusting” between two or more Operating Systems unless
required by the business process.

3.4.3.2 Database system security

The policy in this regard shall cover the following areas:

 To effectively and efficiently manage database security.
 To protect the database from external and internal threats.
 To ensure high confidentiality, integrity and availability of database
systems.

Scope: The policy applies to:

 All the database systems owned by and used within an organization.
 All database users.

The owner of the database shall:

 Be the owner of the software application.
 Be responsible for confidentiality, integrity and availability of the
Database.
 Document the security procedures specific to each Database.
 Specify the requirements to secure the Operating System on which the
database has been installed.

Default password

The Database Administrator, on behalf of the Owner, shall:

 Change default password of each database installed before migrating into
production.

Database access control

Database Administrator, on behalf of the Owner, shall perform the following:

 Restrict database commands and utilities to database administrators only.
 Be responsible for maintaining a record of essential programs and utilities.
Changes to these programs and utilities shall be as per Change
Management Policy.
 Generate adequate and secure audit trails of access, to ensure
accountability and monitor access violations.
 Control all direct updates to the database to ensure that such updates are
authorized and logged.

User permissions and privileges

The Owner shall

 Maintain a list of database administrators to be granted access to the
database.
 Maintain a list of privileges granted to the database administrators.
 Create users based on Role and Responsibilities with adequate privileges.

3.4.3.3 Network system security

Objective of the policy shall be

 To ensure secure flow of the information through the network, appropriate
controls for confidentiality, integrity and availability of information shall
be implemented.
 To maintain confidentiality, integrity and availability of information
assets.
 To implement effective access controls to prevent unauthorized access.
Scope

The policy shall apply to:

• The information in network assets of the organization;
• Various network components like data cables, hubs, patch panel, switches,
routers, firewall, Intrusion Detection System, network management
system etc.
• All users including Network Administrator, Systems Administrators,
vendors and vendor’s staff, maintenance staff and contractors of network
assets.
Ownership

The CTO shall be the owner of the policy and the network infrastructure and shall
be responsible for the maintenance of the integrity and availability of the network.

Network management

• Internal network shall be segregated from external networks by
appropriate controls like network design, routing controls, Firewall,
Intrusion Detection System etc.
• Appropriate network management and diagnostic tools shall be implemented
to monitor the security and health of the network.
• All network assets and network management tools shall be configured in
accordance with best practices.
Network inventory

• The Owner shall maintain an inventory of all network components and
classify the same as per the Risk Management Policy.
• Up-to-date network diagrams shall be maintained at all times.
• Any change to the network design and components shall be carried out as
per the Information Systems Change Management Policy.
Access control

• All network assets shall be physically protected as per the Physical and
Environmental Policy.
• All network assets shall be logically secured and configured in accordance
with the vendor’s advice and best practices.
• All networks shall be secured from outside networks, Internet and third
party networks.
• Access to network management and diagnostic tools shall be provided to
authorized users only.
• Access, for users, to the network shall be as per the User Management
Policy and the Password Policy.
• Access, for external users, shall be granted only after carrying out a formal
risk assessment and shall be as per the User Management Policy and the
Password Policy.
• Interconnection between an organization and third party network shall be
implemented only after carrying out a formal risk assessment and
authorization.

Communication

• Data passing through the network shall be classified as per the Asset
classification and Handling Policy. Data classified as “Highly Critical” shall
be transmitted through an encrypted channel, wherever appropriate and
proper security measures shall be enforced.
• Dial-out connections from desktops / laptops, while connected to an
organization’s network, shall be prohibited. Any dial out connections, if
required, shall be with the approval of the Owner.
• Remote access to an organization’s network shall be permitted after
authorization from the Owner and adequate security measures shall be
enforced for the same.
• External users shall be permitted to remotely log into an organization’s
network to provide maintenance and support services only after proper
approval from the owner.
Monitoring

• Audit Trail logs shall be generated for all network assets as per the Audit
Trail Policy.
• Appropriate date and time stamping controls shall be implemented to
ensure accuracy and analysis of the network logs.
• All network resources, services, access and their usage shall be monitored
by the Owner.
• All traffic through the gateways shall be monitored for possible misuse and
intrusions.
• Intrusion Detection System (IDS) logs shall be reviewed for malicious
activities.
Change of passwords

Where applicable, all default passwords for access to various network
components shall be changed before moving to the production environment.

Controls over network services

All network services shall be controlled. Only those services which are necessary
for an organization’s business shall be enabled.

Control techniques

1. Change passwords frequently

A password is the key to getting access to any server, database or application.
A password policy should be in place and should address the following areas:

The objective of the policy is to ensure that

• Access to the information assets is restricted to authorized users only.
• The users are identified through unique user IDs to establish
accountability and non-repudiation.
• Good password procedures are enforced through the systems.
• The users are made aware about their responsibilities for selection and
usage of their user IDs and passwords.
The policy shall apply to

• All employees/users, including external support agencies, that operate,
manage, use or access information assets in any form;
• All systems, applications, databases, Network components and other IT
assets.
The policy shall address following issues:

Initial/default passwords

• All initial passwords shall be changed at the time of first login. Wherever
possible, this shall be enforced through the system, otherwise, it shall be
followed by the users procedurally.
• In case of certain critical assets, where the default passwords for certain
login-IDs cannot be changed or the default passwords are deemed
necessary, then in such cases, specific exceptions shall be authorized by
CTO/ CEO.
Password complexity

All passwords used to gain access to the information assets shall be of sufficient
complexity to ensure that they are not easily guessable, and must meet prescribed
characteristics such as the length of the password and its type.

Password change management

• Passwords shall be changed immediately on the change in composition of
the team owning / sharing that password e.g. root password shall be
immediately changed if there is a change in the team of system
administrators.
• Password aging times may be implemented in a manner commensurate
with the criticality and sensitivity of the information asset but shall not
exceed three months.
Non-disclosure of passwords

• Passwords must not be disclosed to other users or individuals.
• Users must not allow other users or individuals to use their password,
including when on vacation.
• Passwords must not be written down, posted, or exposed in an insecure
manner such as on a notepad or posted on the workstation.
Account lockout and reactivation

• Lockout
• Locking of Passwords for unsuccessful login attempts will be applicable to
respective business applications.
• In case of critical logins, exceptions must be documented and approved by
CTO/CEO.
Reset of password

Properly authorized Password Reset Requests shall be submitted to the security
administrator in written format and the same shall be logged.

User responsibility

Users shall not use the “Password Remember” feature of applications.

Access to information assets shall be through authorized user IDs allocated as per
the User Management Policy.

Users shall be responsible for the proper use and protection of their passwords
and access to the Information Assets through their User Ids.

2. Implement external network filtering

For this purpose, necessary firewalls (software and hardware) should be in use.
In the Firewall software, necessary rules should be defined and reviewed
periodically.

3. Review user accounts and access lists

Review user accounts and access lists to systems, applications, network devices
and datacenters.
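
The password rules above (first-login change, aging of at most three months, change on team change, unique user IDs) can be checked mechanically as part of the account review in control technique 3. The following Python sketch is an added example, not part of the course material; the record layout, finding names and sample accounts are constructed for illustration, and "three months" is assumed to mean 90 days.

```python
"""Audit account records against the password rules in the policy text above."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumption: the policy's "three months" is taken as 90 days.
MAX_PASSWORD_AGE_DAYS = 90


@dataclass(frozen=True)
class Account:
    """Hypothetical record layout; a real export will use other field names."""
    user_id: str
    password_set_on: date
    initial_password_changed: bool
    team_changed_on: Optional[date] = None  # last change in the team sharing the password
    exception_approved: bool = False        # default-password exception authorised by CTO/CEO


def audit_account(acct: Account, today: date) -> List[str]:
    """Return the policy violations found for one account record."""
    findings = []
    # Assumption: an authorised exception means the default password stays in
    # place, so the first-login and aging rules are not applied to it.
    if not acct.exception_approved:
        if not acct.initial_password_changed:
            findings.append("INITIAL_PASSWORD_NOT_CHANGED")
        age = (today - acct.password_set_on).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"PASSWORD_AGE_{age}_DAYS")
    # A shared password must be changed when the team that knows it changes.
    if acct.team_changed_on and acct.password_set_on < acct.team_changed_on:
        findings.append("NOT_CHANGED_AFTER_TEAM_CHANGE")
    return findings


def audit(accounts: List[Account], today: date) -> Dict[str, object]:
    """Audit all records; exceptions are listed separately for re-approval."""
    counts = Counter(a.user_id for a in accounts)
    violations: Dict[str, List[str]] = {}
    exceptions: List[str] = []
    for acct in accounts:
        found = audit_account(acct, today)
        # Unique user IDs are what make actions attributable to one person.
        if counts[acct.user_id] > 1:
            found.append("USER_ID_NOT_UNIQUE")
        if acct.exception_approved and acct.user_id not in exceptions:
            exceptions.append(acct.user_id)
        for item in found:
            bucket = violations.setdefault(acct.user_id, [])
            if item not in bucket:
                bucket.append(item)
    return {"violations": violations, "exceptions": exceptions}


# Constructed sample records (not real accounts).
REVIEW_DATE = date(2023, 3, 31)
SAMPLE_ACCOUNTS = [
    Account("teller01", date(2023, 2, 1), True),
    Account("officer07", date(2022, 11, 15), True),
    Account("root", date(2023, 1, 10), True, team_changed_on=date(2023, 2, 20)),
    Account("dbadmin", date(2023, 3, 1), False),
    Account("atm_switch", date(2021, 6, 1), False, exception_approved=True),
    Account("clerk12", date(2023, 3, 10), True),
    Account("clerk12", date(2023, 3, 10), True),
]

if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS, REVIEW_DATE)
    for user_id, items in report["violations"].items():
        print(f"{user_id}: {', '.join(items)}")
    print("Exceptions to re-confirm with CTO/CEO:", report["exceptions"])
```

Accounts that rely on an authorised exception are returned separately so that the reviewer can confirm the CTO/CEO approval is still on record.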

3.4.4 Let us sum up

Since every bank makes substantial use of IT infrastructure, it is imperative to
have a well-defined IT Security Policy in place. The IT Security policy should
cover the procedures for safeguarding information and IT assets. The policy
should also define the owners of data and IT infrastructure in an organization.
The IT Policy should cover the security of Operating systems, Database systems
and Computer Networks of an organization.

3.4.5 Key words

Database, OS, Network, Security, Ownership, CTO, CEO

3.4.6 Key to know your progress

1. An IT security policy of an organization need not cover which one of the
following areas?

a. Operating system
b. Database system
c. Network system
d. Change Management

2. A password policy need not advocate which one of the following?

a. Non-disclosure of passwords
b. Reset of password account
c. Lockout and reactivation
d. Sharing password

3. In case of Network system security policy who should be the owner of the
policy?

a. Chief Technology Officer
b. Network Engineer
c. Data Centre Head
d. Chief Executive officer

4. For managing the users which one of the following control techniques may
be used?

a. Change password frequently
b. Implement External Network Filtering
c. Review User Accounts and Access Lists
d. All the above

5. Database system security policy need not cover which one of the following
areas?

a. To manage database security
b. To prevent database from external and internal threats
c. To ensure high confidentiality, integrity and availability of database systems
d. To carry out maintenances in database periodically

Key to questions

1. d   2. d   3. a   4. d   5. d

3.4.7 Terminal questions

• What are the objectives of an IT security policy?
• What are the key areas that should be addressed in the password
management policy?
• What are the areas that should be covered in a Database management
policy?

3.5 Lesson No. 5: IT Laws and Global Initiatives

3.5.1 Objectives
3.5.2 Introduction: The Information Technology Act, 2000 and amendments in 2008
3.5.3 Implications of IT Act 2000 and The Payment and Settlement System Act 2007
3.5.4 Impact on Other Acts
3.5.5 Initiatives to Prevent Cyber Crime
3.5.6 International Cooperation
3.5.7 International Organizations Battling Cyber Crime
3.5.8 Let us sum up
3.5.9 Key words
3.5.10 Check your progress-questions
Key to check your progress
3.5.11 Terminal questions

3.5.1 Objectives

The objectives of this lesson are to understand

• Information Technology Act 2008 and Other applicable Acts,
• Legislative, law enforcement and Judicial initiatives,
• International cooperation and global initiatives - challenges
3.5.2 Introduction

The Information Technology Act was passed in 2000 to give legal
infrastructure for E-commerce in India. It was further amended in 2008. The Act
assures legal sanctity to all electronic records and other activities carried out by
electronic means. In view of the growth in transactions and communications
carried out through electronic records, the Act seeks to empower government
departments to accept filing, creating and retention of official documents in a
digital format. It allows acceptance of the contract through electronic media.

Highlights of the Act are as under:

• To authenticate the electronic record by affixing a digital signature and
verify records by usage of the public key of a subscriber;
• Any information rendered or made available in electronic form is deemed
to have been made available as per the governance rules stated under any
Act;
• Provides for recognition of digital signature and also recognizes the
certifying authorities for granting of licenses to issue Digital Signature
Certificates.
• Provides for penalties and adjudication for various offences. The penalties
for damage to computer, computer systems etc. have been fixed as damages
by way of compensation not exceeding Rs. 1,00,00,000 to affected
persons.
• Provides for appointment of any officer not below the rank of a Director to
the Government of India or an equivalent officer of state government as an
Adjudicating Officer who shall adjudicate whether any person has made a
contravention of any of the provisions of the said Act or rules framed there
under. The said Adjudicating Officer has been given the powers of a Civil
Court.
• States the various offences and that the said offences shall be investigated
only by a Police Officer not below the rank of the Deputy Superintendent
of Police. These offences include tampering with computer source
documents, publishing of information, which is obscene in electronic
form, and hacking.
• Also proposes to amend the Indian Penal Code, 1860, the Indian Evidence
Act, 1872, The Bankers' Books Evidence Act, 1891, The Reserve Bank of
India Act, 1934 to make them in tune with the provisions of the IT Act.
3.5.3 Implications of IT Act 2000/2008

• E-mail would now be a valid and legal form of communication in our
country that can be duly produced and approved in a court of law.
• Companies shall now be able to carry out electronic commerce using the
legal infrastructure provided by the Act.
• Digital signatures have been given legal validity and sanction in the Act.
• Throws open the doors for the entry of corporate companies in the
business of being Certifying Authorities for issuing Digital Signatures
Certificates.
• Now allows Government to issue notification on the web thus heralding
e-governance.
• Enables the companies to file any form, application or any other document
with any office, authority, body or agency owned or controlled by the
appropriate Government in electronic form by means of such electronic
form as may be prescribed by the appropriate Government.
• Also addresses the important issues of security, which are so critical to the
success of electronic transactions. The Act has given a legal definition to
the concept of secure digital signatures that would be required to have
been passed through a system of a security procedure, as stipulated by the
Government at a later date.

The Payment and Settlement System Act.

The PSS Act, 2007 provides for the regulation and supervision of payment
systems in India and designates the Reserve Bank of India (Reserve Bank) as the
authority for that purpose and all related matters. The Reserve Bank is
authorized under the Act to constitute a Committee of its Central Board known as
the Board for Regulation and Supervision of Payment and Settlement Systems
(BPSS), to exercise its powers and perform its functions and discharge its duties
under this statute. The Act also provides the legal basis for “netting” and
“settlement finality”. This is of great importance, as in India, other than the Real
Time Gross Settlement (RTGS) system all other payment systems function on a
net settlement basis.

3.5.4 Impact on other Acts

Negotiable Instruments Act 1881

Amendment has been made to redefine the cheque and include cheque in
electronic form. Cheque is defined under the Act to include the electronic image
of a truncated cheque and a cheque in the electronic form. The Act has given
explanation to elaborate the meaning of truncated cheque and cheque in
electronic form.

A cheque in the electronic form means a cheque which contains the exact
mirror image of a paper cheque, and is generated, written and signed in a secure
system ensuring the minimum safety standards with the use of digital signature
(with or without biometrics signature) and asymmetric crypto system;

A truncated cheque means a cheque which is truncated during the course of a
clearing cycle, either by the clearing house or by the bank whether paying or
receiving payment, immediately on generation of an electronic image for
transmission, substituting the further physical movement of the cheque in
writing.

Necessary amendments have been made in the Act related to the rights and
responsibilities of the Collecting Banker and Paying Banker. These amendments
are explained below:

• Where an electronic image of a truncated cheque is presented for payment,
the drawee bank is entitled to demand any further information regarding
the truncated cheque from the bank holding the truncated cheque in case
of any reasonable suspicion about the genuineness of the apparent tenor of
instrument, and if the suspicion is that of any fraud, forgery, tampering or
destruction of the instrument, it is entitled to further demand the
presentment of the truncated cheque itself for verification.
• Where the cheque is an electronic image of a truncated cheque, even after
payment the banker who received the payment shall be entitled to retain
the truncated cheque. Physical cheques are retained with the Bank making
the payment.
• Where the cheque is an electronic image of a truncated cheque, any
difference in apparent tenor of such electronic image and the truncated
cheque shall be a material alteration and it shall be the duty of the bank or
the clearing house, as the case may be, to ensure the exactness of the
apparent tenor of electronic image of the truncated cheque while
truncating and transmitting the image.
• It shall be the duty of the banker who receives payment based on an
electronic image of a truncated cheque held with him, to verify the prima
facie genuineness of the cheque to be truncated and any fraud, forgery or
tampering apparent on the face of the instrument that can be verified with
due diligence and ordinary care.
Necessary amendments have been made to Indian Evidence Act, Companies Act,
Banking Regulation Act, and Income Tax Act to include electronic records,
documents and instruments. In view of these changes, all returns are filed
electronically, relating to Income Tax, Sales Tax, Excise and Companies Act.

3.5.5 Initiatives to prevent cyber crime

Infrastructure facilities

The Directorate of Forensic Science under the Ministry of Home Affairs, with its
three Computer Forensic Labs (CFLs) and three offices of Government Examiner
of Questioned Documents (GEQDs) provides the necessary forensic analysis
expertise to the Law enforcement agencies. Most of the States also have Forensic
Science Laboratories, and some of the cyber crime cells at the state police stations
also have limited facilities and expertise to handle common cyber crimes related
to emails, pornography, hacking etc.

Two technical resource centers, one focusing on computer disk forensics and the
other on steganography, set up at Center for Development of Advanced
Computing (CDAC) Thiruvananthapuram and Kolkata respectively, have been
sponsored by DIT. These centers, besides research also facilitate law enforcement
agencies in cyber crime investigations.

Training

For successful prosecution of cyber crimes it is essential to have adequate and
cogent digital evidence against a suspect and then link this information to the
suspect in a legally acceptable manner. Information stored in digital form is
transient in nature and therefore law enforcement personnel require specialized
skills to seize, collect, analyze and report digital evidence in a Court of Law.

Many organizations like National Crime Records Bureau (NCRB)-Delhi, CBI
Academy-Ghaziabad, National Police Academy-Hyderabad etc. conduct training
programs, generally on computer software packages and fundamentals of cyber
forensics. Some collaborative training programs with Federal Bureau of
Investigation (FBI-US) are also conducted. Indian-Computer Emergency
Response Team (CERT-IN), Computer Certifying Authorities (CCA), Central
Forensic Science Lab (CFSL) etc., conduct some subject specific courses on Cyber
Security, Cyber Laws, Cyber Crimes & related issues.

Police personnel are also frequently transferred to hold different assignments &
hence there is a continuous need for training in the enforcement department.
Also, as most of the crimes involve use of computers & electronic gadgets at some
stage of committing a crime or the other, basic knowledge & training in digital
evidence is always desirable and advantageous for the law enforcement
personnel. There is an urgent need for conducting more training programs and
there is scope for public private partnership as well as international cooperation
in this area.

3.5.6 International cooperation

Cyber Crime cases are covered under Mutual Legal Assistance Treaties (MLATs),
which India has with various countries. Moreover, India is a member of Cyber
Crime Technology Information Network System (CTINS), which is a Japanese
Govt. initiative for mutual exchange of information regarding cyber crimes
among the member countries, which is advisory in nature. This system is
presently installed in the Cyber Crime Investigation Cell of Central Bureau of
Investigations (CBI), which is also 24x7 point of contact for Sub Group of Hi-tech
Crimes of G-8 Countries.

Industry initiatives

The two industry associations in India which are participating in major
promotional activities in the IT sector are the National Association of Software and
Service Companies (NASSCOM) and the Manufacturer Association of Information
Technology (MAIT). MAIT, initially set up for purposes of scientific, educational
and IT industry promotion, has emerged as an effective and dynamic
organization with majority of the members coming from the Hardware Sector, by
turnover, and the remaining from Training, Design, R&D and the associated
services sectors of the Indian IT Industry. MAIT’s charter is to develop a globally
competitive Indian IT Industry, promote the usage of IT in India, strengthen the
role of IT in national economic development and promote business through
international alliances. The organization’s special focus is on domestic market
development and attracting foreign investment in the Indian IT Industry.

Information Security remains one of the key priorities for the Indian IT Enabled
Services – Business Process Outsourcing (ITES-BPO) industry, a challenge that
has to be overcome in order to firmly establish the sector's credentials as a
trusted sourcing destination. Recognizing the fact that security breaches in
leading BPO firms can put a spanner in India's successful outsourcing run, the
industry has come forward to devise roadmaps and outline strategies that will
help create an impregnable Information Security environment. The country, in
fact has been working very closely with representatives of the US market, the
largest outsourcer of processes to India.

Two years ago, this collaborative effort bore fruit as the Indian IT-ITES industry,
represented by NASSCOM and the US market, represented by the Information
Technology Association of America (ITAA), came together to launch the
prestigious "India-US Information Security Summit." Cyber laws, cyber security,
cybercrime, etc. are important issues discussed in several seminars and
workshops conducted periodically by the industry associations.

A joint initiative of NASSCOM and Mumbai Police, the Mumbai Cyber Lab is a
unique initiative of Police-Public collaboration to facilitate investigations of cyber
crime; some of its broad objectives are to:

• Promote collaboration among Mumbai Police, Information Technology
industry, academia and concerned citizens to address cyber crime and its
related issues.
• Develop pro-active strategies for anticipating trends in cyber crime and
formulating technical and legal responses on various fronts.
• Facilitate cyber crime investigation training among police officers.
• Develop cyber crime technology tools for criminal investigation. Improve
awareness of cyber crime among the people and enhance Information
Security in Mumbai city in general.
• Act as Resource Center for other police organizations in the country.
3.5.7 International organizations battling cyber crime

The global network, which has united millions of computers located in different
countries and opened broad opportunities to obtain and exchange information, is
used for criminal purposes more often nowadays. The introduction of electronic
money and virtual banks, exchanges and shops became one of the factors in the
appearance of a new kind of crime: transnational computer crimes. Today law
enforcement agencies face the tasks of counteracting and investigating crimes in
the sphere of computer technologies and cyber crimes. Still, the definition of
cyber crimes remains unclear to law enforcement, though criminal actions on the
Internet pose great social danger. The transnational character of these crimes is
the ground today for the development of a mutual policy to regulate a strategy to
fight cyber crime.

One of the most serious steps to regulate this problem was the adoption of Cyber
Crimes Convention by European Council on 23rd November 2001, the first ever
agreement on juridical and procedural aspects of investigating and cyber crimes.
It specifies efforts coordinated at the national and international levels and
directed at preventing illegal intervention into the work of computer systems. The
convention stipulates actions targeted at national and international level,
directed to prevent unlawful infringement of computer systems functions. The
convention divides cyber crimes into four main kinds: hacking of computer
systems, fraud, forbidden content and breaking copyright laws. By ways and
measures these crimes are specific, have high latency and low exposure levels.
There is another descriptive feature of these crimes: they are mostly committed
only with the purpose of committing other, more grave crimes, for example, theft
from bank accounts, getting restricted information, counterfeit of money or
securities, extortion, espionage, etc.

There are various initiatives taken by organizations worldwide from time to time
to control the growing menace of cyber crime. Some of the initiatives taken by
various organizations are:

The United Nations

A resolution on combating the criminal misuse of information technologies was
adopted by the General Assembly on December 4th, 2007 (A/res/55/63),
including the following:

• States should ensure that their laws and practice eliminate safe havens for
those who criminally misuse information technologies.
• Legal systems should protect the confidentiality, integrity and availability
of data and computer systems from unauthorized impairment and ensure
that criminal abuse is penalized.
The Council of Europe

Convention on Cyber Crime of 2001 is a historic milestone in the combat against
cyber crime. Member states should complete the ratification and other states
should consider the possibility of acceding to the convention or evaluate the
advisability of implementing the principles of the convention. The Council of
Europe established a Committee of experts on crime in Cyber-space in 1997. The
committee prepared the proposal for a convention on Cyber-crime, and the
Council of Europe convention on Cyber Crime was adopted and opened for
signatures at a conference in Budapest, Hungary in 2001.

The European Union

In the European Union, the Commission of the European Communities
presented on April 19, 2002 a proposal for a council framework decision on
attacks against information systems. The proposal was adopted by the Council in
2005 and includes Article 2: Illegal access to Information Systems, Article 3:
Illegal Systems Interference and Article 4: Illegal Data Interference.

ASEAN

The Association of South East Asian Nations (ASEAN) had established a high
level ministerial meeting on Transnational Crime. ASEAN and China would
jointly pursue joint actions and measures and formulate cooperative and
emergency response procedures for purposes of maintaining and enhancing
cyber-security and preventing and combating cybercrime.

APEC

The Ministers and leaders of the Asia Pacific Economic Cooperation (APEC) had
made a commitment at a meeting in 2002 which included, “An endeavor to enact
a comprehensive set of laws relating to cyber-security and cybercrime that are
consistent with the provisions of international legal instruments, including
United Nations General Assembly Resolution 55/63 and the Convention on Cyber
Crime by October 2003.”

G-8 states

At the Moscow meeting in 2006, the G8 Justice and Home Affairs Ministers
discussed cybercrime and issues of cybercrime. In a statement it was emphasized,
“We also discussed issues related to sharing accumulated international
experience in combating terrorism, as well as comparative analysis of relevant
pieces of legislation on that score. We discussed the necessity of improving
effective countermeasures that will prevent IT terrorism and terrorist acts in this
sphere of high technologies. For that it is necessary to set a measure to prevent
such possible criminal acts, including on the sphere of telecommunication. That
includes work against the selling of private data, counterfeit information and
application of viruses and other harmful computer programs. We will instruct our
experts to generate unified approaches to fighting cyber criminality, and we will
need an international legal base for this particular work, and we will apply all of
that to prevent terrorists from using computer and internet sites for hiring new
terrorist and the recruitment of other illegal actors.”

3.5.8 Let us sum up

Information Technology has proliferated in every sphere of an economy.
However, with its progress it also gave birth to various cyber crimes across the
world. Countries worldwide have come up with their own laws to combat these
crimes, and so has India. The Information Technology Act was enacted in 2000 and
further amended in 2008. Most of the cyber crimes are brought under its ambit.
There are various implications of the IT Act. The IT Act has also affected various
other Acts such as the Indian Penal Code, 1860, the Indian Evidence Act, 1872, The
Bankers' Books Evidence Act, 1891 and The Reserve Bank of India Act, 1934.
There are various initiatives taken by the Indian Government to combat cyber crimes
and online frauds. Internationally too, various organizations have come up with
different measures to counter cyber crimes and online frauds.

3.5.9 Key Words

CFLs, GEQDs, CDAC, DIT, CBI, NCRB, FBI, CERT-IN, CCA, CFSL, MLATs,
CTINS, NASSCOM, MAIT, ITES-BPO, IT-ITES, ITAA, ASEAN, APEC

3.5.10 Check your progress question

1. CFL means ------------

2. GEQDs means -----------

3. Which Act is not impacted after the introduction of Information
Technology Act 2000

a. Sale of Goods Act
b. Negotiable Instruments Act
c. Income Tax Act
d. Companies Act 1956

4. In Negotiable Instruments Act, no amendment is made as to

a. Duties of collecting banker
b. Duties of paying banker
c. Definition of cheque
d. Definition of Promissory note

5. Definition of cheque has been amended for which one of the following
purposes

a. To facilitate clearing of cheques using Cheque truncation methodology
b. To facilitate E-commerce
c. To facilitate internet banking
d. To discontinue the clearing of MICR cheques

Key to check your progress

1. Computer Forensic Labs
2. Government Examiner of Questioned Documents
3. a   4. d   5. a

3.5.11 Terminal questions

• What are the important areas that have been addressed in Information
Technology Act -2008?
• What changes have been brought in the Negotiable Instruments Act
related to the duties of a Collecting Banker and a Paying Banker?

Unit 4: IT Management and Best Practices

Lesson No. 1 IT Governance

Lesson No. 2 Operations Management

Lesson No. 3 Systems and Functions Performance

Lesson No. 4 IT Infrastructure Management

Lesson No. 5 Important Terminologies

4 Unit 4: IT Management and Best Practices

4.1 Lesson No. 1 IT Governance

4.1.1 Objectives
4.1.2 Introduction
4.1.3 Importance of IT Governance in Banks
4.1.4 Management Control Framework
4.1.5 IT Resource Management
4.1.6 Application Management
4.1.7 New areas of Application – Data Analytics in Banks
4.1.8 Change Management
4.1.9 Capacity Planning & Monitoring
4.1.9.1 Capacity Management
4.1.9.2 Availability Management
4.1.9.3 Supplier Management
4.1.9.4 Event Management
4.1.10 Let us sum up
4.1.11 Key words
4.1.12 Check your progress-questions
Key to Check your progress
4.1.13 Terminal questions

4.1.1 Objectives

The objectives of this lesson are to understand governance issues about IT like

• Management & control framework
• Capacity planning and monitoring
• Change management process

This lesson would cover all the managerial aspects related to the technology in
Banks. From data resource management to change management processes, IT
Governance is a must. This lesson would explain these processes in greater detail.

4.1.2 Introduction

It is essential to understand the meaning of governance before we talk about IT
Governance. Governance is setting up of standards, best business practices, rules
and procedures and adhering to it consistently for effectively managing the
operations of an organization.

Every organization should have corporate governance philosophy in place to


sustain and grow in a competitive environment. Information Technology (IT) has
become integral part of every organization including Banks. It is therefore
obvious that IT governance too has to be in place and well aligned with the
corporate governance.

4.1.3 Importance of IT governance in banks

In India, banks are at various stages of technology adoption. While all the
scheduled commercial banks in the private and public sector have put in place
Core Banking Solutions for handling business operations, in the co-operative
sector the banks are at various stages of technology adoption. While scheduled
co-operative banks have implemented core banking, many urban co-op banks
and DCCBs have been in the process of migrating from total branch automation
to Core Banking Solution. NABARD facilitates such CBS in nearly 200 DCCBs.

The proliferation of delivery channels such as ATMs, internet banking and
mobile banking, and their penetration in urban and semi-urban areas, speak
volumes about the role technology has played in Indian banking. The
payment system in India is undergoing phenomenal change. From manual
clearing to electronic clearing, customers have various options for settling
payment claims, such as ECS (Dr & Cr), NEFT, RTGS, National Clearing and SWIFT
clearing. Banking products offered to customers too are driven by technology.
IT governance can ensure that the benefits of technology reach the masses
with greater reliability and minimum disruption, and in turn benefit
organizations not only in business growth but also in exercising effective
controls for maintaining qualitative growth.

4.1.4 Management control framework

In IT governance, the following are the stakeholders:

• Board of Directors
• IT Strategy Committees
• CEOs
• Business Executives
• Chief Information Officers (CIOs)
• IT Steering Committees (operating at an executive level and focusing on
  priority setting, resource allocation and project tracking)
• Chief Risk Officers
• Risk Committees

IT governance envisages total support from the Board of Directors in adhering to
it on a continuous basis. Besides the Board of Directors, top management who are
at the helm of affairs and are involved in decision making should also have
an appropriate appreciation of the technology, along with involvement and
commitment.

Periodic meetings amongst all the stakeholders are required to achieve the
following objectives:

• Ensuring that the management has put an effective strategic planning
  process in place
• Ensuring that the IT organizational structure complements the business
  model and its direction
• Monitoring the method that management uses to determine the IT
  resources needed to achieve strategic goals and provide high-level
  direction for sourcing and use of IT resources
• Becoming aware of exposure to IT risks and controls, and
  evaluating the effectiveness of management's monitoring of IT risks
• Establishing business priorities and ensuring that resources are allocated
  to enable effective IT performance

The balanced scorecard technique helps measure and translate business strategies
into financial and non-financial factors.

4.1.5 IT resource management

IT resources have to be utilized such that an organization gets the highest
rate of return from the assets in which it has made a huge investment. The
resources include not only hardware and software deployed at branches and data
centres, but also employees who have specialized skills in managing the hardware
and software.

The management of IT resources cannot be done totally in-house. This is because
there are certain specialized areas which require assistance from people well
versed in the area. Database management and network management are outsourced
in many organizations. IT companies with trained staff
undertake the outsourced activities. They provide support at different levels,
namely level-1, level-2 and level-3 support. Level-1 support is for carrying out
routine activities. Level-2 support is for handling activities which are of a
periodic nature. Level-3 support is provided in case of breakdown of a system.
The specialized resources providing level-2 and level-3 support are pooled at a
central place by such companies and are made available as per the needs of an
organization.

For maintenance of the hardware as well, organizations usually depend on
external vendors. Maintenance is of two types: preventive maintenance, and
repair in case of a breakdown or a failure. Maintenance is required not only for
hardware and software, but also for the infrastructure set-up, which includes
the data centre, firefighting systems, precision air conditioning, UPSs,
generators etc.

Another important aspect of IT resource management is the obsolescence of
technology. Continuous upgrades make the existing technology
outdated. Organizations not only have to keep an eye on developments in the
industry in terms of new technology, but also have to plan for it. An
obsolescence policy has to be in place. As per their internal policies,
banks/organizations can replace existing assets by purchasing new ones.
Continuous updates bring about greater productivity, in terms of
electricity consumption, reduced processing time and more efficient utilization
of resources such as memory, CPU, hard disc etc.

Effective management of hardware life-cycles, software licenses, service
contracts and permanent & contracted human resources is a critical success
factor. It is critical not only for optimising the IT cost base, but also for
managing changes, minimising service incidents and assuring a reliable service
quality.

Out of the IT assets, human resources represent the biggest part of the cost base.
It is most likely to increase on a unit basis. It is essential to identify skill set
requirements through demarcation of job roles and responsibilities and an
assessment of required core competencies in the workforce. An effective
recruitment, retention and training programme is necessary, to ensure that a
bank has the skills to utilize IT resources effectively, so as to achieve the stated
objectives.

Ability to balance the cost of infrastructure assets with the quality of service
(including those provided by outsourced external service providers) is critical to
successful value delivery.

• Educate executives on IT capabilities, costs and technology issues.
• Provide insights and clarify and demonstrate IT value.
• Proactively seek ways to increase the contribution of IT value.
• Establish strong IT project management.
• Drive definition of business requirements and own them.
• Sponsor IT projects.
• Approve, control and monitor service levels.
• Assess and publish operational benefits of owned IT investments.
• Allocate business resources required to ensure effective IT Governance
  over projects and operations.
• Provide IT infrastructure that facilitates creation and sharing of business
  information at an optimal cost.
• Ensure availability of suitable IT resources, skills and infrastructure to
  meet strategic objectives.
• Ensure that critical roles for deriving maximum IT value are appropriately
  defined and staffed.

4.1.6 Application management

Banks use different types of applications for carrying out their business
activities. The applications are developed in-house or purchased from reputed
vendors. They can be of the following types:

• Financial applications such as core banking solutions, customer
  relationship management software, human resources management
  software.
• Infrastructure applications.
• Messaging and collaborative applications such as MS-Office or mailing
  systems.
• Web portals or web applications.
• Contact centre applications.
• Function-specific applications for specialized activities such as D-mat,
  Treasury, Trade finance, etc.

The applications include any one of the above solutions as well as common
purpose applications such as Microsoft Office, anti-virus software, network
management software etc.

Application management involves the handling and management of an application
as it goes through its entire life-cycle. The life-cycle encompasses both
application development and application management activities. Sub-activities
that can be defined for application management functions are:

Application Development: It is concerned with the activities needed to plan,
design and build an application that is ultimately used by a part of an
organization to address business requirements. This also includes application
acquisition, purchase, hosting and provisioning.

Application Maintenance/Management: It focuses on activities that are
involved with the deployment, operation, support and optimization of an
application. Application Management related functions may include the
following:

• Managing operational applications, whether vendor-developed, off-the-shelf
  or in-house.
• It acts as a custodian of technical knowledge and expertise related to
  managing and supporting applications. It ensures that the technical
  knowledge and expertise required to design, develop, test, manage and
  improve IT services are identified, developed and refined.
• It ensures that appropriate resources are effectively trained and deployed
  to deliver, build, transition, operate and improve the technology required
  to manage and support IT services.
• It defines and executes training programmes.
• It documents skill sets available within an organization and skills that
  need to be developed to manage application management as a function.
• It defines standards to be adapted when defining new application
  architecture and involvement in design and building of new services.
• It assesses the risk involved in an application architecture.
• It records feedback on availability and capacity management activities.
• It designs and performs tests for functionality, performance and
  manageability of IT services.
• It defines and manages event management tools.
• It participates in incident, problem, performance, change and release
  management, and in resource fulfillment.
• It provides information on the Configuration Management System.

4.1.7 New areas of Application

Data analytics (DA)

Data analytics (DA) is the process of examining data sets in order to draw
conclusions about the information they contain, increasingly with the aid of
specialized systems and software. Data analytics technologies and techniques are
widely used in commercial industries to enable organizations to make
more-informed business decisions, and by scientists and researchers to verify or
disprove scientific models, theories and hypotheses.

In today's data-driven world, data analytics plays a crucial role in informed
decision making to drive organizations forward, improve efficiency, increase
returns, and in turn achieve business goals. For the uninitiated, data analytics
is the process of discovering, interpreting and conveying meaningful insights
from data to help in the decision-making process.

According to the latest Worldwide Semi-Annual Big Data and Analytics Spending
Guide from one of the top research firms, worldwide revenues for big data and
business analytics will go up to more than $203 billion in 2020. The
applications for data analytics are growing significantly day by day because of
various innovations in the field. Out of this $130 billion market share, the
banking sector leads revenues with a contribution of $17 billion in 2016.

In the Banking and Financial Services sector, through data analytics,
institutions can monitor and assess large amounts of customer data and create
personalized/customized products and services specific to individual consumers.
For example, when a customer buys a vehicle, the bank sends promotional offers
of insurance to cover the customer's vehicle. In the future, such applications
could be expanded even further. For instance, if a customer got a
large bill, the bank could offer an EMI conversion or a loan to cover the cost.

Some of the areas where banking and financial institutions are increasingly
using data analytics include:

• Fraud detection
• Managing customer data
• Risk modelling for investment banks
• Personalized marketing
• Lifetime value prediction
• Real-time and predictive analytics
• Customer segmentation
• Customer spending patterns
• Transaction channel identification
• Customer feedback analysis and application

The importance of data analytics in the banking and financial services sector
has been realized at a greater scale, and most of the established banks have
already started reaping the benefits.

For instance, an American bank used machine learning to understand the
discounts that its private bankers were providing to customers. Bankers were
claiming that they offered discounts only to important/valuable customers.
However, when the data was assessed through analytics, it told a different
story. It showed patterns of discounts which were not needed, and which could
easily be corrected. The bank adopted the changes, leading to an increase in
revenues by 8% within a few months.

A leading industry survey conducted for 20 banks across the EMEA region
revealed that there were certain areas of improvement which, if worked upon,
could deliver great returns. Some of the areas included were:

• Aligning the priorities of analytics to the strategic vision of the banks
• Incorporating decision making with analytics practices
• Developing advanced-analytics assets on a large scale and investing in
  the roles which are critical to analytics
• Enabling the user revolution with clearly defined data ownership and
  maintenance of high-quality data

To gain competitive advantage, banks should recognize the importance of data
science, incorporate it in their decision-making process, and develop strategies
based on the actionable insights from their customers' data. Start with small,
doable steps to integrate data analytics into operating models and stay ahead of
competition.

4.1.8 Change management

This process provides guidelines which can be used by banks for handling
changes to ensure that the changes are recorded, assessed, authorized,
prioritized, planned, tested, implemented, documented and reviewed in a
controlled manner and environment. The primary objectives of change
management procedures are to ensure assessment of:

• Risks
• Change authorization
• Business continuity
• Change impact

A change management policy has to be in place. The objectives of the policy
should be:

• To ensure a high level of integrity and correctness of information assets
• To manage and control changes to the information assets
• To ensure that changes are documented and effectively reported
• To manage technology obsolescence

In the case of technology, any change brought about without care and caution
would lead to a disaster. It is therefore necessary to identify the areas where
change should be brought about and set up a process for implementing such
change. In the case of the Core Banking Application, every new release received
from a vendor has to be tested by the UAT (User Acceptance Team) before it is
put to use on production servers. The testing should ensure that the change
gives the desired results as per the business requirements document and does
not impact existing functioning. Where a change is to be made in configurations
for better performance, such as changes in a database, it has to be implemented
in a systematic manner. Configurations are tested in the test environments and
then implemented in live areas. Adding a new IP address or adding new hardware
such as a desktop or printer is also a change. Upgraded versions received are
also to be handled as per the change management policy.

• A change management process should be established, which covers all
  types of change.
• The change management process should be documented, and include
  approving and testing changes to ensure that they do not compromise
  security controls, performing changes and signing them off to ensure they
  are made correctly and securely, and reviewing completed changes to ensure
  that no unauthorized changes have been made. The following steps
  should be taken prior to changes being applied to the live environment:
  ✓ Change requests should be documented (e.g., on a change request
    form) and accepted only from authorized individuals, and changes
    should be approved by an appropriate authority.
  ✓ The potential business impacts of changes should be assessed (e.g.,
    in terms of the overall risk and impact on other components of
    an application).
  ✓ Changes should be tested to help determine the expected results
    (e.g., deploying the patch into the live environment).
  ✓ Changes should be reviewed to ensure that they do not compromise
    security controls (e.g., by checking software to ensure it does not
    contain malicious code, such as a Trojan horse or a virus).
  ✓ Back-out positions should be established so that the application can
    recover from failed changes or unexpected results.
• Changes to an application should be performed by skilled and competent
  individuals who are capable of making changes correctly and securely, and
  signed off by an appropriate business official.
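
The review of completed changes described above can be automated by comparing hashes of live configuration items against the approved change records. The Python example below is added here and is not from the course material; the record fields, file paths, user names and change IDs are hypothetical, and the file contents are constructed samples.

```python
"""Post-change review: reconcile live configuration items against change records.
Paths, file contents, user names and change IDs are constructed for illustration."""
import hashlib
from dataclasses import dataclass
from typing import Optional


def digest(content: bytes) -> str:
    """SHA-256 of a configuration item's content, as a hex string."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    path: str                      # configuration item the change touches
    new_digest: str                # SHA-256 the item should have once the change is applied
    requested_by: str
    approved_by: Optional[str] = None
    impact_assessed: bool = False
    tested: bool = False
    security_reviewed: bool = False
    backout_position: bool = False
    signed_off_by: Optional[str] = None


def control_gaps(cr, authorized_requesters):
    """Controls from the change management process that this record does not show."""
    checks = [
        (cr.requested_by in authorized_requesters, "requester not authorized"),
        (bool(cr.approved_by), "not approved"),
        (cr.impact_assessed, "business impact not assessed"),
        (cr.tested, "not tested"),
        (cr.security_reviewed, "no security review"),
        (cr.backout_position, "no back-out position"),
        (bool(cr.signed_off_by), "no business sign-off"),
    ]
    return [label for ok, label in checks if not ok]


def review_changes(baseline, live, records, authorized_requesters):
    """Compare baseline and live digests; return (finding, path, detail) tuples by path."""
    by_path = {}
    for cr in records:
        by_path.setdefault(cr.path, []).append(cr)
    findings = []
    for path in sorted(set(baseline) | set(live) | set(by_path)):
        before, after = baseline.get(path), live.get(path)
        applied = [cr for cr in by_path.get(path, []) if cr.new_digest == after]
        if before != after and not applied:
            # Added, removed or modified with no record describing the live state.
            findings.append(("UNAUTHORIZED", path, "no change record matches live state"))
        for cr in by_path.get(path, []):
            if cr not in applied:
                findings.append(("NOT_APPLIED", path, cr.change_id))
                continue
            gaps = control_gaps(cr, authorized_requesters)
            if gaps:
                findings.append(("CONTROL_GAP", path, f"{cr.change_id}: {', '.join(gaps)}"))
    return findings


# Constructed sample state: digests recorded before the change window and after it.
BASELINE = {
    "cbs/app.conf": digest(b"pool=50\n"),
    "cbs/db.conf": digest(b"cache=4G\n"),
    "net/fw.rules": digest(b"allow 10.0.0.0/24\n"),
}
LIVE = {
    "cbs/app.conf": digest(b"pool=80\n"),           # changed under CR-101
    "cbs/db.conf": digest(b"cache=8G\n"),           # changed under CR-102
    "net/fw.rules": digest(b"allow 10.0.0.0/16\n"), # changed, no record
    "cbs/debug.conf": digest(b"trace=on\n"),        # new item, no record
}
AUTHORIZED = {"ops.lead", "dba.lead"}
RECORDS = [
    ChangeRecord("CR-101", "cbs/app.conf", digest(b"pool=80\n"), "ops.lead", "cio",
                 True, True, True, True, "branch.head"),
    ChangeRecord("CR-102", "cbs/db.conf", digest(b"cache=8G\n"), "dba.lead", "cio",
                 impact_assessed=True, security_reviewed=True),
    ChangeRecord("CR-103", "cbs/batch.conf", digest(b"window=22:00\n"), "ops.lead", "cio",
                 True, True, True, True, "branch.head"),
]

if __name__ == "__main__":
    for finding, path, detail in review_changes(BASELINE, LIVE, RECORDS, AUTHORIZED):
        print(f"{finding:12} {path:16} {detail}")
```
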
4.1.9 Capacity planning and monitoring

In banks where core banking is implemented, the installed capacity has to be
continuously monitored so that it does not reach saturation. At a
data centre, banks have hardware in the form of production servers,
application servers and database systems. The hardware is procured by taking
into account the existing business of a bank and the likely business level it
would achieve in the next 3-4 years. The hardware should take care of the total
business so calculated. Similarly, the bandwidth required for leased line
connectivity is to be evaluated depending on the bandwidth required for
different kinds of applications. This evaluation is nothing but the evaluation
of the capacity required for smooth running of business operations without any
disruptions. The capacity of the core banking software is also to be evaluated
by carrying out a benchmarking exercise. Capacity planning therefore involves
the following steps:

Step 1: Select an appropriate capacity planning process owner

The first step in developing a robust capacity planning process is to select an
appropriately qualified individual to serve as the process owner. In large
organizations, a group of people in the form of a committee is assigned this
role. The person/committee is responsible for designing, implementing and
maintaining the processes and is empowered to negotiate and delegate to
developers and other support groups.

First and foremost, this individual/committee must be able to communicate
effectively with developers, because much of the success and credibility of a
capacity plan depends on accurate input and constructive feedback from
developers to infrastructure planners. The owner must also have knowledge of
systems and network software and components, as well as their configuration
details.

Step 2: Identify the key resources to be measured

Once the process owner is selected, one of his or her first tasks is to identify
the infrastructure resources that must have their utilizations or performances
measured. This determination is made based on current knowledge about which
resources are most critical to meeting future capacity needs. In many
organizations, these resources revolve around network bandwidth, the number
and speed of server processors, or the number, size or density of disk volumes
comprising centralized secondary storage. A more complete list of possible
resources is as follows:

• Network bandwidth
• Centralized disk space
• Centralized processors in servers
• Tape drives
• Centralized memory in servers
• Centralized printers
• Desktop processors
• Desktop disk space
• Desktop memory

Step 3: Measure the utilizations or performance of the resources

The resources identified in Step 2 should now be measured as to their
utilizations or performance. These measurements provide two key pieces of
information:

• A utilization baseline from which future trends can be predicted and
  analyzed.
• The quantity of excess capacity available for each component.

For example, a critical server may be running at an average of 60% utilization
during peak periods on a daily basis. These daily figures can be averaged and
plotted on a weekly and monthly basis to understand the utilization trend.

Resource utilizations are normally measured using different tools. Each tool
contributes a different component to the overall utilization matrix. One tool may
provide processor and disk channel utilizations. Another may supply information
on disk-space utilization; still another may provide insight into how much of that
space is actually being used within databases.

Databases are often pre-allocated by database administrators to a size that they
feel supports growth over a reasonable period of time. Knowing how full those
databases actually are, and how quickly they are filling up, provides a more
accurate picture of disk space utilization. In environments where machines are
used as database servers, this information is often known only to database
administrators. It is therefore important to establish an open dialog between
capacity planners and database administrators and to obtain a tool that provides
this crucial information.

Step 4: Compare utilizations to maximum capacities

The intent here is to determine how much excess capacity is available for the
selected components. The utilization or performance of each component measured
should be compared to its maximum usable capacity. Note that the
maximum usable is almost always less than the maximum possible. The
maximum usable server capacity, for example, is usually only 80 to 90%. Similar
limitations apply for network bandwidth and cache storage hit ratios. By
extrapolating the utilization trending reports and comparing them to the
maximum usable capacity, the process owner should now be able to estimate at
what point a given resource is likely to exhaust its excess capacity.

Step 5: Collect workload forecasts from developers and users

This is one of the most critical steps in the entire capacity planning process,
and it is the one over which you have the least control. Developers are usually
asked to help users complete IT workload forecasts. As in many instances of this
type, the output is only as good as the input. Working with developers and some
selected pilot users in designing a simple yet effective worksheet can go a long
way to easing this step. This should be customized as much as possible to meet
the unique requirements of a particular environment.

Step 6: Transform workload forecasts into IT resource requirements

After the workload forecasts are collected, the projected changes must be
transformed into IT resource requirements. Sophisticated measurement tools or
a senior analyst's expertise can help in translating projected transaction loads
into, for example, increased capacity of server processors. The worksheets also
make it possible to project the estimated time frames during which an increase
in workload will occur. For major application workloads, it is wise to utilize
the performance reports provided by key suppliers of the servers, database
software, enterprise applications etc.

Step 7: Map requirements onto existing utilizations

The projected resource requirements derived from the workload projections of
the users in Step 6 are now mapped onto the charts of excess utilization from
Step 4. This mapping shows the quantity of new capacity that will be needed by
each component to meet expected demand.

Step 8: Predict when the shop will be out of capacity

The mapping of the quantity of additional capacity needed to meet projected
workload demands also pinpoints the time frame during which these upgraded
resources will be required.

Step 9: Update forecasts and utilizations

The process of capacity planning is not a one-shot event but rather an ongoing
activity. Its maximum benefit is derived from continually updating the plan and
keeping it current. The plan should be updated at least once per year. Shops
that use this methodology best are the shops that update their plans every
quarter. Note that the production acceptance process also uses a form of
capacity planning when determining resource requirements for new applications.
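
Steps 3, 4, 7 and 8 can be carried through numerically. The following Python example is added here and is not part of the course material: it fits a straight-line trend to monthly peak utilization, adds the load from workload forecasts, and reports the month in which each resource reaches its maximum usable capacity. The resource names, utilization figures, the 80% and 85% usable ceilings and the choice of a linear trend are assumptions made for illustration.

```python
"""Capacity projection for Steps 3, 4, 7 and 8. All figures are constructed samples."""
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    monthly_peak_util: list   # Step 3: monthly average of daily peak utilization, in %
    max_usable: float         # Step 4: maximum usable capacity in %, below maximum possible
    forecast_load: dict = field(default_factory=dict)  # Steps 5-6: {months from now: added %}


def linear_trend(values):
    """Least-squares (slope, intercept) for equally spaced monthly samples."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two measurements to fit a trend")
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(values))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def projected_util(res, months_ahead, include_forecast=True):
    """Step 7: trend value months_ahead after the last sample, plus forecast load due by then."""
    slope, intercept = linear_trend(res.monthly_peak_util)
    last_index = len(res.monthly_peak_util) - 1
    organic = intercept + slope * (last_index + months_ahead)
    if not include_forecast:
        return organic
    return organic + sum(extra for due, extra in res.forecast_load.items()
                         if due <= months_ahead)


def months_until_exhausted(res, horizon=48, include_forecast=True):
    """Step 8: first month in which projected utilization reaches the usable ceiling.

    Returns None when the ceiling is not reached within the horizon (flat or
    falling trends included)."""
    for month in range(horizon + 1):
        if projected_util(res, month, include_forecast) >= res.max_usable:
            return month
    return None


def capacity_report(resources, horizon=48):
    """Rows of (name, current headroom in %, months to exhaustion), soonest first."""
    rows = []
    for res in resources:
        headroom = res.max_usable - res.monthly_peak_util[-1]
        rows.append((res.name, headroom, months_until_exhausted(res, horizon)))
    # Resources that do not run out within the horizon sort last.
    return sorted(rows, key=lambda r: (r[2] is None, r[2] if r[2] is not None else 0))


# Constructed sample: six monthly measurements per resource. The server gains an
# extra 8% load in month 6 from a forecast new workload; the link has no forecast.
SAMPLE = [
    Resource("cbs-db-server-cpu", [50, 52, 54, 56, 58, 60], 85.0, {6: 8.0}),
    Resource("branch-wan-link", [40, 41, 40, 42, 41, 42], 80.0),
]

if __name__ == "__main__":
    for name, headroom, months in capacity_report(SAMPLE):
        when = f"in {months} months" if months is not None else "not within 48 months"
        print(f"{name}: headroom {headroom:.0f}%, usable capacity exhausted {when}")
```

For the sample server, the forecast workload moves the exhaustion point from month 13 (trend alone) to month 9, which is the effect Step 7 is meant to expose.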

4.1.9.1 Capacity management

The process provides the framework and guidelines that can be adapted by banks
to ensure that cost-justifiable IT capacity exists and matches current and
future agreed business requirements as identified in the Service Level
Agreement.

The Capacity Management process provides guidelines to:

• Produce and maintain a capacity plan that reflects the current and future
  business requirements.
• Manage service performance so that it meets or exceeds the agreed
  performance targets.
• Diagnose and resolve performance and capacity-related incidents
  and problems.
• Assess the impact of all changes on the capacity plan and performance of IT
  services supported by IT Operations.
• Ensure that pro-active measures are undertaken to improve the
  performance of services, whenever it is cost-justifiable.

One of the key activities defined as a part of the capacity management process
is to produce and maintain, on an ongoing basis, the capacity plan, which
depicts the current level of resource utilization and service performance.
Capacity plans can also include forecasting future requirements to support
business activities. The process can be subdivided into three:

Business Capacity Management: Defines guidelines for translating
business-need plans into requirements for IT services and supporting
infrastructure, ensuring that the future business requirements for IT services
are quantified, designed, planned and implemented. Inputs for future IT
requirements come from the Service Portfolio and Demand Management.

Service Capacity Management: This defines guidelines for management,
control and prediction of end-to-end performance and capacity of live and
operational IT service usage and workloads. It provides guidelines to ensure
that the performance of IT services is monitored and measured.

Component Capacity Management: It defines guidelines to identify and
understand the performance, capacity and utilization of each individual
component within a technology used to support IT services, including
infrastructure, environment, data and applications.

A major difference between the sub-processes is in the data that is being
monitored and collected. For example, the level of utilization of individual
components in the infrastructure (processors, disks and network links) will be
under Component Capacity Management, while transaction throughput rates and
response times will be under Service Capacity Management. Business Capacity
Management will be concerned with data specific to business volumes. Banks
adapting the capacity management process should ensure that its framework
encompasses all areas of technology (hardware, software, human resource,
facilities, etc.).

4.1.9.2 Availability management

Availability and reliability of IT services can directly influence customer
satisfaction and the reputation of banks. Therefore Availability Management is
essential in ensuring that IT delivers the "right level" of service required by
a business to satisfy its objectives. The process provides a framework and
guidelines that can be adapted by banks to ensure that the level of service
availability (for all services) matches or exceeds the current and future
requirements, as defined in the Service Level Agreement.

The Availability Management process provides guidelines so that banks can:

• Produce and maintain an appropriate up-to-date Availability Plan that
  reflects the current and future needs of the business
• Ensure that service availability achievements meet or exceed agreed
  targets, by managing services and resources-related availability targets
• Assist with diagnosis and resolution of availability-related incidents and
  problems
• Ensure that pro-active measures to improve the availability of services are
  implemented wherever it is cost-justifiable to do so

When implementing Availability Management processes, banks should consider
including the following:

• All operational services and technology, supported by the IT Operations
  function and for which there is a formal Service Level Requirement (SLA).
• New services where SLAs have been established.
• Aspects of IT services and components that may impact availability, which
  may include training, skills, process effectiveness, procedures and tools.

The Availability Management process has two key elements:

• Reactive activities: The reactive aspect of availability management involves
  monitoring, measuring, analysis and management of events, incidents,
  problems and changes involving unavailability.
• Proactive activities: This aspect involves planning, design and
  improvement of availability.

4.1.9.3 Supplier management

Complex business demands require extensive skills and capabilities from IT to
support business processes; therefore collaboration with service providers and
value networks is an integral part of an end-to-end business solution. The
Supplier Management process provides a framework and guidelines that can be used
by banks to manage relationships with vendors, suppliers and contractors. This
framework ensures that suppliers and the services they provide are managed to
support IT service targets and business expectations. The purpose of this
management process is to obtain value for money from suppliers, and to ensure
that suppliers perform to the targets contained within contracts and agreements,
while conforming to all terms and conditions.

The Supplier Management process provides guidelines which can be used by
banks for:

• Implementation and enforcement of supplier policies.
• Maintenance of supplier and contract database.
• Supplier and contract categorization and risk assessment.
• Supplier and contract evaluation and selection.
• Development, negotiation and agreement of contracts.
• Contract review, renewal and termination.
• Management of suppliers and supplier performance.
• Agreement and implementation of service and supplier improvement
  plans.
• Maintenance of standard contracts, terms and conditions.
• Management of contractual dispute resolution.
• Management of sub-contracted suppliers.

4.1.9.4 Event management

Event Management process provides the guidelines which can be used by banks
to define a framework for monitoring all the relevant events that occurs through
the IT infrastructure. It provides an entry point for the execution of many Service
Operations processes and activities.

Event can be defined as any detectable or discernible occurrence that has


significance for the management of IT infrastructure, or delivery of IT

235
services. Event Management framework when defined will have two mechanisms
for monitoring, these are:

Active Monitoring: Active monitoring is related to polling of business


significant Configuration Items to determine their status and availability. Any
diversion from normal status should be reported to appropriate team for an
action.

Passive Monitoring: Passive monitoring detects and correlates operational


alerts or communications generated by Configuration Items.

Event Management can be applied to any aspect of Service Management that needs
to be controlled. These components can be:

• Configuration Items
• Environment conditions
• Software license monitoring
• Security breaches

An Event Management portfolio can have different kinds of events, some of these
are:

Informational: Events signifying regular operations, for instance a
notification that a scheduled job has completed.

Warning: Events signifying deviation from the normal course of action, for
instance a user attempting to log in with an incorrect password. Exceptional
events will require further investigation to determine the environment which
may have led to the exception.

Exceptions: Events that are unusual and may require closer monitoring. In some
cases the condition resolves itself: for instance, with an unusual combination
of workloads, normal operations are restored as the workloads complete. In
other cases, operations intervention will be required if the situation is
repeated.
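The classification and escalation described above, sketched as an added example that is not part of the course material: passive alerts and active poll results are sorted into the three event kinds, and repeats are escalated. The event kind names, CI names, the 10-minute window and the threshold of three are assumptions, and the alert lines are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed event kinds mapped to the three categories named in the text.
CATEGORY = {
    "JOB_COMPLETED": "informational",
    "LOGIN_FAILED": "warning",
    "WORKLOAD_UNUSUAL": "exception",
    "CI_STATUS_DEVIATION": "exception",
}
REPEAT_WINDOW = timedelta(minutes=10)  # assumed correlation window
WARNING_LIMIT = 3                      # assumed: 3 repeats turn a warning into an exception


@dataclass(frozen=True)
class Event:
    time: datetime
    ci: str            # Configuration Item the event concerns
    kind: str
    detail: str = ""   # e.g. user id, job name or polled status
    source: str = "passive"


def parse_alert(line):
    """Passive monitoring: parse one 'time ci kind [detail]' alert sent by a CI."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"malformed alert: {line!r}")
    detail = parts[3] if len(parts) > 3 else ""
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], detail)


def poll(now, statuses, normal="up"):
    """Active monitoring: report every polled CI whose status deviates from normal."""
    return [Event(now, ci, "CI_STATUS_DEVIATION", status, "active")
            for ci, status in sorted(statuses.items()) if status != normal]


def correlate(events):
    """Return (event, category, action) for each event, escalating repeats."""
    recent = defaultdict(deque)   # (ci, kind, detail) -> times inside the window
    results = []
    for ev in sorted(events, key=lambda e: e.time):
        # Unknown kinds are unusual by definition, so treat them as exceptions.
        category = CATEGORY.get(ev.kind, "exception")
        seen = recent[(ev.ci, ev.kind, ev.detail)]
        while seen and ev.time - seen[0] > REPEAT_WINDOW:
            seen.popleft()
        seen.append(ev.time)
        if category == "informational":
            action = "log"
        elif category == "warning" and len(seen) < WARNING_LIMIT:
            action = "review"
        elif category == "warning":
            # A warning that keeps repeating is no longer routine.
            category, action = "exception", "investigate"
        else:
            # Exceptions need investigation; repeated ones need intervention.
            action = "intervene" if len(seen) > 1 else "investigate"
        results.append((ev, category, action))
    return results


# Constructed sample alerts (not real logs).
SAMPLE_ALERTS = """\
2023-01-05T21:00:00 cbs-batch01 JOB_COMPLETED day-end
2023-01-05T21:02:10 cbs-app01 LOGIN_FAILED teller17
2023-01-05T21:02:40 cbs-app01 LOGIN_FAILED teller17
2023-01-05T21:03:05 cbs-app01 LOGIN_FAILED teller17
2023-01-05T21:20:00 cbs-app01 LOGIN_FAILED teller22
2023-01-05T21:30:00 cbs-db01 WORKLOAD_UNUSUAL batch-overlap
2023-01-05T21:36:00 cbs-db01 WORKLOAD_UNUSUAL batch-overlap
"""


def run_sample():
    """Merge the passive alerts with one active poll and correlate them."""
    events = [parse_alert(line) for line in SAMPLE_ALERTS.splitlines() if line.strip()]
    events += poll(datetime(2023, 1, 5, 21, 40),
                   {"cbs-app01": "up", "branch-router-07": "down"})
    return [(e.ci, e.kind, cat, act) for e, cat, act in correlate(events)]


if __name__ == "__main__":
    for row in run_sample():
        print(*row)
```
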

Incident management

An incident is an unplanned interruption to an IT service, or a reduction in
the quality of an IT service. Failure of a configuration item that has not yet
impacted service shall also be an incident.

The Incident Management process provides guidelines that banks can implement
for the management of incidents, so that service operations are restored as
quickly as possible and the adverse impact on business operations is minimised.
The primary objective of the Incident Management procedures is to ensure the
best possible level of service quality and availability.

Problem management

The Problem Management process provides a framework which banks can implement
to minimise the adverse impact of incidents on the IT infrastructure and the
business by identifying root causes, logging errors, providing and
communicating workarounds, finding permanent solutions, and preventing
recurrence of incidents related to these errors. Problem Management increases
the stability and integrity of the infrastructure.

The Problem Management process includes the activities required to diagnose the
root causes of incidents and to determine a resolution to these underlying
problems. Problem management procedures also include implementation of the
resolution through Change Management procedures and Release Management
procedures. This also includes appropriate turnaround and resolutions for
incidents that cannot be resolved due to business cases or technical
shortfalls. Periodic trend analysis of the problems in respect of systems or
customer-facing channels may be carried out and appropriate action may be
taken.

4.1.10 Let us sum up

Banks have computerized their front-end and back-end operations using complex
IT infrastructure. However, the IT resources and processes involved in banking
operations must have strong IT governance. IT governance provides the
standards, best business practices, rules and procedures, and the means of
adhering to them consistently, for effectively managing the operations of an
organization. Establishing IT governance is vital in banks and it will help
ensure that banking operations reach the Indian masses. There are various
stakeholders of IT Governance such as the Board of Directors, IT Strategy
Committees, CEOs, Business Executives, Chief Information Officers (CIOs), Chief
Risk Officers, Risk Committees etc. IT Resource Management, Application
Management, Change Management, Capacity Management, Availability Management,
Supplier Management, Event Management, Incident Management and Problem
Management are some of the critical areas which should be covered in the IT
Governance of an organization.

4.1.11 Key words

Governance, DCCBs, ECS, NEFT, RTGS, ATM, CEOs, CIOs, UPS, CPU, UAT and
SLA

4.1.12 Know your progress questions

1. Who need not be the stakeholders in IT governance in banks?

a. Board of Directors
b. Shareholders
c. CEO
d. Business Executives

2. Which one of the following supports may not be provided by the outsourced
vendors?

a. Level 1 support to handle routine activities
b. Level 2 support to handle periodic activities
c. Support for preventive maintenance
d. Level 3 support in case of breakdown of the system

3. Which one of the following events is not covered under Event Management
portfolio?

a. Informational events
b. Warning events
c. Exception events
d. Error events

4. Which one of the following is not included in capacity management process?

a. Business capacity management
b. Service capacity management
c. System capacity management
d. Component capacity management

5. The primary objective of change management procedures is to ensure
assessment of:

a. Risks
b. Change authorization and change impact
c. Business Continuity
d. All the above

Key to questions

1.b 2.a 3.d 4.c 5.d

4.1.13 Terminal questions

• Explain in detail the need for change management and the components required
to be included in a change management policy.
• Explain the steps involved in Capacity Planning.

4.2 Lesson No. 2 Operations management

4.2.1 Objectives
4.2.2 Introduction: Operations Management
4.2.3 Work Load Scheduling
4.2.4 Daily Activities
4.2.5 Monthly/Quarterly Activities
4.2.6 System Maintenance Activities
4.2.7 Network Service Activities
4.2.8 Regular Staff Training
4.2.9 Let us sum up
4.2.10 Key words
4.2.11 Check your progress-questions
Key to Check your progress
4.2.12 Terminal questions

4.2.1 Objectives

The objectives of this lesson are to understand

• The operational part of management
• The monitoring techniques and continuous training to employees

4.2.2 Introduction

In an IT environment, we need to ensure that operations run smoothly without
impacting the services offered to customers. The task is a challenging and
daunting one because Core Banking Solutions (CBS) assure banking services round
the clock, 24/7, 365 days a year.

Total operations include many areas as given below:

• Smooth running of the hardware at the branches and at the data centre;
• Uninterrupted connectivity from branches to the data centre;
• Smooth functioning of the core banking solutions as well as collaborative
systems such as mailing systems;
• Consistent performance by the system in terms of input/output ratio;
• Completion of routine batch type tasks in a given span of time;
• Constant upgrading of human skill sets by imparting training at all levels.

4.2.3 Work load scheduling

Scheduling refers to a set of policies and mechanisms to control the order of work
to be performed by a computer system. Of all the resources in a computer system
that are scheduled before use, the CPU is by far the most important.
Multiprogramming is the (efficient) scheduling of a CPU. The basic idea is to
keep the CPU busy as much as possible by executing a (user) process until it must
wait for an event, and then switch to another process.

Before undertaking load scheduling, the following issues need to be answered:

• Do the business demands vary according to the time of day?
• What tasks are required to satisfy business demands?

In banks where a Core Banking Solution is in place, the following activities
require scheduling to avoid overloading a system.
4.2.4 Daily activities

• Day begin and day end operations;
• Batch processes involving uploading of files related to inward and outward
clearing, NEFT and salary schedules of various companies;
• Execution of standing instructions and running files related to ECS (DR &
CR);
• Downloading of reports to branches.

4.2.5 Monthly/quarterly activities

• Interest calculations on deposit as well as advances accounts;
• Application of service charges;
• NPA processes;
• Consolidation of accounts.

The identified activities have to be scheduled (i.e., executed) such that the
transaction-related activities at the branches and on the other delivery
channels are not hampered.

4.2.6 System maintenance activities

Apart from the functional activities stated above, the following maintenance
activities also have to be scheduled.

• Updating of anti-virus patches and running of a total scan on the servers and
nodes;
• Updating of patches received for the operating system;
• As far as possible, the above activities are carried out at night, when the
leased lines connecting the branches are not utilized;
• Rebuilding of indexes and such other activities as regards maintenance of
the hardware. This activity is usually carried out after heavy changes in the
database due to activities such as interest/charges application.
• Preventive maintenance of hardware at branches and at data centres; this has
to be carried out after office hours or at night. Proper notice is to be given
to all the stakeholders if the downtime required is very high.
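A pre-check for the kind of batch and maintenance plan described in 4.2.4 to 4.2.6, as an added example that is not part of the course material: it flags heavy jobs that run into branch business hours, jobs that start before a prerequisite has finished, and heavy jobs that overlap. The job names and times, the 09:00 to 18:00 business hours and the rule that heavy jobs must not overlap are assumptions.

```python
from dataclasses import dataclass

DAY = 24 * 60
# Assumed branch transaction hours in minutes after midnight (not from the text).
OPEN, CLOSE = 9 * 60, 18 * 60


def at(hhmm, day=0):
    """Convert 'HH:MM' on a given plan day to minutes since the plan started."""
    hours, minutes = hhmm.split(":")
    return day * DAY + int(hours) * 60 + int(minutes)


@dataclass
class Job:
    name: str
    start: int           # minutes since 00:00 on day 0 of the plan
    duration: int        # minutes
    heavy: bool = True   # loads the CBS servers or the branch leased lines
    after: tuple = ()    # jobs that must have finished before this one starts

    @property
    def end(self):
        return self.start + self.duration


def business_minutes(job):
    """Minutes of the job that fall inside business hours, also across midnight."""
    total, day = 0, job.start // DAY
    while day * DAY < job.end:
        opens, closes = day * DAY + OPEN, day * DAY + CLOSE
        total += max(0, min(job.end, closes) - max(job.start, opens))
        day += 1
    return total


def check_plan(jobs):
    """Return (job, problem, detail) findings for a proposed schedule."""
    findings, by_name = [], {job.name: job for job in jobs}
    for job in jobs:
        clash = business_minutes(job)
        if job.heavy and clash:
            findings.append((job.name, "runs-in-business-hours", clash))
        for name in job.after:
            earlier = by_name.get(name)
            if earlier is None:
                findings.append((job.name, "unknown-prerequisite", name))
            elif earlier.end > job.start:
                findings.append((job.name, "starts-before-end-of", name))
    # Heavy jobs running at the same time risk overloading the system.
    busy_until, busy_with = -1, None
    for job in sorted((j for j in jobs if j.heavy), key=lambda j: j.start):
        if job.start < busy_until:
            findings.append((job.name, "overlaps", busy_with))
        if job.end > busy_until:
            busy_until, busy_with = job.end, job.name
    return findings


def sample_plan():
    """Constructed month-end plan with two deliberate scheduling mistakes."""
    return [
        Job("day-end", at("19:00"), 60),
        Job("interest-application", at("20:00"), 180, after=("day-end",)),
        Job("index-rebuild", at("22:30"), 90, after=("interest-application",)),
        Job("antivirus-full-scan", at("00:30", day=1), 540),
        Job("report-download", at("08:30", day=1), 60, heavy=False),
    ]


def fixed_plan():
    """The same plan with the rebuild moved later and the scan shortened."""
    plan = sample_plan()
    plan[2].start = at("23:00")
    plan[3].duration = 480
    return plan


if __name__ == "__main__":
    for finding in check_plan(sample_plan()):
        print(*finding)
    print("fixed plan findings:", check_plan(fixed_plan()))
```
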

4.2.7 Network service management

Network service management involves activities pertaining to the operation,
administration, maintenance, and provisioning of networked systems, defining
the procedures and practices, and using the available tools and solutions for
it.

• We need to ensure that the network or the connectivity between branches and
a data centre is up and running without any disruptions;
• The priorities should be set to ensure the usage of bandwidth as per the job
requirement. In a bank, the core banking application at the branches is of
prime importance. The dedicated bandwidth for the purpose should be made
available as per the requirement specifications provided by the software
developer.
• The network equipment has to be maintained at regular intervals to avoid
downtime.

Network management is a crucial and critical activity for all organizations
including banks. It is to be noted that the connectivity between branches and
the data centre is provided by telecom service providers. Initially, point to
point connectivity was provided by the service providers. The backup line used
to be an Integrated Services Digital Network (ISDN) line. Point to point
connectivity has its disadvantages. The probability of failure of a leased
line is relatively high when compared with the newer technology called
Multi-Protocol Label Switching (MPLS) connectivity. Though backup in the form
of ISDN connectivity is provided, in most cases when the leased line
connectivity fails, the ISDN connectivity is also not available and the
connectivity is disrupted. MPLS connectivity has given relief in as much as it
has ensured very high availability of the connection between branches and a
data centre. Despite this, it is recommended to have alternative lines as
backup, preferably from a different service provider.

The Service Level Agreements (SLAs) have to cover the maintenance of leased
lines and the related equipment. The performance of leased lines should be
monitored as documented in the SLAs.

Different tools are available for managing networks. The service providers too
provide dashboards which give adequate insights for managing a network
efficiently.

4.2.8 Regular staff training

Training is to be provided on a continuous basis to impart skill sets to
existing as well as new employees. Training is to be provided in the following
areas:

Functional training

In this type of training, users at branches and at the data centre are to be
taught about the functionality provided in the Core Banking application and
other applications. They should also be educated with regard to the
dependencies and/or the pre-requisites while using the CBS functionalities.

Database training

Training in this area is to be given to the DBAs at a data centre. Besides the
training on database features and the periodic maintenance that is to be
carried out, they need to be educated about the reports generated in the system
and how those reports are to be studied. In an Oracle database, you can
generate a report every hour which is a detailed document on the performance of
the database and also gives recommendations for improved performance. DBAs are
also to be briefed about the business requirements and business plans of the
bank and the expected rise in business volumes, to enable them to translate
these into transaction volumes and their impact on database performance.

Network training

The team is to be briefed about the features of routers and switches, how the
priorities have been set, the SLAs finalized with telecom service providers,
and the features of the dashboard provided by a service provider and how it is
to be analyzed.

Managerial training

The executive team of a bank should be updated on the SLAs from different
vendors and on control points such as the logs and audit trails generated in a
system and their utility for monitoring purposes. They should be briefed about
the Business Continuity Plan for ensuring continuity in operations in case of
disaster.

4.2.9 Let us sum up

As most of banks’ operations are carried out with the help of Information
Technology, banks have to ensure smooth functioning of these operations
without any disruptions or breakdowns. The motive of banks should be to
provide effective and efficient services to customers by ensuring hassle-free
operations. Core Banking Solutions offer 24X7 banking operations and hence it
is a daunting task to keep all IT systems running round the clock without any
failures. Operations Management includes work load scheduling, daily
activities, monthly/quarterly activities, system maintenance activities,
network service management etc. To achieve efficiency and effectiveness in the
operations of banks in a high availability environment, the staff should be
provided with regular training such as functional training, database training,
managerial training and network training.

4.2.10 Key words:

CBS, CPU, NEFT, ECS, NPA, ISDN, MPLS, SLA, AWWR, DBA

4.2.11 Know your progress questions

1. Which one of the following is not a daily activity with respect to
operations management?

a. Day begin
b. Day end
c. Standing instruction executions
d. Ledger folio charges recovery

2. Which one of the following is not a periodic activity in operations
management?

a. Interest application
b. Charges recovery
c. NPA Identification
d. Renewal of maturing deposits

3. Database training is to be given to the employees concerned to perform
which one of the following activities?

a. Monitor the performance of data
b. Carry out the maintenance activity periodically
c. To avoid unauthorized access of a database and do modifications of data
d. All of the above

4. Network training is useful for

a. Monitor the performance of data
b. Utilizing all the resources from all locations as per the set rules
c. Making sure no broadcasting is happening from any server
d. All of the above

5. Which one of the following is not a system maintenance activity?

a. Updating the anti-virus patches
b. Executing Interest application process
c. Updating the operating system patches
d. Rebuilding indexes on databases after heavy inserts due to periodic
operations

Key to questions asked

1.d 2.d 3.d 4.d 5.d

4.2.12 Terminal questions

• What are the activities involved in Bank operations that are to be carried
out periodically?
• What are the different types of training needed in an organization to manage
IT operations effectively?

4.3 Lesson No. 3 System and functionality performance

4.3.1 Objectives
4.3.2 Introduction
4.3.3 Functions of Systems Components
4.3.4 Functions of database
4.3.5 Security Management
4.3.6 Back Up and Recovery Management
4.3.7 Data Integrity Management
4.3.8 Monitoring Performance with Task Manager
4.3.9 Let us sum up
4.3.10 Key words
4.3.11 Check your progress-questions
Key to Check your progress
4.3.12 Terminal questions

4.3.1 Objectives

The objectives of this lesson are to understand

• The functions of various components involved in IT operations and
• The tools that can be used to monitor performance.

4.3.2 Introduction

The integration of hardware, software and network makes up a system in an
organization. We need to understand the functionality of each component and
the tools available to monitor the performance of these components.

4.3.3 Functions of system components

Software is a general term used to describe a collection of computer programs,
procedures, and documentation that perform some task on a computer system.
Software is a sequence of instructions given in an orderly manner for changing
the state of computer hardware in a particular order. Software is divided into
two classes: system software and programming software.

System software refers to the files and programs that make up a computer's
operating system. System files include libraries of functions, system
services, drivers for printers and other hardware, system preferences, and
other configuration files. The programs that are part of system software
include assemblers, compilers, file management tools, system utilities, and
debuggers. Programming software, or just software, is a general term used to
describe the role that computer programs, procedures and documentation play in
a computer system. The term includes:

• Application software such as database programs, word processors and
spreadsheets, which perform productive tasks for users.
• Firmware, which is a software program that resides in electrically
programmable memory devices on motherboards or in integrated chips (ICs).
• Middleware, which controls and co-ordinates distributed systems.
• Testware, which is meant to include all utilities and application software
that serve in combination for testing a software package.

Hardware is best described as a device that is physically connected to a
computer or something that can be physically touched. A CD-ROM, monitor,
printer, and video card are all examples of computer hardware.

The four functions of hardware are:

• To receive input from interactive devices such as a keyboard, mouse, touch
screen etc.;
• To do the processing as per the instructions received through input, using
the requisite programs loaded in the computer;
• To display the output on a monitor, to print it on an attached printer, or to
mail or fax it as per the instructions received;
• To store the output as per the instructions of the user.

4.3.4 Functions of database

In its most basic form, a database program must be able to add, delete and edit
records in the tables which make up a database, and to search for specific
records in those tables using different search criteria. In most cases, user
authentication is also required.

The Database Management System (DBMS) performs the following functions:

• Data Dictionary Management
The data dictionary stores the definitions of data elements and their
relationships. This information is termed metadata. The metadata includes the
definition of data, data types, relationships between data, integrity
constraints etc. Any changes made in a database structure are automatically
reflected in the data dictionary.
• Data Storage Management
The DBMS creates the complex structures required for data storage. Users are
thereby freed from defining, programming and implementing the complex physical
data characteristics.
• Data Transformation and Presentation
The DBMS supports data independence. Hence the DBMS translates logical requests
into commands that physically locate and retrieve the requested data. The DBMS
formats the physically retrieved data according to the logical data format
specifications and presents it to users.

4.3.5 Security management

The DBMS creates a security system that enforces user security and data privacy
within a database. Security rules determine the access rights of database users.
Read/write access is given to users using the security management tool of a
DBMS.

4.3.6 Multiuser access control

The DBMS ensures that multiple users can access a database concurrently
without compromising the integrity of the database. Hence the database ensures
data integrity and data consistency.

4.3.7 Backup and recovery management

The DBMS provides backup and data recovery procedures to ensure data safety
and integrity. DBMS also provides special utilities which allow a DBA to perform
routine and special backup and restore procedures. Recovery Management deals
with the recovery of a database after a system failure.

4.3.8 Data integrity management

The DBMS promotes and enforces integrity rules to eliminate data integrity
problems, thus minimizing data redundancy and maximizing data consistency.

Database access languages and application interface

The DBMS provides data access via Structured Query Language (SQL). SQL is a
non-procedural language; that is, a user only needs to specify what must be
done without specifying how it is to be done. The DBMS's query language
contains two components: a data definition language (DDL) and a data
manipulation language (DML). The DBMS also provides data access to programmers
via programming languages.

Database communication interfaces

Different users may access a database through a network environment, so a DBMS
provides access to the database through a network environment.

Database performance monitoring and monitoring tools

Performance optimization is an art in that every user has different needs, every
configuration has different operating parameters, and every system can react in a
unique and unpredictable way to performance tweaks. That means if you want to
optimize your system, you have to get to know how it works, what it needs, and
how it reacts to changes. Usually, the operating system gives you a good set of tools
to improve and monitor performance, diagnose problems, and keep your data
safe.

In the following paragraphs performance monitoring capabilities as provided in
Windows7 are explained.

Windows7 has a System Assessment Tool, or WinSAT. This tool runs during
setup, and again whenever you make major performance-related hardware
changes to your system. It focuses on four aspects of system performance: i.e.,
graphics, memory, processor, and storage. For each of these sub-systems,
WinSAT maintains a set of metrics stored as an assessment in XML format.
Windows7 needs to examine only the latest assessment to see what features a
computer can support. Note that third-party programs can use an application
programming interface that gives them access to the assessments, so developers
can tune program features depending on the WinSAT metrics.

The following five metrics are used in WinSAT:

• Processor: This metric determines how fast a system can process data. The
Processor metric measures calculations per second processed.
• Memory (RAM): This metric determines how quickly a system can move large
objects through memory. The Memory metric measures memory operations per
second.
• Graphics: This metric determines a computer's capability to run a composite
desktop like the one created by the Desktop Window Manager. The Graphics
metric is expressed in frames per second.
• Gaming Graphics: This metric determines a computer's capability to render 3D
graphics, particularly those used in gaming. The Gaming Graphics metric
expresses effective frames per second.
• Primary Hard Disk: This metric determines how fast a computer can write to
and read from a hard disk. The Primary Hard Disk storage metric measures
megabytes per second.

In addition to WinSAT, Windows7 comes with a Performance Rating tool that
rates a system based on its processor, RAM, hard disk, regular graphics, and
gaming graphics.

Windows7 supplies a sub-score for each of the above five categories and
calculates an overall base score. You can get a new rating (for example, if you
change performance-related hardware) by clicking the Re-run the Assessment
link. Interpreting the ratings is an art which one learns by experience, but
the following points apply:

• In general, the higher the rating, the better the performance.
• The lowest possible value is 1.0.
• The highest possible value is 7.9 (up from 5.9 in Windows Vista, which is a
reflection of hardware improvements over the past few years).
• The base score takes a weakest-link-in-the-chain approach. That is, you
could have nothing but 5.0 scores for everything else, but if you get just 1.0
because your notebook can't do gaming graphics, your base score will be 1.0.

4.3.9 Monitoring performance with task manager

The Task Manager utility is excellent for getting a quick overview of the current
state of a system. To get it onscreen, press Ctrl+Alt+Delete to open the Windows
Security screen and then click the Start Task Manager link.

The Processes tab displays a list of programs, services, and system components
currently running on a system. (By default, Windows7 shows just the processes
that were started. To see all the running processes, click Show Processes from All
Users.) The processes are displayed in an order in which they were started, but
one can change the order by clicking the column headings. (To return to the
original, chronological order, you must shut down and restart Task Manager.)

The graphs show both the current value and the values over time of the CPU
usage (the total percentage of CPU resources that your running processes are
using) and the physical memory usage. Below the graphs, the following values
are displayed:

• Physical Memory Total;
• Physical Memory Cached;
• Physical Memory Free;
• Kernel Memory Paged;
• Kernel Memory Non-paged;
• System Handles;
• System Threads;
• System Processes;
• System Up Time.

If the Physical Memory Free value approaches zero, it means your system is
starving for memory. You might have too many programs running, or a large
program is using lots of memory.

If the Physical Memory Cached value is much less than half the Physical Memory
Total value, it means your system isn't operating as efficiently as it could because
Windows7 can't store enough recently used data in memory. Since it gives up
some of the system cache when it needs RAM, to maintain the required cache one
may close down programs that are not needed.

In all of these situations, the quickest solution is to reduce the system's memory
footprint by closing either documents or applications. For the latter, use the
Processes tab to determine which applications are using the most memory and
shut down the ones which can be done away with for the present. The better, but
more expensive, solution is to add more physical RAM to your system. This
decreases the likelihood that Windows7 will need to use the paging file, and it
enables Windows7 to increase the size of the system cache, which greatly
improves performance.

If you're not sure which process corresponds to which program, display the
Applications tab, right-click a program, and then click Go to Process. Task
Manager displays the Processes tab and selects the process that corresponds to a
program.

Using the resource monitor

Windows7 comes with a new tool for monitoring your system yourself: the
Resource Monitor. (It's actually a standalone (and revamped) version of the
Resource Monitor from Windows Vista.) You load this tool by selecting Start,
typing monitor, and then clicking Resource Monitor in the search results.

The Performance Monitor provides you with real-time reports on how various
system settings and components are performing. You load it by selecting Start,
typing performance, and then pressing Enter to choose Performance Monitor in
the search results. In the Performance Monitor window, open the Monitoring
Tools branch and click Performance Monitor.

Performance Monitor displays real-time data using performance counters, which
are measurements of system activity or the current system state. For each
counter, Performance Monitor displays a graph of recent values over a time
space (the default time space is 100 seconds), as well as statistics such as
the average, maximum, and minimum values over that span.

4.3.10 Let us sum up

The integration of hardware, software and computer networks forms a complete
IT system in an organization. Since there are various IT systems used in
banks, one should know the functionality of each component of these systems.
One should also be aware of the tools available to monitor the performance of
the various components of IT systems. The components used in IT systems are
hardware, software, networking, DBMSs etc. Hardware refers to the physical
aspects of IT systems, and software is a set of instructions given in an
orderly manner to carry out a particular task. A DBMS is a software program
which provides functions such as data definition and data manipulation. A DBMS
also provides other functions such as Data Dictionary Management, Data Storage
Management, Data Transformation and Presentation, Security Management,
Multiuser Access Control, Backup and Recovery Management, Data Integrity
Management etc. Various tools are available to monitor the performance of
hardware components such as CPU, memory, hard disk etc. Based on the
performance reports of these components, one can decide whether or not to
upgrade them.

4.3.11 Key Words

System, Software, Hardware, CD-ROM, Monitor, Printer, Database, DBMS, DDL,
DML, Windows7, WinSAT, Processor, Memory, Graphics, CPU, RAM

4.3.12 Know your progress questions

1. Which one of the following functions are performed by computer hardware?

a. To receive Input
b. To do the processing as per the instructions received
c. To display the output on a monitor or to print it
d. All of the above

2. WINSAT does not use which one of the following metrics?

a. External drive
b. Processor
c. Hard disc
d. Memory

3. Database management system performs which one of the following functions?

a. Data Dictionary Management
b. Data Storage Management
c. Data Transformation and Presentation
d. All the above functions

4. DBMS provides access to data through--------------

a. SQL (structured query language);
b. Visual Basic or .net program;
c. Window operating system;
d. C++ programs

5. DBMS query language has which of the following components?

a. Data definition language and Data Manipulation language
b. Data Definition language only
c. Data Manipulation language only
d. Meta data language

Key to questions

1.d 2.a 3.d 4.a 5.a

4.3.13 Terminal questions

• What are the different functions of Database System?
• What are the different tools used for monitoring the performance of a
system?

4.4 Lesson No. 4 IT Infrastructure Management

4.4.1 Objectives
4.4.2 Introduction
4.4.3 Risk Management of IT Infrastructure
4.4.4 Risk Categorisation
4.4.5 Risk Mitigation
4.4.6 Incident and Problems Management Practices
4.4.7 Business Continuity and Disaster Recovery Planning
4.4.8 BCP Methodologies
4.4.9 Testing a BCP
4.4.10 Let us sum up
4.4.11 Key words
4.4.12 Check your progress-questions
Key to Check your progress
4.4.13 Terminal questions

4.4.1 Objective

The objectives of this lesson are to understand

• The risk management techniques involved in managing IT infrastructure and
• The insights of Business continuity planning.

4.4.2 Introduction

In banks where a Core Banking Solution is deployed, IT infrastructure includes
the following:

• Data Centre: It houses production servers, storage units and application
servers, core routers and switches, besides environmental control equipment
such as precision air conditioners, fire alarm systems and fire extinguishing
systems.
• Desktops at branches and at the data centre;
• Databases, the Core Banking Application, middleware and other utility
services such as anti-virus tools, network management tools etc.;
• Messaging systems and IP based telephone systems.

The IT infrastructure has to be managed by providing the technical know-how
required so that organizational business processes run smoothly without any
disruptions. Broadly, it includes the following functions:

• To identify, develop and maintain the technical knowledge required to manage
and improve IT services
• To train people appropriately in various disciplines to effectively deploy,
deliver and operate IT infrastructure
• To document the skill sets available within an organisation and the skills
that need to be developed to manage IT infrastructure
• To define standards to be adopted when defining new IT architecture, and
involvement in the design and build of new services
• To carry out Risk Assessment for IT infrastructure architecture
• To carry out functionality and performance testing of IT services
• To define and manage event management tools

4.4.3 Risk management of IT infrastructure

IT infrastructure consists of human resources, hardware, software and the
implemented processes. They have to be assessed against different threats and
vulnerabilities. It is necessary to carry out a periodic risk assessment to
identify the risks, measure them and devise means to mitigate the risks so
identified. The threats encountered and vulnerabilities witnessed are
highlighted below. The list given is illustrative and not exhaustive:

Power cut and non-functioning of the generator: At a Data Centre, redundancy
should be built in by keeping two generators. The team has to keep continuous
watch to ensure that the generators are up and running. Mock drills should be
conducted once in a month by shutting off the power to check that the
generator starts working automatically. Apart from maintaining the generators,
the required fuel levels in the generator sets should be taken care of.

AC malfunctioning at a data centre, resulting in increased temperature, should
be attended to on a priority basis. Precision ACs are meant to maintain the
humidity and temperature required for production servers in a data centre.
Preventive maintenance of ACs at periodic intervals is a must so that
malfunctioning can be minimised. The number of ACs installed should be
adequate to provide redundancy. When redundancy in ACs is built in, all the
units need not run in parallel but can run in rotation. A similar approach
should be adopted for UPSs too.

Network Connectivity: Ideally, connectivity should be available from two
different vendors. If only one vendor has provided connectivity, the cable
points should come from different sources so that if one line is down, the
other takes over. Connectivity is one of the core and critical factors in a
data centre.

Production servers: These servers are the heart of a data centre. All kinds of
redundancies should be built in, and remote monitoring of these servers must
also be done by the vendor from whom they were procured. In case of any
trouble, the system should raise alarms so that corrective steps can be taken.
Technical experts have to continuously monitor the performance of these
servers and ensure that all patches and updates received for the operating
system and anti-virus are applied on a daily basis.

Application servers: Similar precautions are to be taken in the case of
application servers. Maintenance in the form of cleaning of disks and, if
required, formatting them at periodic intervals keeps the application servers
functioning without any problems.

Internal threats: Apart from the systemic issues, it is likely that a
disgruntled employee or an unauthorized person would tamper with systems to
disrupt their functioning. The entire area therefore has to be under CCTV
surveillance, and entry to and exit from a data centre should be restricted to
authorized persons only.

External threats: Hacking of a system by external entities to halt operations
cannot be ruled out. Unauthorised users may also take control of IT systems
from a remote location to stop operations. Firewalls and a security policy
have to be implemented and periodically reviewed and rechecked. Vulnerability
and penetration testing is to be carried out once in a quarter to ensure that
the network is safe and secure.

Thus, to summarize, we can say that we need to identify:

• Internal and external risks
• Risks associated with individual platforms, systems, or processes, as well
  as automated processing units

While identifying risks, a risk assessment process should quantify the
probability of a threat and vulnerability, and the financial consequences of
such an event. Banks should also consider the inter-dependencies between risk
elements, as threats and vulnerabilities have the potential to quickly
compromise inter-connected and inter-dependent systems and processes.
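The inter-dependency point above can be checked mechanically. The following added example (not part of the course material) models a data centre as a dependency graph with redundancy groups and lists every component whose single failure takes down a customer-facing service. The inventory, item names and layout are constructed assumptions.

```python
# Added example: single-point-of-failure check over a constructed inventory.
# Each item maps to a list of requirement groups. A group is satisfied when at
# least one of its members is up, so a group with two members models redundancy.
POWER = ["grid_power", "generator_1", "generator_2"]
UPS = ["ups_a", "ups_b"]
COOLING = ["precision_ac_1", "precision_ac_2"]

DEPENDS_ON = {
    "grid_power": [], "generator_1": [], "generator_2": [],
    "link_vendor_a": [], "link_vendor_b": [],
    "ups_a": [POWER], "ups_b": [POWER],
    "precision_ac_1": [POWER], "precision_ac_2": [POWER],
    "core_router": [UPS, ["link_vendor_a", "link_vendor_b"]],
    "db_server": [UPS, COOLING],
    "app_server_1": [UPS, COOLING, ["db_server"]],
    "app_server_2": [UPS, COOLING, ["db_server"]],
    "atm_switch": [UPS],
    # Customer-facing services (hypothetical names)
    "cbs": [["app_server_1", "app_server_2"], ["core_router"]],
    "atm_channel": [["cbs"], ["atm_switch"]],
}
SERVICES = ("cbs", "atm_channel")


def is_up(item, failed, deps, memo):
    """An item is up if it has not failed and every requirement group
    still has at least one member that is up."""
    if item in memo:
        return memo[item]
    memo[item] = False  # provisional value, also guards against cycles
    if item not in failed:
        memo[item] = all(
            any(is_up(member, failed, deps, memo) for member in group)
            for group in deps[item]
        )
    return memo[item]


def services_down(failed, deps=DEPENDS_ON, services=SERVICES):
    """Return the sorted list of services lost when `failed` items are down."""
    failed = frozenset(failed)
    memo = {}
    return sorted(s for s in services if not is_up(s, failed, deps, memo))


def single_points_of_failure(deps=DEPENDS_ON, services=SERVICES):
    """Fail each component on its own and record which services it takes down."""
    findings = {}
    for item in deps:
        if item in services:
            continue
        down = services_down({item}, deps, services)
        if down:
            findings[item] = down
    return findings


if __name__ == "__main__":
    for item, down in single_points_of_failure().items():
        print(f"{item}: single failure stops {', '.join(down)}")
    # The "power cut and non-functioning generator" scenario from the lesson
    print(services_down({"grid_power", "generator_1"}))
    print(services_down({"grid_power", "generator_1", "generator_2"}))
```

In this constructed layout the core router, the database server and the ATM switch have no alternate, while a power cut combined with one failed generator is survived because the second generator satisfies the power group.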

Banks should implement a cost-effective and risk-focused environment. The risk
control environment should provide guidance, accountability and enforceability,
while mitigating risks.

4.4.4 Risk categorization

As part of risk identification and assessment, banks should identify events or
activities that could disrupt operations, or negatively affect reputation or
earnings, and assess compliance with regulatory requirements.

4.4.5 Risk mitigation

Once an organisation has identified, analyzed and categorized the risks, it
should define the following attributes for each risk component:

• Probability of Occurrence;
• Financial Impact;
• Reputational Impact;
• Regulatory Compliance Impact;
• Legal Impact.

Besides the above specified attributes, an organisation should also consider
the following:

• Lost revenues
• Loss of market share
• Non-compliance with regulatory requirements
• Litigation probability
• Data recovery expenses
• Reconstruction expenses

These, along with the business process involved, should be used to prioritise
risk mitigation actions and the control framework.

4.4.6 Incident and problems management practices

In the technology environment in a bank, we have emphasized the importance of
uninterrupted functioning of a system for enabling 24/7 services to the
customers. Against this background, we need to understand incidents and how to
manage them.

An incident is an unplanned interruption to an IT service, or a reduction in
the quality of an IT service. Failure of a configuration item that has not yet
impacted services shall also be referred to as an incident.

There are two types of incidents that one comes across at a data centre and/or
at branches of banks.

Functional incidents:

Certain functions of IT systems may not be available for use during
implementation of a new release of software. It is likely that, during a
release, the person responsible for the work would disable certain options in
the system. In a banking environment, if the option for creating a limit
master is disabled due to a new release, users would be put to inconvenience.

A new bug may develop in existing functionality due to a new release. For
example, if TDS functionality is newly provided, interest calculation while
opening a new fixed deposit may go wrong because of it.

A change in interest rates decided by a bank may not be maintained in the
system, due to which the system may fetch old rates.

In all the above cases, users at branches are put to inconvenience. These
incidents may be treated as unplanned interruptions in the services. These
incidents can be mitigated if they are properly documented along with a root
cause analysis. Corrective action can then be taken to avoid recurrence of
such incidents in future.

Technical incidents:

Shutting down of air conditioners in a data centre by an unauthorized person
or a new person who is not in charge of infrastructure management.

Non-availability of adequate diesel for switching over to a generator in case
of power failure.

A DBA forgets the database administrator password and opens the envelope from
the safe where the password is stored.

Non-availability of leased line connectivity from the data centre to branches
for more than one hour.

Shutting down of servers or a router at a branch during repair work.

All the above-mentioned technical incidents too hamper the working of a bank
and may lead to denial of services to customers.

In most organizations where ISO standards are adopted, as per the change
management policy, such incidents are recorded as per the defined procedure
and reviewed by the concerned authorities for corrective action.

Problem Management

The Problem Management process provides a framework which can be implemented
by banks to minimise the adverse impact of incidents on the IT infrastructure
and the business by identifying root causes, logging known errors, providing
and communicating workarounds, finding permanent solutions, and preventing
recurrence of incidents related to these errors. Problem Management increases
the stability and integrity of the infrastructure.

The Problem Management process includes the activities required to identify
the root causes of incidents and to determine a resolution for these
underlying problems. Problem management procedures also include implementation
of the resolution through Change Management procedures and Release Management
procedures. This also includes appropriate turnaround and resolutions to
incidents that cannot be resolved due to business cases or technical
shortfalls. Periodic trend analysis of the problems may be carried out and
appropriate action taken in respect of customer-facing systems or channels.

Access Management

The Access Management process provides guidelines which can be implemented by
banks to limit access to IT services only to those individuals and
applications that are duly authorized based on organizational policies and
standards. Access Management enables an organization to manage the
confidentiality and integrity of its data, IT infrastructure, and applications.

System resiliency tools and techniques - Service Desk Management - Change
Management.

Service Desk Management

It is essential to provide a centre for handling requests and/or queries
received from users. Users of a system are not only the staff at branches, but
also the customers accessing the system through various delivery channels.
These customers are invisible customers. Therefore, the service desk has to be
more receptive and quick in responding to the queries of customers. For this
purpose, the staff at a service desk should be trained not only in behavioural
techniques, but also in functional skills.

Usually, the following kinds of queries and issues are to be addressed by
service desk staff:

Users generally encounter software bugs or errors in IT systems. These are
show stoppers which may halt operations at branches and are to be addressed
promptly by the error-resolving staff. In order to handle customers' queries
through the system effectively, the users should be adequately trained and
should be well versed in the systems.

Complaints from customers include non-availability of a service, either
through an ATM or on the internet, to carry out various transactions such as
withdrawals, balance enquiry, fund transfers, e-commerce payments, etc.

Change Management

Any change should be adopted as per the change management practice of an
organization; otherwise such a change may lead to an unpleasant incident.
Every organization has to have a change management policy in place. A change
has to be implemented after following the proper procedure as defined in the
change management policy.

If a software release which provides additional functionality is to be
implemented, the following steps should be completed before it is implemented:

• A certificate from a testing team is to be obtained. The testing team
  should have with it the business requirement document based on which the
  change is provided in a system by a vendor developer;
• Test conditions should be properly documented, and unit testing and
  regression testing must be carried out;
• The functional head should authorize the implementation of the change;
• The technology head should also approve the change;
• Authorized persons entitled to copy program files from production servers
  should do so after receiving a change request form duly signed by the
  authorities concerned;
• The persons concerned should be informed about a change which is going to
  be implemented in a system.

4.4.7 Business continuity and disaster recovery planning

The Core Banking application implemented in a bank is a mission-critical
application. Not only are all branches connected to it, but customers may also
access it through various delivery channels. After the Core Banking Solutions
are in place, banks are committed to provide banking services from any of
their branches and through other delivery channels on a 24/7 basis. Therefore,
the non-availability of a system would not only impact the goodwill and
reputation of a bank but would also create suspicion in the minds of customers
about its liquidity and solvency.

Every bank, therefore, is required as per RBI guidelines to put in place a
Business Continuity Plan. BCP forms a part of an organization’s overall
Business Continuity Management (BCM) plan, which is the “preparedness of an
organization”, which includes policies, standards and procedures to ensure
continuity, resumption and recovery of critical business processes at an
acceptable level and to limit the impact of a disaster on people, processes
and infrastructure (including IT); or to minimize the operational, financial,
legal, reputational and other material consequences arising from such a
disaster.

Effective business continuity management typically incorporates business
impact analysis, recovery strategies and business continuity plans, as well as
a governance programme covering a testing programme, training and awareness
programme, communication and crisis management programme.

A bank’s Board has ultimate responsibility for and oversight over the BCP
activities of a bank. The Board approves the Business Continuity Policy of a
bank. Senior Management is responsible for overseeing the BCP process, which
includes:

• Determining how an institution will manage and control identified risks.
• Allocating knowledgeable personnel and sufficient financial resources to
  implement a BCP.
• Prioritizing critical business functions.
• Designating a BCP committee which will be responsible for Business
  Continuity Management.
• The top management should annually review the adequacy of the
  institution's business recovery and contingency plans and the test
  results, and put up the same to the Board.
• The top management should consider evaluating the adequacy of contingency
  planning and its periodic testing by service providers whenever critical
  operations are outsourced.
• Ensuring that the BCP is independently reviewed and approved at least
  annually.
• Ensuring employees are trained and aware of their roles in the
  implementation of the BCP.
• Ensuring the BCP is regularly tested on an enterprise-wide basis.
• Reviewing the BCP testing programme and test results on a regular basis.
• Ensuring the BCP is continually updated to reflect the current operating
  environment.

The onus lies on the Board and Senior Management for generating detailed
components of the BCP in the light of an individual bank's activities, systems
and processes.

4.4.8 BCP methodology

Banks should consider looking at BCP methodologies and standards, namely BS
25999 by BSI, which follows the “Plan-Do-Check-Act Principle”.

BCP methodology should include:

Phase 1: Business Impact Analysis (BIA)

• Identification of critical businesses, owned and shared resources with
  supporting functions to come up with the Business Impact Analysis (BIA)
• Formulating Recovery Time Objectives (RTO), based on the BIA. These may
  also be periodically fine-tuned by benchmarking against industry best
  practices
• Critical and tough assumptions in terms of disaster, so that the framework
  would be exhaustive enough to address the most stressful situations
• Identification of the Recovery Point Objective (RPO) for data loss for each
  of the critical systems, and the strategy to deal with such data loss
• Alternate procedures during the time systems are not available, and
  estimating resource requirements

Phase 2: Risk Assessment

• Structured risk assessment based on comprehensive business impact
  analysis. This assessment considers all business processes and is not
  limited to the information processing facilities.
• Risk management by implementing an appropriate strategy/architecture to
  attain the bank’s agreed RTOs and RPOs.
• Impact on restoring critical business functions, including customer-facing
  systems and payment and settlement systems such as cash disbursements,
  ATMs, internet banking, or call centres
• Dependency and risk involved in the use of external resources and support

Phase 3: Determining Choices and Business Continuity Strategy

• BCP should evolve beyond the Information Technology realm and must also
  cover people, processes and infrastructure
• The methodology should provide for the safety and well-being of people in
  the branch / outside location at the time of the disaster.
• Define response actions based on identified classes of disaster.
• To arrive at the selected process resumption plan, one must consider the
  risk acceptance for the bank, industry and applicable regulations

Phase 4: Developing and Implementing BCP

• Action plans, i.e., defined response actions specific to the bank’s
  processes, practical manuals (dos and don’ts, specific conditions
  customized to individual business units) and testing procedures
• Establishing management succession and emergency powers.
• Compatibility and co-ordination of contingency plans at both the bank and
  its service providers.
• The recovery procedure should not compromise on the control environment at
  the recovery location.
• Having specific contingency plans for each outsourcing arrangement based
  on the degree of materiality of the outsourced activity to the bank's
  business.
• Periodic updating to absorb changes in the institution or its service
  providers. Examples of situations that might necessitate updating the
  plans include acquisition of new equipment, upgradation of the operational
  systems and changes in:
    • Personnel
    • Addresses or telephone numbers
    • Business strategy
    • Location, facilities and resources
    • Legislation
    • Contractors, suppliers and key customers
    • Processes (new or withdrawn ones)
    • Risk (operational and financial)

4.4.9 Testing a BCP

Banks must regularly test the BCP to ensure that it is up to date and
effective. Testing of the BCP should include all aspects and constituents of a
bank, i.e. people, processes and resources (including technology). A BCP may
fail after full or partial testing. The reasons are incorrect assumptions,
oversights or changes in equipment or personnel. BCP tests should ensure that
all members of the recovery team and other relevant staff are aware of the
plans. The test schedule for BCPs should indicate how and when each component
of a plan is to be tested. It is recommended to test the individual components
of the plan(s) frequently, typically at a minimum of once a year. A variety of
techniques should be used in order to provide assurance that the plan(s) will
operate in real life.

Banks should involve their Internal Auditors (including IS Auditors) to audit
the effectiveness of the BCP and its periodic testing as part of their
Internal Audit work, and their findings/recommendations in this regard should
be incorporated in their report to the Board of Directors.

• Banks should consider having a BCP drill planned along with the critical
  third parties, in order to provide services and support to continue with
  pre-identified minimal required processes.
• Banks should also periodically move their operations, including people,
  processes and resources (IT and non-IT), to the planned fall-over or DR
  site in order to test the BCP effectiveness and also gauge the recovery
  time needed to bring operations to normal functioning.
• Banks should consider performing the above test without movement of bank
  personnel to the DR site. This will help in testing the readiness of
  alternative staff at the DR site.
• Banks should consider having an unplanned BCP drill, wherein only a
  restricted set of people and certain identified personnel may be aware of
  the drill and not the floor or business personnel. In such cases banks
  should have a “Lookout Team” deployed at the location to study and
  assimilate the responses and needs of different teams. Based on the
  outcome of this study, banks should revise their BCP to suit the ground
  requirements.
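An added example, not part of the course material, of scoring a DR drill against the RTO and RPO fixed in the Business Impact Analysis: it computes the achieved recovery time and data-loss window per system and flags breaches and systems the drill never exercised. The system names, targets and drill timestamps are constructed.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed BIA targets in minutes (illustrative, not regulatory figures).
BIA_TARGETS = {
    "core_banking": {"rto": 120, "rpo": 15},
    "atm_switch": {"rto": 60, "rpo": 5},
    "internet_banking": {"rto": 240, "rpo": 30},
    "treasury": {"rto": 480, "rpo": 60},
}

# Constructed drill log. "declared" is when the disaster was declared,
# "last_replicated" is the newest transaction found at the DR site and
# "restored" is when the service was usable from the DR site (None = never).
DRILL_LOG = [
    {"system": "core_banking", "declared": "2024-03-09 22:00",
     "last_replicated": "2024-03-09 21:52", "restored": "2024-03-09 23:35"},
    {"system": "atm_switch", "declared": "2024-03-09 22:00",
     "last_replicated": "2024-03-09 21:48", "restored": "2024-03-09 22:50"},
    {"system": "internet_banking", "declared": "2024-03-09 22:00",
     "last_replicated": "2024-03-09 21:40", "restored": None},
]


def _minutes(start, end):
    """Whole minutes from start to end, never negative."""
    delta = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
    return max(0, int(delta.total_seconds() // 60))


def evaluate_drill(targets=BIA_TARGETS, drill_log=DRILL_LOG):
    """Compare each critical system's drill outcome with its RTO and RPO."""
    records = {rec["system"]: rec for rec in drill_log}
    results = {}
    for system, target in targets.items():
        rec = records.get(system)
        if rec is None:
            # Listed as critical in the BIA but absent from the drill.
            results[system] = {"status": "NOT_TESTED", "recovery_min": None,
                               "data_loss_min": None, "breaches": []}
            continue
        data_loss = _minutes(rec["last_replicated"], rec["declared"])
        recovery = (_minutes(rec["declared"], rec["restored"])
                    if rec["restored"] else None)
        breaches = []
        if recovery is None or recovery > target["rto"]:
            breaches.append("RTO")
        if data_loss > target["rpo"]:
            breaches.append("RPO")
        results[system] = {
            "status": "FAIL" if breaches else "PASS",
            "recovery_min": recovery,
            "data_loss_min": data_loss,
            "breaches": breaches,
        }
    return results


if __name__ == "__main__":
    for system, outcome in evaluate_drill().items():
        print(system, outcome)
```

A system that passes on recovery time can still fail on data loss, as the constructed ATM switch record does, which is why the two objectives are evaluated separately.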
4.4.10 Let us sum up

Risk management should be given prime importance in the complex IT set-up of
banks, more so with core banking operations, as CBS caters to the entire
business operations of a bank from all sides. Because internal users as well
as customers access CBS, the exposure window of risks is bigger. Therefore,
banks should have a risk management practice in place to mitigate IT risks. In
an IT set-up, risks may emanate from network connectivity, production servers,
application servers, internal threats, external threats, etc. Banks should
identify the events that could disrupt operations and become a source of risk.
Risk categorization and identification will help in mitigating the occurrence
of a possible risk. Incident and problem management practices such as Problem
Management, Access Management, Service Desk Management and Change Management
will help in eliminating or lessening the degree of risks. A business
continuity plan also helps banks to mitigate risks to a great extent. A
standard BCP consists of various phases such as Business Impact Analysis, Risk
Assessment, Determining Choices and Business Continuity Strategy, Developing
and Implementing a BCP and Testing a BCP.

4.4.11 Key words

Desktop, Database, anti-virus, UPS, DBA, BCP, BCM, BSI, RTO, BIA, RPO, ATM

4.4.12 Know your progress questions

1. BCP means -------------------

2. BIA means -------------

3. Incident management in IT parlance addresses -------------
   a. Technical and functional incidents
   b. Frauds committed in Banks
   c. Any incident which is material to Banks operations
   d. None of the above

4. Testing of BCP plan is useful because ------------------
   a. It helps Bank to comply with RBI requirement
   b. It helps to ensure that in case of a disaster Bank can switch over to
      DR site as per BCP
   c. The resources at DR site would not lie idle
   d. None of the above

5. Access Management is useful for an organization to manage ----
   a. confidentiality of data
   b. secrecy of its data
   c. Authorized users would use IT infrastructure and applications
   d. All of the above

Key to questions

1. Business Continuity Planning
2. Business Impact Analysis
3. a
4. b
5. d

4.4.13 Terminal questions

• What is the importance of Business continuity planning in Banks?
• How are risk management strategies to be put in place for mitigating
  risks?

4.5 Lesson No. 5 Important terminologies

4.5.1 Objectives
4.5.2 IS Audit
4.5.3 EDP Audit
4.5.4 COSO
4.5.5 COBIT
4.5.6 ITIL
4.5.7 Let us sum up
4.5.8 Key words
4.5.9 Check your progress-questions
Key to Check your progress
4.5.10 Terminal questions

4.5.1 Objective

The objective of this lesson is to understand the meaning of different
terminologies involved in IT management.

4.5.2 IS Audit

Information systems audit is a part of the overall audit process, which is one
of the facilitators for good corporate governance. An Information Technology
Audit, or Information Systems Audit, is an examination of the management
controls within an Information Technology (IT) infrastructure. Mr. Ron Weber
has defined IS audit (EDP auditing, as it was previously called) as "the
process of collecting and evaluating evidence to determine whether a computer
system (information system) safeguards assets, maintains data integrity,
achieves organizational goals effectively and consumes resources efficiently".

IS audit has to be performed in conjunction with a financial statement audit,
internal audit, or other form of attestation engagement. In the recent past,
usage of technology has penetrated every function/activity performed in a
bank. The risks involved in the usage of technology have different dimensions.
It is therefore thought appropriate to have IS audit in banks.

IS Auditors should be professionally competent, having skills, knowledge,
training and relevant experience. They should be appropriately qualified, have
professional certifications and maintain professional competence through
professional education and training. As IT encompasses a wide range of
technologies, IS Auditors should possess skills that are commensurate with the
technology used by a bank. They should be competent audit professionals with
sufficient and relevant experience. Qualifications such as CISA (offered by
ISACA), DISA (offered by ICAI), or CISSP (offered by ISC2), along with two or
more years of IS Audit experience, are desirable. Similar qualification
criteria should also be insisted upon in the case of outsourced professional
service providers.

Banks may decide to outsource execution of segments of the audit plan to
external professional service providers, as per the overall audit strategy
decided in co-ordination with the CAE and the Audit Committee. This may be due
to inadequate staff available internally within a bank to conduct audits, or
insufficient levels of skilled staff. The work outsourced shall be restricted
to execution of audits identified in a plan. Banks need to ensure that the
overall ownership and responsibility of the IS Audit, including the audit
planning process, risk assessment and follow-up of compliance, remains within
the bank. External assistance may be obtained initially to put in place the
necessary processes in this regard.

IS Audit can be built around the four types of IT resources and processes:
a) application systems, b) information or data, c) infrastructure (technology
and facilities such as hardware, operating systems, database management
systems, networking, multimedia, and the environment that houses and supports
them and enables processing of applications) and d) people (internal or
outsourced personnel required to plan, organise, acquire, implement, deliver,
support, monitor and evaluate the information systems and services).

IS Auditors can use an appropriate combination of manual techniques and
Computer-Assisted Audit Techniques (CAAT). The IS Audit function needs to
enhance the use of CAATs, particularly for critical functions or processes
carrying financial or regulatory or legal implications. The extent to which
CAATs can be used will depend on factors such as the efficiency and
effectiveness of CAATs over manual techniques, time constraints, integrity of
the Information System and IT environment, and the level of audit risk.

CAATs may be used in critical areas (like detection of revenue leakage, treasury
functions, assessing impact of control weaknesses, monitoring customer
transactions under AML requirements and generally in areas where a large
volume of transactions are reported).
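An added example of a simple CAAT for revenue leakage, not taken from the course material: it re-derives the rate applicable to each fixed deposit from the rate master and recomputes the interest, flagging accounts booked at an outdated rate or posted with a different amount. The account data, rates, simple-interest (actual/365) formula and tolerance are assumptions made for illustration.

```python
from bisect import bisect_right
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

# Constructed rate master: (effective_from, annual rate in percent).
RATE_MASTER = [
    (date(2023, 1, 1), Decimal("6.50")),
    (date(2023, 7, 1), Decimal("7.00")),
]

# Constructed extract of fixed deposit accounts from the core banking system.
DEPOSITS = [
    {"account": "FD001", "opened": date(2023, 3, 15), "days": 365,
     "principal": Decimal("100000"), "booked_rate": Decimal("6.50"),
     "interest_posted": Decimal("6500.00")},
    {"account": "FD002", "opened": date(2023, 7, 10), "days": 365,
     "principal": Decimal("200000"), "booked_rate": Decimal("6.50"),
     "interest_posted": Decimal("13000.00")},
    {"account": "FD003", "opened": date(2023, 8, 1), "days": 180,
     "principal": Decimal("50000"), "booked_rate": Decimal("7.00"),
     "interest_posted": Decimal("1826.03")},
    {"account": "FD004", "opened": date(2022, 12, 20), "days": 365,
     "principal": Decimal("75000"), "booked_rate": Decimal("6.25"),
     "interest_posted": Decimal("4687.50")},
]


def applicable_rate(opened, rate_master):
    """Latest rate whose effective date is on or before the opening date."""
    dates = [effective for effective, _ in rate_master]
    idx = bisect_right(dates, opened) - 1
    return rate_master[idx][1] if idx >= 0 else None


def expected_interest(principal, rate, days):
    """Simple interest on an actual/365 basis (an assumption of this example)."""
    raw = principal * rate / Decimal(100) * Decimal(days) / Decimal(365)
    return raw.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def run_caat(deposits=DEPOSITS, rate_master=RATE_MASTER,
             tolerance=Decimal("1.00")):
    """Return one exception record per account that needs auditor follow-up."""
    master = sorted(rate_master)
    exceptions = []
    for dep in deposits:
        rate = applicable_rate(dep["opened"], master)
        if rate is None:
            # No master row covers the opening date: cannot be re-performed.
            exceptions.append({"account": dep["account"],
                               "findings": ["NO_RATE_FOUND"],
                               "difference": None})
            continue
        findings = []
        if dep["booked_rate"] != rate:
            findings.append("RATE_MISMATCH")
        expected = expected_interest(dep["principal"], rate, dep["days"])
        difference = dep["interest_posted"] - expected
        if abs(difference) > tolerance:
            findings.append("INTEREST_MISMATCH")
        if findings:
            exceptions.append({"account": dep["account"],
                               "findings": findings,
                               "difference": difference})
    return exceptions


if __name__ == "__main__":
    for item in run_caat():
        print(item)
```

A negative difference means less interest was posted than the rate master implies and a positive one means more. Both go to the auditor, since the same re-performance covers every account rather than a sample.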

4.5.3 EDP audit

It is an audit of information system assets to ensure that they are adequately
safeguarded against vulnerabilities of natural and man-made disasters. EDP
audit is now called IS audit, which is explained in the preceding paragraphs.

4.5.4 Committee of Sponsoring Organizations of the Treadway Commission (COSO)

COSO was organized in 1985 to sponsor the National Commission on Fraudulent
Financial Reporting, an independent private-sector initiative that studied the
causal factors that can lead to fraudulent financial reporting. It also
developed recommendations for public companies and their independent auditors,
for the Securities and Exchange Commission (SEC) and other regulators, and for
educational institutions.

The National Commission was sponsored jointly by five major professional
associations headquartered in the United States: the American Accounting
Association (AAA), the American Institute of Certified Public Accountants
(AICPA), Financial Executives International (FEI), The Institute of Internal
Auditors (IIA), and the National Association of Accountants (now the Institute
of Management Accountants [IMA]). Wholly independent of each of the sponsoring
organizations, the Commission included representatives from industry, public
accounting, investment firms, and the New York Stock Exchange.

The Committee of Sponsoring Organizations’ (COSO) mission is to provide
thought leadership through the development of comprehensive frameworks and
guidance on enterprise risk management, internal control and fraud deterrence
designed to improve organizational performance and governance and to reduce
the extent of fraud in organizations.

4.5.5 COBIT

COBIT (Control Objectives for Information and Related Technologies) is a
framework created by ISACA for Information Technology (IT) management and IT
Governance. It is a supporting toolset that allows managers to bridge the gap
between control requirements, technical issues and business risks.

COBIT is used globally by those who have the primary responsibilities for
business processes and technology, those who depend on technology for relevant
and reliable information, and those providing quality, reliability and control of
Information Technology.

COBIT is IT process-oriented and, therefore, addresses itself in the first
place to the owners of these processes. In COBIT, core processes (e.g.,
procurement, operations, marketing, sales) are discussed, as well as support
processes (e.g., human resources, administration, Information Technology). As
a consequence, COBIT is not only to be applied by the IT department, but also
by the business as a whole.

4.5.6 Information Technology Infrastructure Library (ITIL)

Responding to growing dependence on IT, the UK Government's Central Computer
and Telecommunications Agency in the 1980s developed a set of recommendations.
It recognized that without standard practices, government agencies and private
sector contracts had started independently creating their own IT management
practices.

ITIL is a set of practices for IT service management (ITSM) that focuses on
aligning IT services with the needs of business.

ITIL describes procedures, tasks and checklists that are not organization-specific,
used by an organization for establishing a minimum level of competency. It
allows the organization to establish a baseline from which it can plan, implement,
and measure. It is used to demonstrate compliance and to measure improvement.

4.5.7 Let us sum up

IS audit is a part of the overall audit process. It facilitates good corporate
governance. IS audit is carried out along with financial audit, internal
audit, or other forms of attestation engagement. IS audit is built around
resources and processes such as application systems, information, data,
infrastructure and people. IS auditing can be done by using manual or computer
techniques. CAATs may be used in critical functions like regulatory or legal
compliances. EDP audit is an audit of information which helps in safeguarding
IT systems from vulnerabilities and man-made disasters. COBIT is a framework
created by ISACA for managing technology and for IT Governance. ITIL is a set
of practices for IT service management (ITSM) that focuses on aligning IT
services with the needs of a business.

4.5.8 Key words

EDP, ISACA, DISA, ICAI, CISSP, ISC2, CISA, CAE, CAATs, AML, COSO, SEC, AAA,
AICPA, FEI, IMA, COBIT, ITIL

4.5.9 Know your progress questions

1. COBIT means -----------------

2. ITIL represents -------------

3. CAAT means -----------

4. Information system audit is to be carried out by whom?
   a. Chartered Accountant
   b. Chartered Engineer
   c. CISA certified Auditor or DISA certified Auditor
   d. Bank officials

5. Information system audit can be built around --------------
   a. Application systems
   b. Information or data
   c. IT infrastructure and people
   d. All of the above

Key to questions

1. Control Objectives for Information and Related Technologies
2. Information Technology Infrastructure Library
3. Computer Aided Audit Techniques
4. c
5. d

4.5.10 Terminal questions

• Explain IS audit in detail.
• How would COBIT be useful in IS audit in Banks?

4.5.11 Additional reading

• Thoma, Robert M., Introduction to Local Area Networks, BPB Publications
• Padwal, S.M., Computers and communications for Bankers, NIBM Pune
• RBI report on IS audit in Banks
275
Two illustrative models showing how technology adoption can change the
functional structure of the large grassroots entities of cooperatives in
India.

The two models show how technology intervention has enabled PACS to offer
digital banking services to their customers although they are not eligible to be
constituents of either NPCI or RBI as per the mandate of NPCI and RBI. These
two institutions are the nodal approval authorities for allowing various digital
banking functions in banks, not in societies.

NABARD, to promote this technology intervention in PACS, has come out with
various in the form of grants out of its Financial Inclusion Fund (FIF). The scheme
has been christened ‘PACS as Deposit Mobilising Agent (DMA)’. A few DCCBs
are also employing similar technology and have christened it ‘PACS as Customer
Service Point (CSP)’.

The features of the Rampur CCB/PACS model are as under –

THE IMPLEMENTATION PROCESS OF RAMPUR DISTRICT COOPERATIVE BANK (UP) FOR
ISSUING RUPAY KCC TO PACS MEMBERS UNDER EXISTING 3 TIER STRUCTURE FOR SHORT
TERM CREDIT

Rampur DCB has recently embarked upon implementation of RuPay KCC within
the existing 3 Tier structure of PACS granting loan to farmers and PACS in turn
getting loan from the DCB.
A visit was made to Rampur District Cooperative Bank (DCB) on 25th April 2014
to study the scheme implemented by them.

PROFILE OF RAMPUR DCB (as on 31st March 2014)
Deposits - Rs.274 crore
Loans - Rs.273 crore
Profit - Rs.1.76 crore (Consistently showing profits)
No. of branches - 30
No. of PACS - 64 + 50 Sub Centres
No. of PACS Members - 1,50,000
No. of ATMs - 5 – attached to 5 branches including one at Head Office
Core Banking Solution - Megasoft, on ownership basis

KEY FEATURES OF THE SCHEME

a. The DCCB has, with the help of its CBS Solution Vendor, evolved a software driven
solution whereby the card can be issued to farmers without need to shift the loan to the
books of DCCB.
b. While the entries through the Card get directly debited to the Loan Account of PACS,
the system creates farmer-wise shadow accounts.
c. Farmer-wise limit is controlled at the card level to ensure
withdrawals within the sanctioned limit of each farmer.
d. The DCB is migrating the PACS’s books of accounts (CAS) into
their own CBS Server by suitably partitioning it.
e. The CAS of each PACS is connected to CBS online for inter-
related transactions.
f. Access to CAS by PACS’s staff is through GPRS enabled Micro-
ATMs.
g. The account opening in the CBS as well as in CAS is to be carried
out at DCB.
h. Software Application for Micro-ATM has been customized so that
PACS’s staff is able to select the option in the Micro-ATMs to
operate CBS or CAS.
i. The Micro-ATM Device needs upgradation to operate on
Windows platform. The bank is in talks with various Micro-
ATMs vendors. Many vendors have reportedly expressed interest
and the bank is in the process of negotiating the cost and short
listing the vendor.
j. The Farmer gets intimation about each transaction on his mobile
through SMS. The SMS solution has been provided by Megasoft
and the bank has entered into an arrangement with the MNO.
During the visit it was found to be working on the test account. The DCB is
considering introducing voice based SMS for farmers, as many
farmers may not be able to make use of a written message.
k. The bank proposes to offer option to the farmers to open Savings
Account, accessible from the same RuPay KCC. This would
however be possible only if NPCI agrees to issue single
IIN for both KCC and Savings Accounts. Currently,
NPCI issues separate IIN for KCC and deposit accounts.
The bank proposes to represent to NPCI for change in their
scheme. If NPCI does not agree, the bank will have no option but
to issue separate Card for Savings Account.

PROCESS FLOW
1. PACS and DCB jointly sanction the KCC loan to individual farmers; both
will have a contractual relationship with the farmers.
2. The loan documents of farmers remain with the respective PACS while the
DCB keeps a copy of the application and the documents.
3. The loan agreements between DCB and PACS as also between
PACS and the farmers to be suitably modified to include the
mode of arrangements for disbursement of the loans.
4. RuPay KCC is issued to the farmers, directly linked to the Loan/CC
Account of PACS.
5. The KCC Limit of individual farmer is setup under the RuPay KCC issued
to him.
6. PACS are customers of the bank and are assigned Customer ID. KYC
details of the PACS are complied with.
7. The Farmer is the customer of the PACS and ‘sub-customer’ of the
DCB. The record of all KYC documents pertaining to the farmer is
maintained by the DCB while the originals are kept at PACS.
8. The transaction directly gets debited/credited in the PACS account with
reference to the unique code assigned to the farmer as per numbering
explained in Annexure ‘A’. Both legs of the transaction thus get reflected in
the CBS directly.
9. Simultaneously, the transaction gets reflected in a Shadow Account of the
concerned Farmer. It is a single leg, replicating the transaction in PACS
Account.
10. The Shadow Account of each farmer thus carries details of each of his
transaction.
11. The aggregate of balances in all farmers’ shadow accounts is always equal
to the total outstanding balance in the PACS Account at any point of time.
12. The interest in PACS Account is applied in the books of DCB as applicable
to the loan of PACS.
13. The interest on shadow account is calculated as per rate setup in the
Shadow Account. No transaction is carried out in this respect in CBS, this
being a shadow account. The calculation serves the purpose of only
farmer-wise account information for use by PACS.
14. In addition to the aforesaid, the DCB maintains at its own Data Centre, the
CAS for each PACS.

15. The CAS for each PACS is linked to CBS, whereby entries relating to the
respective PACS are updated online into CAS (they can also be uploaded in
batches, if so desired).
16. The entries in CBS thus get replicated in Shadow Accounts and in CAS
online through the modifications carried out by the CBS Vendor.
17. Along with this, the PACS’s staff would be doing entries through Micro-
ATMs directly into their respective CAS.
18. The modifications in software application on Micro-ATM will provide
option to select CBS or CAS for carrying out transactions pertaining to
respective accounting system.
19. The software solution on Micro ATM has been customized to include all
relevant account heads in the CAS like Share Money, Soft Purchase etc.
20. Entries relating to CAS would be done by PACS’s staff; entries relating to CBS
would get relayed to CBS, as the connectivity between CBS and CAS is
2-way.
21. That would help PACS to operate their CAS as well as CBS like a
Laptop/Desktop.
22. This software solution would require Windows based Micro ATM Device.
The Bank has initiated the process to invite quotations from interested
Vendors.
23. DCB will provide Micro ATM to all PACS and their Sub Centres.
24. DCB also proposed to provide POS to the merchants selling fertilizer,
pesticide etc., to the PACS members.
25. The farmer would be able to carry out the transactions in the account
through Micro-ATM or through the branch of DCB. PACS would be able to
access CAS through modified Micro-ATM. This would ensure that the CAS
is up to date with the transactions initiated by the customer as well by
PACS.
26. The communication between CAS and CBS would be 2-way i.e. CBS entries
going into CAS and vice versa; either online or through batch processing.
Therefore there would not be any reconciliation issue.
27. The transactions on the Card through Branch ATM, through Micro-ATM
kept in Data Centre for testing and through other bank’s ATM are being
carried out and the transactions in the CBS, the Shadow Account and the
CAS are taking place under test launch.

28. The staff at the Data Centre of the DCCB is supported full time by 2
officials of Megasoft.
29. DCCB has already operationalized the scheme for 2 PACS.

ANNEXURES
Annexure ‘A’ - Operational Details
Annexure ‘B’ - Illustrations of Accounting Entries
Annexure ‘C’ – Images of Micro ATM Device and KCC Card

IMPLEMENTATION PLAN
The first phase, proposed to be completed by September 2014, involves -
• 5 PACS to go live – Ajeetpur, Kakrauwa, Panwaria, Doonda wala and
Dhanauri
• 110 Micro ATMs to be installed at PACS/Sub Centres
• 50 POS to be installed at Merchant sites
• Cards to be delivered to members of all these 5 PACS
• Financial Literacy/awareness campaign to be undertaken for initiation of
farmers into the use of the RuPay KCC

CURRENT STATUS
• 3000 RuPay KCC have been printed out of which 200 have been delivered
• 2 PACS are functional – Ajeetpur and Kakrauwa
• Data migration has been completed in remaining 3 PACS

CHALLENGES
• Awareness amongst staff
• Awareness amongst farmers’ community
• Acceptance of the RuPay KCC medium by the farmers
• Effective migration of the transactions to the Card
• Financial impact on the DCB

SUGGESTED ACTION PLAN FOR RAMPUR DCB
• The Bank should get the system audit done by a CISA qualified professional to
ensure system’s sanity and security.
• To meet the challenges, considerable effort and resources are required at the
ground level.
• Apart from holding meetings, road shows and distribution of
leaflets/brochures, it would be necessary to engage with the card holder
farmers to educate them and to remove their apprehensions and initial
reluctance to move to plastic card.
• The bank may consider hiring suitably modified vans to visit various villages
along with PACS officials and attract the attention of the farmers through plays/skits,
for which stage artists may have to be engaged.
• Influential leaders of the area (“rain makers”) may be associated to help generate
acceptance of the Kisan Card.
• The multi-pronged effort may initially be focused on a few villages. Once the
ice is broken, the strategy to bring surrounding area farmers to witness the
benefits would spread the usage.
• The bank may need support in this endeavour to derive full benefit of the
initiative.

ROLE OF GIZ
Rampur DCB does not have the required human, technical and financial resources to
undertake activities to overcome the challenges effectively. GIZ under its RFIP
programme with NABARD can play an enabling role in the areas of:
• Creating awareness and acceptance of the product by farmers,
which leads to faster adoption by farmers and higher transaction levels.
This will have to be preceded by suitable training and capacity building at
PACS level.
• Developing operational process manuals and protocols for the
Bank as required for issuance of cards, pin mailers, card hot-listing,
reissuance, charge back, etc. This is a high risk area and the Bank is
new to such processes; hence external support by GIZ’s team of
experienced bankers in this domain could strengthen these processes,
which can further be applied to and leveraged by other CCBs as a model
operational process management toolkit/reference guide.
• Technical assistance (human resources) at the local Bank site for
supporting the Bank’s technological team for rolling out PoS/micro ATM at
PACS and MIS management at Bank’s level.

TAKING FORWARD TO OTHER DCCBS:

Based on the success of the Rampur model (and regulatory
clearance, if any), a detailed Rampur CCB case study can be
prepared (perhaps by GIZ-RFIP) with the intent of assessing the
replication potential of the model for other CCBs. Such a case
study will help other CCBs in preparing themselves for similar
onboarding onto the RuPay KCC platform.

This would however involve considerable effort to get their CBS Vendors
into customization as done by Megasoft for Rampur DCCB (including
customization in respect of moving CAS of PACS of respective bank into
the DCCBs’ fold).
.....

Annexure ‘A’
Operational Details

• The PACS are the customer of the bank and are assigned Customer ID.
KYC details of the PACS are complied with.
• Farmer is the customer of the PACS and ‘sub-customer’ of the DCB. All the
documents pertaining to KYC of the farmer are maintained by the DCB.
• Each farmer (KCC account holder) is assigned a customer ID similar to
that of any other customers of the bank.
• DCB is 'co-sanctioning' the KCC loan to farmers individually, therefore
maintaining a contractual relationship with the farmer.
• There is a ‘parent-child’ relation in the database between the PACS
(parent) and KCC holder (child).
• The account of the PACS forms the part of General Ledger of the DCCB,
while the details of farmers (KCC holder) form part of the subsidiary
ledger.
• The 15 digit accounting code of the magnetic strip of the RuPay Kisan Card
captures data as under:
   o First four digits denote the branch code.
   o Next four digits denote the GL Code of the society concerned of which
     the farmer is a member.
   o Last seven digits denote the account no. of the farmer.
• The transactions at ATM/ micro ATM, therefore, get updated in the books
of accounts in the Branch, PACS as well as, individual KCC holder on real
time basis.
• Farmer would transact at PACS level, only through micro ATMs so that his
account details are updated on real time basis.
• Each Micro ATM terminal at PACS shall be labeled and cash balances with
the PACS at EOD, if any, shall be indicated as ‘cash as PACs’ in the daily
trial balance of the DCB.
• There shall be no room for imbalance as every transaction by a farmer
shall be recorded at the bank level and the recoveries by the PACS from
the farmer will have to be passed on to the bank as they have been received
from the farmer.
• The system calculates the interest and interest subvention. The system
also takes care of the fact that interest subvention is not available for the
consumption loan component of the KCC loan.
• The system takes care of the share capital requirement vis-à-vis the drawal
limit of the farmer and restricts the withdrawals till the share capital
requirement of the farmer is met.
• The scale of finance can be updated in the master file and the system
facilitates calculation of the farmer’s loan limit based on his land holding
acreage and crops cultivated.
• Farmer can open a SB account with the DCB. Both the KCC loan account
and saving bank account shall be operated by the farmer with the same
RuPay Kisan Card at any POS/microATMs/ ATMs. Under this, the
customer while operating his RuPay Kisan Card at any of the outlet
(microATMs/ POS/ ATMs/branch) has to give an option whether he wants
to operate his SB A/c or KCC account. Once the option is given, the
customer can access his SB A/c or KCC loan account, independent of each
other, and get the services of cash deposit/ cash withdrawal/ balance
inquiry/ fund transfer/ mini statement.
• At the time of enrollment, biometrics of the farmers are recorded through
the microATMs and stored in the datacenter of the DCB (since
Aadhaar is yet to be established in the State). This would facilitate use of the
RuPay Kisan Card at microATMs/POS either by PIN or biometric
authentication by the farmer, instilling confidence in the illiterate farmer to
use the technology.
• SMS alert is provided to the customer for all the transactions.
.....

Annexure ‘B’
Illustrations of Accounting Entries
ILLUSTRATION NO. 1
Cash withdrawn by ‘A’ Farmer through Micro-ATM installed at the PACS ‘X’ – Rs.9000/-
a) Entries in CBS of DCB:
Dr Loan/OD account of PACS - 9000
Cr PACS ‘X’ (cash account) - 9000

b) Entry in Shadow Account of ‘A’ Farmer
Dr Cash withdrawn - 9000

c) Entry in CAS of PACS ‘X’
Dr Loan Account of ‘A’ Farmer - 9000
Cr Cash on hand - 9000
Dr DCB (cash account) - 9000
Cr Loan/OD account at DCB - 9000

ILLUSTRATION NO. 2
Cash deposited by ‘A’ Farmer in DCB branch – Rs.5000
a) Entries in CBS of DCB
Dr Cash on hand - 5000
Cr Loan/OD account of PACS - 5000

b) Entry in Shadow Account of ‘A’ Farmer
Cr Cash deposited - 5000

c) Entry in CAS of PACS ‘X’
Dr Loan/OD account of PACS - 5000
Cr Loan Account of ‘A’ Farmer - 5000

The net debit balance in ‘A’ Farmer’s Loan account would be Dr Rs. 4000 (9000-
5000) in CAS and in CBS Rs. 4000/- in Loan/CC account of PACS
SUM UP –
- Transactions through Card would directly go to PACS’s Loan/CC Account.
- Simultaneously another similar (single leg) entry would be created in Shadow
Account of the Farmer concerned
- Further, simultaneously another set of entries would be created in CAS of the
concerned PACS to reflect the transaction.
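
The posting rule in process-flow steps 8 to 11, the 15-digit code layout in Annexure ‘A’ and Illustrations 1 and 2 can be replayed as a control test of the kind a system auditor would run. The Python sketch below is an added example, not the bank's or Megasoft's code; the class and function names, the sample card code and the Rs. 50,000 limit are constructed assumptions.

```python
from dataclasses import dataclass, field


class LimitExceeded(Exception):
    """Raised when a withdrawal would take a farmer past the sanctioned limit."""


def parse_card_code(code: str) -> dict:
    """Split the 15-digit code: 4 branch + 4 PACS GL + 7 farmer account digits."""
    if not (code.isascii() and code.isdigit() and len(code) == 15):
        raise ValueError("accounting code must be exactly 15 ASCII digits")
    return {"branch": code[:4], "pacs_gl": code[4:8], "farmer_acct": code[8:]}


@dataclass
class PacsLedger:
    """CBS view of one PACS Loan/OD account and its farmer-wise shadow accounts."""
    pacs_gl: str
    limits: dict                                 # farmer account -> sanctioned limit (Rs.)
    pacs_loan_balance: int = 0                   # debit balance of the PACS Loan/OD account
    shadow: dict = field(default_factory=dict)   # farmer account -> debit balance

    def post(self, code: str, kind: str, amount: int) -> int:
        """Post one card transaction; return the farmer's new shadow balance."""
        parts = parse_card_code(code)
        acct = parts["farmer_acct"]
        if parts["pacs_gl"] != self.pacs_gl or acct not in self.limits:
            raise ValueError("card is not mapped to this PACS")
        if kind not in ("withdrawal", "deposit") or amount <= 0:
            raise ValueError("unsupported transaction")
        delta = amount if kind == "withdrawal" else -amount
        new_balance = self.shadow.get(acct, 0) + delta
        # Farmer-wise limit is enforced before anything is written (key feature c).
        if new_balance > self.limits[acct]:
            raise LimitExceeded(f"{acct}: {new_balance} exceeds {self.limits[acct]}")
        # Both books move together, so process-flow step 11 keeps holding.
        self.pacs_loan_balance += delta
        self.shadow[acct] = new_balance
        return new_balance

    def reconciliation_gap(self) -> int:
        """Sum of shadow balances minus PACS balance; anything but 0 needs review."""
        return sum(self.shadow.values()) - self.pacs_loan_balance


def run_illustrations() -> PacsLedger:
    """Replay Illustrations 1 and 2 for farmer 'A' (constructed code and limit)."""
    card_a = "0012" + "4501" + "0000123"         # constructed sample, not a real card
    ledger = PacsLedger(pacs_gl="4501", limits={"0000123": 50000})
    ledger.post(card_a, "withdrawal", 9000)      # Illustration 1
    ledger.post(card_a, "deposit", 5000)         # Illustration 2
    return ledger


if __name__ == "__main__":
    books = run_illustrations()
    print(books.shadow, books.pacs_loan_balance, books.reconciliation_gap())
```

A non-zero `reconciliation_gap()` means a shadow account and the PACS Loan/OD account have diverged, which is the condition the aggregate-balance rule is meant to exclude.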

Annexure ‘C’

Source: GIZ, NABARD UP, RO visit report

CSP - What is it?

• Customer Service Point. It is a banking outlet run through an outsourced agency
for carrying out transactions and sourcing of business.
• For DCCBs, outsourced agencies means their affiliated societies.
• Banking outlet means providing banking services.
• Sourcing of business – to provide banking facilities that they are generally
unable to provide because of their non-banking status, thereby expanding
their own business and the business of the DCCB.

Benefits

• Banking facilities can be facilitated at the doorsteps of the remotest corners of
our country.
• Government’s goal of Financial Inclusion can be fulfilled.
• Direct Benefit Transfer is not a dream anymore.
• Deposits are insured.
• Better surveillance of customer deposits.
• Diversification of business of the PACS, generating more revenue.

Services that can be provided through CSP

• Opening of accounts
o Savings and Term Deposits
• RTGS / NEFT Facilities
o Fund transfer to anywhere in India
• ATM Cards
o Tie up with service providers such as RuPay
• Issue of Personal Loans
• SMS Alerts
• NACH Facilities
• In other words, all facilities of BANKING right at the doorstep,
even though these are not banks but societies.

TECHNOLOGY

• RTGS / NEFT through H2H system.
• Micro ATM Services through a Core Database

Working of RTGS / NEFT

The C S P Model

• Provide most (if not all) banking services from the doorstep.
• Every Society should maintain their independent entity and identity.
• Database of all Societies should be linked into a Core Database.
• District Central Cooperative Banks should play a pivotal role.
• Technology driven banking.
• Goal of complete financial inclusion

Why C S P?

• Cheque facilities on Savings accounts with CTS facility enabling
all India services.
• No limit on Cheque collection and drawal in accounts through CTS.
• Direct Benefit Transfers (DBT) facility available on all accounts.
• Fund transfer like NEFT, RTGS, IMPS available from anywhere in
India.
• Issue of ATM Cards with All India transaction facility.
• POS, ecommerce available 24 x 7.
• SMS alerts.
• Deposit insured through DICGC.
• Recommendation of Loans other than such loans that are already
being issued by the Society.
• Diversification of business

Bardhaman Central Coop Bank’s Model

• Bank had initiated application software RFP.
• From technical selection to rate fixing was done by a team of
members of the bank.
• Customisation was completed by the bank’s UAT team.
• Societies individually may order the application from the vendor
directly.
• Database to be hosted by the software vendor.
• Everyday backup to be uploaded at the bank’s data-centre.
• Bank to have a 360 degree view of the regular affairs, resulting in
better monitoring and service.

Source: Bardhaman CCB, West Bengal

Note: In case any discrepancies are observed in the module, they may be
communicated to C-PEC at [email protected].