Saturday, 22 January, 2022

Digital Banking Needs Stricter Control

Nironjan Roy

Last month, when I was visiting Bangladesh, I accompanied one of my friends, a businessman who had some outstanding issues with the bank related to his bank loan. My friend took me to the bank for a discussion with the manager so that his problems related to bank borrowing could be resolved. While discussing, I noticed that officers working in that bank were able to quickly retrieve account statements from my friend’s different accounts maintained with different branches located in different places in the country. I did not see my friend use his bankcard or his confidential PIN (Personal Identification Number) to allow the bank officers to get access to his account. In response to my query, one of the officers told me that with first and last name or his account number, a statement can be generated. I was surprised to know that those statements, as retrieved from the online banking system, carried detailed transaction history along with the current available account balance. Obtaining statements from different accounts within a short while seems to be an expeditious service of the bank. I was confused whether this type of specialized service was exclusively extended to that customer or available for any customer. After discussion with the bank official, I confirmed that this type of customer service is available under the online banking system; however, they usually charge fees for an account statement if taken more than twice in a year. This expeditious service ostensibly seems to be too good and convenient; however, sometimes too good is not good at all, especially when a control parameter is compromised.

Severe fraud risk: If this practice in the name of digital banking is followed in the country’s banking industry, then I must say that there are severe lapses in the control mechanism. Obtaining an account statement using first and last name, or simply using the account number, indicates that anybody working in the bank can easily get access to customers’ accounts, which poses a serious fraud risk. We know all bankers are honest, sincere and trustworthy; so it is believed that they will not touch customers’ accounts without authorization. However, unscrupulous people are always around us and they can indulge in fraudulent activity by abusing weaknesses of the digital banking system. Unscrupulous officers will be able to get all information from the customers’ bank accounts and easily follow a customer’s behaviour and transaction pattern, based on which they can commit fraudulent transactions. For example, one dishonest employee observes that one account always carries a substantial balance over a period of time without any frequent transaction history. He may then pass on this information to someone outside who will be able to easily make a fund transfer request using the customer’s confidential account information. In this way, a fraudulent transaction might take place in the customer’s account. We have to keep in mind that without a banker’s involvement or association, outsiders cannot commit any fraudulent activity in a bank.

Case reference: In the middle of the 1990s, while working in a bank, I had an opportunity to review one fraud investigation report. Twenty-one lakh taka were fraudulently withdrawn from one customer’s bank account. On investigation it was unearthed that one unscrupulous banker had directly assisted the outsider by providing the account balance and the customer’s specimen signature. It was even believed that the dishonest banker had advised on the mechanism that the outsider used to commit the fraudulent act. The stranger submitted a request letter for issuing duplicate cheque books, stating that his cheque books had been lost. Since that person had used the customer’s specimen signature supplied by the banker involved, the signature on the request letter was duly verified and the duplicate cheque books were issued. Using those cheque books, money was fraudulently withdrawn from the customer’s account, which the bank subsequently identified when the actual account holder came and demanded money. If the unauthorized officer had not had any access to the customer’s account, this type of fraud would not have taken place.

Standard practice: In banking, a set standard practice is always followed to protect customers’ interests, and maintaining strict confidentiality of customer information is a key parameter. Only an authorized person with prior consent from the customer should be entitled to get access to the customer’s account. While traditional banking was in place, such a control mechanism was meticulously followed so as to mitigate the risk of fraudulent acts. After the transformation to online or digital banking, the importance of these control parameters has further heightened. In modern banking practice, a banker will only get access to a customer’s account when the customer authorizes it. Usually, the customer appears at the bank, where he/she uses his/her bankcard and confidential PIN to authorize the banker to perform his/her request, including monetary transactions and non-monetary actions, viz. obtaining a transaction statement, current balance confirmation and other relevant inquiries. A banker can use first and last name or account number to have very limited access to a customer’s account, from where only very minimal information, viz. account name, address etc., can be viewed. No other material information should be viewed without using the customer’s bankcard and confidential PIN. However, a bank may maintain a centralized department exclusively for executing any fund transfer request or any other transaction based on the customer’s written instruction if such a requirement arises.

Industry practice: I was discussing with some bankers this weakness in the control parameter and its likely consequences. In response, they expressed their utter helplessness in enforcing the practice of requesting the customer to come to the bank and use his/her bankcard along with confidential PIN to get access to the account and perform the required task, because the customer will get annoyed and lodge a complaint with higher management, who will then listen to the customer and resent the bankers for not performing the customer’s request regardless of how legitimate it is. This is unfortunately a common phenomenon in our country’s banking industry, and this malpractice occurs because there is no strict industry practice in our banking operation. Strict compliance with a standard industry practice, which must be meticulously followed by all banks, is inevitably required to make online or digital banking a complete success. When all banks follow the same procedures, customers will not have any scope for complaint; instead they will be compelled to abide by the rules. This industry practice should be directed by the country’s regulator or central bank and the Bankers’ Association as well. In the developed world, where the entire banking system is technology based, it is unthinkable to get access to a customer’s account without his/her bankcard and confidential PIN.

The banking sector in our country is gradually transforming to an online or digital platform, keeping pace with the government’s initiative of digital Bangladesh. Many banking services have become very fast and convenient because of the introduction of digital banking. Electronic fund transfer in the form of both Real Time Gross Settlement (RTGS) and Bangladesh Electronic Fund Transfer Network (BEFTN) is a good example of the fastest online banking services. With the development of digital/online banking, the degree of risk also rises. In order to mitigate the risk associated with online/digital banking, many control parameters are always put in place. Digital banking may turn dangerous if an appropriate control mechanism is not developed properly. Allowing officers to indiscriminately get access to customers’ confidential information reveals serious lapses in the control mechanism, so this practice must be stopped. Digital banking does not necessarily mean that confidentiality of customer information should be compromised in the name of expeditious services. Some may argue that bankers work with trust, so they will not breach any fiduciary interest, which is true, and most bankers will not do that, but there may be a few who cannot check their temptation to exploit the weakness of the control mechanism. In our country there are instances where measures have not been taken before a mishap takes place. We believe Bangladesh Bank should review this practice with serious attention and instruct all bankers to restrict officers’ access to customers’ confidential/material information. Such access can only be allowed when the customer personally comes and uses his/her bankcard and confidential PIN. Bangladesh Bank should act in this area before any fraudulent activity occurs.


The writer is a banker, Toronto, Canada