Core Banking Systems May 22

Core Banking Systems

C HAPTER 5

C ORE B ANKING S YSTEMS

1. O V E R V I E W O F B A N K I N G S E R V I C E S

1.1. I N T R O D U C T I O N

Key factors/ reasons that enabled Banks to compete at world level & provide basic banking services to citizens
of India staying in remotest area of India are as follows:
a) Rapid development & adoption of IT by Banks which facilitates anytime, anywhere access in digital age.
b) Global business opportunities leading to Indian opportunities & customer’s demand for integrated services
to compete in global economy.
c) Growth of Internet penetration across India.
d) Successive Government’s focus towards financial inclusion for all Indians. E.g. Jan Dhan Yojana.
To meet the requirements of its customers, to be able to meet the global challenges in banking and to enhance
its service delivery models; banks in India adopted CORE BANKING SYSTEMS (CBS).

1.2. C H A R A C T E R I S T I C S / K E Y F E A T U R E S O F B A N K I N G B U S I N ES S

a) Custodian of Large volume of Monetary Items like cash & Negotiable Instruments.
b) Dealer in Large volume (in number, value and variety) of transactions.
c) Operating through Wide Network of Branches & Departments, which are geographically dispersed.
d) Increased possibility of fraud making it mandatory for Banks to provide multi-point authentication checks
& high level of information security.

Q. Banking has played a vital and significant role in development of economy. In the light of this
statement, explain the key features of banking business.

1.3. F U N C T I O N S O F B A N K / M A J O R P R O D U C TS & S ER V I C ES P R O V I D E D B Y B A N K S

Acceptance of
Core functions deposit
[Pay Interest] Lending of money
[Earn Interest]

P a g e |1
 May 22 Core Banking Solution
Core Banking Systems

S No. Functions Explanation

1 Acceptance of ▪ Most important function of a commercial bank which fuel the growth of
Deposits banking operations.
▪ Banks accept deposits from customers for a pre-defined period.
▪ Various forms of Acceptance of deposit are Fixed deposit, Current A/c deposit,
Saving deposit, Recurring deposit, Flexi deposit etc.
2 Granting of ▪ It constitutes major source of earning by commercial banks.
Advance/ Lending
of money ▪ Various forms - Cash credit, Loans, Overdraft, Discounting of Bills etc.
▪ Bank helps in disbursement of loans under various social welfare schemes
like Kisan credit card, mudra Yojana etc.
3 Remittances ▪ Involves transfer of funds from one place to another.
▪ Common modes:
a) Demand draft – It is issued by one branch of a Bank and are payable by
another branch of the Bank. If the Bank does not have branch at destination,
it is payable at branch of another bank with which the issuing bank has
necessary arrangements The demand drafts are handed over to the Applicant.
b) Mail Transfer – It is a way of remitting money from one place to another
through a Bank. Bank does not hand over any Instrument to Applicant and
transmission of the instrument is responsibility of the branch.
c) Electronic Fund Transfer – EFT facilitates almost instantaneous transfer of
funds between two centers electronically. Types of EFTs are as follows:
RTGS (Real Time Gross NEFT (National Electronic IMPS (Immediate
Settlement) fund transfer) Payment System)
Type of EFT where the Type of EFT that facilitates It is instant inter-bank
transmission takes transfer of funds from any EFT done through
place on a real-time bank branch to any mobile or internet
basis. individual having an account banking.
In India, it is done for with any other bank branch Unlike other two, it is
high value transactions. in the country. available 24x7
Min value – 2L Comparatively slower including on bank
No minimum value holiday.

4 Collection ▪ Involves collecting proceeds on behalf of customers by collecting bank.

▪ Customers can submit instruments like cheque, draft etc which are drawn in
their favour, with their Bank for collection of amount from drawee bank.
▪ For these services, Banks charge nominal collection fees.
5 Clearing ▪ Involves collecting instruments on behalf of customers of Bank by clearing
house.
▪ Clearing house settles inter Bank transactions among banks & Post Offices.
▪ There may be separate clearing house for MICR [Magnetic Ink Character
recognition] & non MICR instruments.
▪ MICR is technology that allows machine to read & process cheques enabling
thousands of cheque transactions in short time.

2|P a ge
 Core Banking Systems May 22

Core Banking Systems

S No. Functions Explanation
▪ Electronic Clearing Services (ECS) is used extensively for bulk clearing which
is an electronic method of fund transfer from one bank account to another.
It takes two forms:
ECS credit ECS Debit
In this, number of beneficiary In this, large number of accounts with
accounts are credited by debiting the Bank are debited for credit to a
periodically a single account of the single account.
bank. Examples: Tax collections, loan
Examples: Payment of amounts instalment repayment, investments in
towards dividend distribution, interest, mutual funds etc.
salary, pension, etc.
6 Letter of Credit & Letter of Credit Guarantee
Guarantee
It is an undertaking by Bank to the It is provided by Bank, on request of
payee (supplier of goods & services) customer of Bank (supplier), to
➢ to pay him on behalf of buyer ➢ buyer of Goods / services
➢ any amount upto the limit ➢ to guarantee performance of
specified in L.C contractual obligation or
➢ provided T&C are satisfied. ➢ for submission to Govt. authorities
like customs in lieu of the
stipulated security deposit.
7 Credit Card ▪ Processing of Application for credit card is entrusted to separate division at
central office of Bank.
▪ It is linked to one of the international credit card networks like VISA, Master,
Amex or India’s own RuPay which currently issues debit cards but credit cards
are also expected to be launched in near future.
8 Debit Card ▪ Issued by central office of Bank where customers have their account.
▪ It facilitates withdrawal of money from ATMs as well pay at authorized
outlets. When debit card is used for a transaction, amount is immediately
deducted from customer’s account.
9 Other Banking Operations
High Net Worth
Back operations Retail Banking Specialized Services
Individuals (HNIs)
Covers all Known as front Specialized Underwriting: Life Non-Life
operations done office services are Process of assessing insurance Insurance
by back office. operations that provided to HNIs credit worthiness or Refers to
Related to provide direct based on value/ risk of a potential Insurance
services to volume of deposits borrower & his contracts
- General leger customers for / transactions. ability to repay that do not
- MIS personal use. loan. come under
- Reporting E.g. Debit Critical process the ambit of
cards, personal while determining life insurance
- Compliance loans,
etc. grant of loan to
mortgages etc. customer.

2. C O R E B A N K I N G S Y S T E M / S O L U T I O N

P a g e |3
 May 22 Core Banking Solution
Core Banking Systems

2.1. I N T R O D U C T I O N T O CBS

C •Centralised
O •Online
R •Real Time
E •Exchange/Environment

Common IT solution where

Central shared database
CBS
Supports entire banking application & function.
It allows customers to use various banking facilities irrespective of bank branch location.

2.2. C H A R A C T E R I S T I C S O F CBS

a) Common Database in Central Server located at Data Center.

b) Centralized Banking App s/w having several components to meet the demands of Banking industry.
c) Supported by Advanced Technology infrastructure.
d) Modular structure and can be implemented in stages as per requirements of Banks.
e) Enables integration of all third-party apps [BHIM] & in-house banking s/w.
f) Branches function as delivery channels providing services to its customers

2.3. E X A M P L E S O F CBS

Finacle BaNCS Flexcube FinnOne bankMate

Q. A bank PQR has many branches all over India. However, the competent authority intends to bring all
the branches together under one umbrella and make it centralized. For that, identify most prominently
available Core Banking Software in t he market.

2.4. K E Y M O D U L E S O F CBS

Core of CBS
• Back Office • Mobile Banking
• Data Warehouse • Internet Banking
• Central Server
• Credit Card System comprising of App • Phone Banking
• ATM Switch Server & Database • Branch Banking
Server
Back End Front End
Applications Applications

4|P a ge
 Core Banking Systems May 22

Core Banking Systems

S No. Modules Explanation
1 Back Office ▪ Part of Bank comprising of Administration and Support Personnel who are not
client facing.
▪ Back-office functions include settlement, record maintenance, regulatory
compliance , Accounts & IT.
2 Data warehouse ▪ Banking professionals use data warehouses to simplify and standardize the
way they gather data and finally get to one clear version of the truth.
3 Credit Card ▪ It provides services of
system
➢ Customer Management
➢ Credit Card Management
➢ Customer Information Management
➢ online transaction authorization
➢ Supports Payment Application
4 ATM ▪ It is an electronic Banking outlet that allows customers to do basic banking
transactions without help of any branch official.
▪ Need debit card or credit card to access ATM.
▪ Enables customer to perform
➢ Quick self-service online transactions like Deposit, Withdrawal etc.
➢ to more complex transactions like bill payments.
5 Internet Banking ▪ Also known as Online Banking, is an electronic payment system that enables
customers of a bank or other financial institution to conduct a range of
financial transactions through the financial institution's website accessed
through any browser.
▪ Examples of Transactions: Make and receive payments to our bank accounts,
open Fixed and Recurring Deposits, view account details, request a cheque book
and a lot more, while you are online.
6 Mobile Banking ▪ It is a service provided by a bank or other financial institution that allows its
customers to conduct financial transactions remotely using a mobile device
such as a smartphone or tablet.
▪ Unlike the related internet banking, it uses software, usually called an app,
provided by the financial institution for the purpose.
7 Phone Banking ▪ It is a functionality through which customers can execute many of the banking
transactional services through Contact Centre of a bank over phone, without
the need to visit a bank branch or ATM.
▪ The use of telephone banking services, however, has been declining in favor of
internet banking.
▪ Account related information, Cheque Book issue request, stop payment of
cheque, Opening of Fixed deposit etc. are some of the services that can be
availed under Phone Banking.
8 Branch Banking ▪ Due to CBS, Front end & Back-end processes within a bank have been
automated resulting in seamless workflow. Branch Confines itself to following
key functions:
a) Creating manual document capturing data required for Input into s/w.

P a g e |5
 May 22 Core Banking Solution
Core Banking Systems

S No. Modules Explanation

b) Initiating Beginning of Day (BOD) operations
c) End of Day (EOD) operations
d) Reviewing reports for control and error correction.
e) Internal Authorization.

Q. In the Core Banking Systems, the central server supports the entire banking process through front-end
and back-end applications and enables the users to access numerous online banking facilities 24x7. Explain
various Front-end applications of Core Banking Systems.

2.5. C O R E F E A T U R E S O F CBS ( O T H E R T H A N B A N K I N G S E R V I C ES )

In addition to basic banking services that a Bank provides through use of CBS, the technology enables
Banks to add following features to its service delivery:
i) Online real time processing
ii) Transactions are posted immediately
iii) All database updated simultaneously
iv) Centralized operations [All data stored in one common database]
v) Anytime, anywhere access to customers and vendors
vi) Banking access through multiple channels like mobile, web etc.
vii) Remote interaction with customers
viii) Automatic processing of standing instructions like auto deduction of credit balance on specific date.
ix) Centralized Internet application for all accounts
x) Business and Services are productized.

Q. Briefly explain core features of Core Banking Software.

3. C O M P O N E N T S & A R C H I T E C T U R E O F CBS

3.1. CBS IT E N V I R O N M E N T

CBS is a Technology Environment based on Client-Server Architecture, having a

➢ Remote Server (called Data Centre) and
➢ Clients (called Service Outlets which are connected through channel servers) branches.
The server is a sophisticated computer that accepts service requests from different machines called
Clients. The requests are processed by the server and sent back to the clients.

6|P a ge
 Core Banking Systems May 22

Core Banking Systems

Constituents / Types of servers used in deploying CBS are as follows:
a) Application ▪ It performs necessary operations & updates the A/c of a customer in DB server.
server
▪ Whatever transaction a customer does at any Branch of Bank, it is updated at
centralized database by App server.
b) Database Server ▪ It contains entire data of Bank like account of customers and master data like
customer master data, employee data, rates for loan, deposits etc. It is accessed
by App server.
c) Automated Teller ▪ It contains details of ATM A/c holders. When central DB is busy due to central
Machine Channel end of day activity or due to any other reason, file containing A/c balance of
Server customers is sent to ATM switch (file is called positive balance file).
▪ This ensures continuity of ATM operations.
▪ ATM PIN numbers of the ATM account holders is not stored in ATMCS but in
IBCS.
d) Internet Banking ▪ It stores username & password of all internet Banking customers and the branch
Channel Server to which the customer belongs. Such information is not stored in ATM servers.
e) Internet Banking ▪ It stores Internet Banking software which authenticates customer with login
App Server details stored in IBCS.

P a g e |7
 May 22 Core Banking Solution
Core Banking Systems

f) Web Server ▪ It hosts website and all internet related S/w. All online requests on website are
serviced through web server.
▪ It is a program that uses HTTP (Hypertext Transfer Protocol) to serve the files
that form Web pages to users, in response to their requests.
g) Proxy Server ▪ It’s a computer that offers indirect n/w connection to other network server.
▪ Client connects to proxy server and then requests a connection or file or resource
available on different bank server.
▪ It serves as an intermediary between the users and the websites they browse for.
h) Anti-virus ▪ It is used to host Anti-virus software. It is installed for ensuring that all s/w being
Software Server deployed on CBS are first scanned to ensure that they are safe from
virus/malware.

Q. Distinguish between Application Server and Database Server.

Q. Briefly explain proxy server and Automated Teller Machine (ATM) Channel Server.
Q. Explain the working of Automated Teller Machines (ATM) Channel Server?
Q. Differentiate between IBCS and IBAS used in Core Banking Systems.

3.2. T E C H N O L O G Y C O M P O N E N T S O F CBS

Online
Application Data centre/ Data
Database Environment transaction Cyber Security
Environment recovery centre
monitoring
Consists of App Consists of centrally Includes various App Effective Comprehensive Cyber
servers that host located database servers, DB servers, monitoring Security Framework is
different CBS like servers that store the web servers etc. and should be done prescribed by RBI for
Flex Cube, Bank data for all branches various other as part of Banks to ensure
Mate etc. and is of the Bank. technological managing effective information
centrally used by Data may include components. fraud risk mgt. security governance.
different Banks. customer master data, Proper awareness Proper alert Some key features of
Access to these interest rates, account should be created system should Cyber Security
application types etc. among the be enabled to Framework as
servers will It is updated by App employees through identify any prescribed by are RBI
generally be servers and is kept periodic trainings changes in the for banks are as under:
routed through a very secure. and mock drills for log settings.
firewall. disaster recovery
procedures.

Network Security and Secure

Application Security
Configuration
The following key measures are Full-fledged Security policy to ensure CIA of data and
required to be implemented: information needs to be developed and implemented
a) Multi-layered boundary defense covering following key features:
through properly configured proxy a) Implementation of bank specific email domains (example,
servers, firewalls, intrusion detection XYZ bank with mail domain xyz.in) with anti-phishing
systems to protect the network from (security measures to prevent steal of user data) and anti-
any malicious attacks and to detect malware software (software tool/program to identify and

8|P a ge
 Core Banking Systems May 22

Core Banking Systems

any unauthorized network entries. prevent malicious software/malware from infecting
b) Different LAN segments for in- network).
house/onsite ATM and CBS/branch b) Two factor authentication, an extra step added to
network to ensure adequate the log- in process, such as a code sent to user’s phone or
bandwidth to deal with the volume a fingerprint scan, that helps verify the user’s identity and
of transactions so as to prevent prevent cybercriminals from accessing private information.
slowing down and lower efficiency. c) Implementation of Password Management policy to provide
c) To ensure security of network; guidance on creating and using passwords in ways that
proper usage of routers, hubs and maximize security of password and minimize misuse/theft.
switches should be envisaged. d) Effective training of employees to educate them to strictly
d) Periodic security review of systems avoid clicking any links received via email.
and terminals to assess the e) Proper reporting mechanism to save the banks from the
network’s vulnerability and identify effects of misconduct – including legal liability, lasting
the weaknesses. reputational harm, and serious financial losses.
e) Identification of the risks to ensure f) Incident response and management mechanism to take
that risks are within the bank’s risk appropriate action in case of any cyber security incident
appetite and are managed with well written incident response procedures elaborating
appropriately. the roles of staff handling such incidents.
g) Capturing of audit logs pertaining to user actions & an alert
mechanism to monitor any change in the log settings.
h) Continuous surveillance to stay regularly updated on the
latest nature of emerging cyber threats.

Q. Briefly explain major components of a CBS solution.

Q. List the key technology components of Core Banking System (CBS).

3.3. K E Y A S P E C T S B U I L T W I T H I N A R C H I T E C TU R E O F CBS

1. Information flows This facilitates Information flow within Bank and increases speed and
accuracy of decision-making.
2. Customer Centric This enables Bank to target customers with right offers at right time to
increase profitability.
3. Regulatory Compliance This has built-in and regularly updated regulatory platform which ensures
complex compliance by Banks. Eg:- maintain required % of CRR, SLR
4. Resource optimization This optimizes resource utilisation through improved assets sharing, reusability,
faster processing and increased accuracy.

Q. Explain various key aspects in-built into the architecture of a Core Banking System.

3.4. F U N C T I O N A L A R C H I T E C T U R E O F CBS

CBS is the ERP software of a Bank. It covers all aspects of Banking operations from
➢ Micro- to macro operations and covers all Banking services ranging from
➢ Back office to front office operations
➢ Transactions at counter to online transactions &
➢ G.L to reporting.

P a g e |9
 May 22 Core Banking Solution
Core Banking Systems

However, it is modular in nature & it is implemented for all functions or core functions as decided by
management.
Implementation depends on Need and critically of specific Banking service provided by the Bank.
Eg:- If FOREX transactions of Bank are minimal, related functions may not be implemented.

3.5. I M P L E M E N T A T I O N O F CBS

Deployment and Implementation of CBS should be controlled at various stages to ensure that Bank’s
automation objectives are achieved.
1. Planning Planning for implementation of CBS should be done as per Bank’s strategic and
business objectives.
2. Approval Since high investment and recurring costs are involved, decision must be approved by
B.O.D.
3. Selection There are multiple vendors of CBS, each solution has key differentiators. Bank should
select the right one as per their objective & requirements.
4. Design & Develop Earlier CBS was developed in-house by Banks. Currently, its mostly procured. There
or Procured should be control over design and development or procurement of CBS.
5. Testing Extensive testing must be done before CBS is live. Testing is done at various phases:
- at procurement stage (to test suitability)
- to data migration (to ensure all existing data is migrated)
- to testing processing of different types of Transactions of all modules (to ensure
correct results are produced)
6. Implementationa) Must be implemented as per pre-defined & agreed plan in a time bound manner.
7. Maintenance CBS needs to be properly maintained. E.g. Program bugs fixation.
8. Support To ensure it is working effectively.
9. Updation CBS must be updated based on changing requirements of business, technology &
regulatory compliances.
10. Audit Should be done internally & externally to ensure controls are working as expected.

Q. “The deployment and implementation of Core Banking Systems (CBS) should be controlled at various
stages to ensure that the banks automation objectives are achieved”. Analyse the statement.
Q. DFK corporative bank of Uttar Pradesh decided to implement Core Banking System (CBS) to facilitate
integration of its entire business applications. Briefly explain how the deployment and implementation of
CBS can be controlled at various stages to ensure that objectives of DFK corporative bank are achieved.

4. CBS R I S K S , S E C U R I T Y P O L I C Y & C O N T R O L S

4.1. R I S K S A S S O C I A T E D W I T H CBS

1. Operational Risk Refers to risk arising from direct or indirect loss to Bank due to inadequate or failed
➢ Internal Process, People & System.
Example- Inadequate audits, improper management, ineffective I.C. etc.

10 | P a g e
 Core Banking Systems May 22

Core Banking Systems

Operational risk necessarily excludes business risk and strategic risk.
The components of operational risk include:
Transaction Information
Legal Risk Compliance Risk People Risk
Processing Risk Security Risk
Arises because Refers to risk Refers to risk Refers to Refers to risk
of faulty arising due to arising exposure to legal arising from
reporting of use of info. because of penalties & loss
➢ lack of
important systems & the an organization
➢ treatment trained key
market environment can face when it
of clients, personnel,
developments in which these fails to act as
to Bank systems ➢ sale of per industry ➢ tampering of
management. operate. products, laws and records and
May also occur or regulations.
➢ nexus
due to errors in ➢ business between front
entry of data practices and back-end
for processing. of a Bank. offices.
2. Credit Risk Refers to risk of an Asset/Loan becoming irrecoverable due to outright default or Risk
of unexpected delay in servicing of loan.
A form of counter party risk since Bank and borrower usually sign a loan contract.
3. Market Risk Refers to risk of losses in Bank’s trading book due to changes in
➢ equity price; commodity price; Interest rate; foreign currency rate etc.
To manage this risk, Bank deploys highly sophisticated mathematical & statistical
techniques.
4. Strategic Risk/ Refers to risk that earnings will decline due to change in business environment. E.g.
Business Risk New competitor, new mergers or acquisitions, change in demand of customer etc.
5. IT Related Risk Once the complete business is captured by technology and processes are automated
in CBS; the staff of the bank, customers, and management are completely dependent
on the Data Centre of the bank.
Some of the common IT risks related to CBS are as follows:
a) Ownership of Data is stored in data center. Bank must establish clear ownership of data so that
Data / Process accountability can be fixed and unwanted changes to the data can be prevented.
b) Authorization It ensures only authorized person can enter data in CBS. If authorization process is
process not robust, unauthorized person can access customer Information & other sensitive
data.
c) Authentication Username, password, PIN, OTP are commonly used for authentication process.
process
d) Several S/w A Data center may have as many as 100 different interfaces & App software.
Interface across It requires adequate Infra. like uninterrupted power supply, backup generator etc.
diverse n/w
e) Maintaining Maintaining optimum response time & uptime can be challenging.
response time
f) Access Control Since Bank is subjected to all types of attack, designing access control is a
challenging task.
g) Change It reduces risk that new system is rejected by users. However, it requires changes at
management App level & data level of DB - Master files, transaction files and reporting software.

P a g e | 11
 May 22 Core Banking Solution
Core Banking Systems

Q. Discuss various risks that are associated with CBS software.

Q. List the key technology components of Core Banking System (CBS).
Q. Once the complete business of a bank is captured by technology and processes are automated in Core
Banking System (CBS), the data of the bank, customer, management and staff are completely dependent
on the Data center. From a risk assessment point of view, it is critical to ensure that the bank can impart
training to its staff in the core areas of technology for efficient risk management. Explain any six common
IT risks related to CBS.

4.2. S E C U R I T Y P O L I C Y

Large organizations like Financial Institutions and Banks need to have laid down framework for security with
proper organization structure, defined roles, responsibilities within the organization.
Since Banks deal in third party money and need to create a framework of security for its systems, this
framework needs to be of global standards to create trust in customers in and outside India
Information security → Refers to ensuring CIA of Information. It is critical to mitigate risk of risk of
Information Technologies.
RBI has suggested use of 1SO 27001: 2013 to implement information security. Also advised to obtain 1SO 27001
certification for data centers.
Information security comprises following sub-processes:
a) Info Security Policies, Refers to processes related to approval & implementation of Info security.
Procedures & I.S. policy is the basis for developing detailed procedures & practices for I.S.
Practices security & implementing it.
E.g. – Non-disclosure agreement with employees, vendors etc., KYC procedures.
b) User Security Refers to the security of various users of I.S. It defines how users are created and
Administration Access is granted or disabled as per Organization structure & Access matrix.
c) Application Security Refers to how security is implemented at various aspects of Application. E.g. Event
Logging
d) Database security Refers to how security is implemented at various aspects of database. E.g. RBAC
e) Operating system Refers to how security is implemented at various aspects of OS.
security
f) Network security Refers to how security is implemented at various aspects of network & connectivity
to the servers. E.g. Use of VPN for employees, implementation of firewalls etc.
g) Physical Security Refers to how security is implemented for physical access. For example - Disabling
the USB ports.

Risk & Control w.r.t. Information Security

Risk Control
a) Lack of Management Direction & Commitment to Security policies are established and management
protect Information Asset. has to monitor compliance with policies.
b) User accountability is not established All users are required to have unique user ID.
c) Potential loss of CIA of data/ Info Appropriate physical and logical access controls
should be implemented.

12 | P a g e
 Core Banking Systems May 22

Core Banking Systems

Vendor default password for OS, DB, N/w etc. User
should change it on receiving software.
d) It is easier of unauthorized users to guess Password should be complex & changed frequently
password of an authentic user
e) Unauthorized viewing, modification or copying of User access privileges must be defined, and such
data and/or unauthorized use, modification or privileges are periodically reviewed by system owners.
denial of service in the system
f) Security breach may go undetected Access to sensitive data is logged and reviewed.
g) Inadequate preventive measure for server and IT Adequate environmental controls should be
system in case of environmental threats like flood, implemented like fire alarm, disaster recovery plan,
fire etc. back up etc.

Q. In line with the suggestions of RBI, M/s. ABC Bank is planning to obtain ISO 27001:2013 certification for
its Information Security Management System. As an IS Auditor, you are required to prepare a sample list of
Risks w.r.t Information Security for the bank.
Q. Information Security that refers to ensure Confidentiality, Integrity and Availability of information, is
critical in banking industry, to mitigate the risks of Information Technology. Identify and explain various
sub-processes that are involved in Information Security. [MTP Dec 21]

4.3. I N T E R N A L C O N T R O L S Y S T E M I N B A N K

I.C. helps mitigate the risk and must be integrated in IT solution implemented at Bank’s Branches.
Objectives of I.C. a) Ensuring Accuracy and completeness of A/c record
in Bank b) Timely preparation of reliable F.S.
c) Orderly & efficient conduct of business
d) Compliance with regulatory requirements
e) Safeguard of Assets through prevention & detection of fraud.
f) Adherence to management policy.
Examples of I.C. i) Maker Checker process - Work of one staff is checked by another worker irrespective
of nature of work.
ii) System of job rotation among staff exists.
iii) Financial and Administrative powers of each Employee is fixed & communicated.
iv) All books are to be regularly balanced and confirmed by authorized official.
v) Branch managers must send periodic confirmation to their controlling authority on
compliance of the laid down systems and procedures.
vi) Fraud prone items like currency, valuables etc should be in custody of 2 or more
officials of Bank.
vii) Details of lost security forms are immediately sent to controlling authority.

Q. Automation of business processes has introduced new types of risks in banking service. You being the
Branch Manager of a CBS branch, list out some of the I.C. you think to be implemented in your branch.

4.4. IT C O N T R O L S I N B A N K

IT risks are mitigated by implementing right type & level of IT controls in automated environment.
It is done by integrating controls into Info Tech/CBS.

P a g e | 13
 May 22 Core Banking Solution
Core Banking Systems

Examples:
a) System maintains records of all log-ins and log-outs.
b) Transaction is allowed to be posted in Dormant A/c only with supervisory password.
c) System checks whether the amount to be withdrawn is within the drawing power.
d) Access to system is available only b/w stipulated hours & specified days only.
e) User Timeout is prescribed [auto log out in case system is inactive]
f) User should be given access on “Need to know basis”
g) Once end of day operations are over, ledger can’t be opened w/o supervisory password.

Q. Information Technology (IT) risks can be reduced by implementing the right type and level of control in
automated environment that is done by integrated controls into information technology. Being an IT
consultant, suggest various steps of IT control to a branch manager of a bank.

4.5. C O N T R O L S I N B A N K ’ S A P P L I C A T I O N S O F T W A R E

There are 4 Gateways through which an Enterprise can control, access & use the various menus and
functions of Software. Examples of each are given below:

Configuration Master Transaction Reports

a) User Activation & a) Customers a) Deposit Transaction – Generated periodically or on
Deactivation master data – opening of A/c, demand by users at diff. level
Process Type, name withdrawal, Interest
Address, PAN computation etc. - Standard
b) User access &
privileges b) Employees b) Loan & Advance - Ad-hoc
management Master Data - Transaction CBS has extensive reporting
c) Password
Employee name, c) General Ledger - Entry of feature like:
management ID, Date of expenses, Interest, a) Summary of Daily
joining, charges etc. Transactions
designation,
salary etc. b) Daily general ledger
c) Tax Master Data c) MIS report for each product/
– Tax rates, service.
slab, TDS rate d) Report of exceptions
etc.
e) Activity logging and review.

Risk & Control w.r.t. Application Controls

Risk Control
a) Inaccurate calculation of Interest Interest is auto calculated as per defined rules
b) Inaccurate assignment of rate codes The interest rate code is defaulted at the account level
c) Charges not levied resulting in loss of revenue or The charges applicable for various transactions as per
inappropriate charges levied resulting in account types are properly configured as per bank rules.
customer disputes It should be in compliances with RBI & bank’s policies.
d) Inappropriate reversal of charges resulting in System does not permit reversal of the charges in excess
loss of revenue. of the original amount charged.

14 | P a g e
 Core Banking Systems May 22

Core Banking Systems

e) Incorrect classification of NPA resulting in Configuration exists in the application to perform the
financial misstatement. NPA classification as per relevant RBI guidelines.
f) Inappropriate set up of accounts resulting in The system parameters are set up as per business
violation of business rules. process rules of the bank.

5. CORE B U S I N E S S P R O C E S S E S – R E L E V A N T R I S K S & C O N T R O L S

CASA Credit Card Mortgage Loan Loan & Trade Treasury process E-commerce Internet
finance Transaction Banking
▪ Process ▪ Process ▪ Process ▪ Process ▪ Process ▪ Process ▪ Process
▪ Risk & Control ▪ Risk & Control ▪ Risk & Control ▪ Risk & control ▪ Risk & Control

5.1. C U R R E N T A C C O U N T S A V I N G A C C O U N T [C ASA]

Business Process Flow

Risks & Controls w.r.t. CASA

Risk Control
1. Credit limit is set up in CBS by unauthorized Access right to authorize credit limit should be
person. restricted to authorised personnel only.
2. Credit line set up in CBS is not in line with Credit committee checks financial ratio, net worth and
Bank’s policy ensure credit limit is as per policy of Bank.
3. Customer master data defined in CBS is Access right to authorize customer master data in CBS
inaccurate should be restricted to authorised personnel only
4. Interest/ charge being calculated in CBS is Interest/ charge is auto calculated as per defined rules
incorrect

P a g e | 15
 May 22 Core Banking Solution
Core Banking Systems

5. Unauthorized person is approving CASA SOD is maintained b/w initiator and authorizer of
transactions in CBS transaction for processing of transaction.
6. Inaccurate A/c entries generated in CBS CBS should be configured to generate entry as per
defined rules.

Q. Current and Savings Account (CASA) is a unique feature which banks offer to their customers to make
them keep their money in their banks. Discuss its business process flow.
Q. You attended an IT workshop as a CBS. You are required to provide a basic idea to the participants about
Current & Savings Accounts (CASA) and primarily discuss the risks and controls that might be relevant in
CASA process. Advise about the relevant risks and their counter controls.

5.2. C R E D I T C A R D

Process Flow of Issuance of Credit Card

Credit Card Process Flow of Sale - Authorization Process of Credit Card Facilities

Process Flow of Clearing & Settlement process of Credit Card Facility

Process Flow - Issuance of credit card

Same as CASA

Process Flow - Using Credit Card / Authorisation Process of Credit Card facilities

Process Flow - Clearing & Settlement of Credit Card facilities

16 | P a g e
 Core Banking Systems May 22

Core Banking Systems

Risks & Controls w.r.t. Credit Card – Same as CASA (first 4 points)

Q. Now-a-days, Credit Cards are extensively being used for payment purpose. As a consultant to credit
card section of a bank, advise the risks involved in the credit card process.

5.3. M O R T G A G E L O A N

Refers to a secured loan which is secured on Borrower’s property.

A charge/lien is created on the property as collateral. If borrower defaults on repayment of loan, lender can
sell the property to recover due amount.
Mortgages are used by individuals and businesses to make large real estate purchases without paying the
entire value of the purchase up front.
Loan for under –construction
Home Loan Top – up Loan
property
Traditional mortgage for Additional loan is applied by a Loan is granted in parts/tranches as
purchase of property. customer who is already having a per construction plan.
Customer has an option of loan either for refurbishment or
selecting fixed or variable renovation of the house.
rate of interest.

Business Process Flow

P a g e | 17
 May 22 Core Banking Solution
Core Banking Systems

Risks & Controls w.r.t. Mortgage Loan

Risk Control
1. Incorrect customer and loan detail is captured Secondary review is performed by independent team
in CBS who will verify details captured in CBS with offer letter.
2. Incorrect loan amount is disbursed Same as above
3. Interest amount is incorrectly calculated and Interest is auto-calculated by CBS based on pre-defined
charged rules i.e., Loan Amount, Interest rate, Tenure etc.
4. Unauthorized changes made to loan master SOD must exist in CBS. Every transaction entered in CBS
data and customer master data must be authorized by another person.
Reviewer cannot edit any details submitted by person
putting data.

Q. Explain the term “Mortgage Plan”. Also, briefly discuss its different types.
Q. Mr. X mortgaged his old flat and took a loan from ABC bank to set up his new business. The said
transaction was recorded in the ABC bank software that may be prone to various risks. Discuss any two
risks and their corresponding controls related to the process of Mortgage involved in Core Banking System.

5.4. L O A N A N D T R A D E F I N A N C E P R O C E S S

Lending business is main business of Bank. It is carried on by bank by offering various credit facilities.
It carries inherent risks and Bank can’t lend more than calculated risk.
Bank should ensure:
a) Proper recovery of funds lent by it; and
b) Be aware of legal remedies & laws w.r.t credit facilities provided by it .

Classification of Credit Facilities

Fund Based Credit Facilities Non-Fund Based Credit Facilities
Involves outflow of funds i.e., money of Bank is lent Does not involve outflow of fund
to customer. Types:
Types: Letter of credit
Cash credits; Overdrafts; Term loans / Demand Guarantee
Loans; Discounting of Bills

Process Flow - Customer Master Creation in Loan Disbursal System

18 | P a g e
 Core Banking Systems May 22

Core Banking Systems

Process Flow - Loan Disbursal / Credit Facility Utilisation & Income Accounting

Approaches for availing credit facility as per sanction letter

Customer Bank

Provide credit facility after verifying credit limit in loan disbursal system

Fund Based Credit Facilities Non-Fund Based Credit Facilities

Funds are disbursed and loan is recorded in CBS as Facilities are granted
recoverable. 3 Accounting Entries
3 accounting entries a) On booking Facility
a) On booking loan Contingent Asset – Dr
Loan A/c – Dr To contingent liability
To customer A/c b) On booking Commission Income [accrued
b) On booking Interest/Discounting Income [accrued over tenure of Guarantee/L.C.]
daily] Customer – Dr
Customer A/c – Dr To commission
To Interest c) On maturity
c) On maturity Contingent liability – Dr
Customer A/c – Dr To contingent Asset
To Loan a/c

P a g e | 19
 May 22 Core Banking Solution
Core Banking Systems

S. No. Product Income for banks Accounting of Income

1. Cash Credit/ Interest Credits Interest accrued on daily basis at agreed
Overdraft credits/ Overdraft rates
balances
2. Demand Loans/ Interest on Demand Interest accrued on daily basis at agreed
Terms Loans Loans/Term Loan rates
3. Bill Discounting Discounting Income Interest accrued on daily basis at agreed
rates
4. Bank Guarantee Commission Commission accrued over the tenure of the
bank guarantee.
5. Letter of Credit Commission Commission accrued over the tenure of the
L.C.

Risks & Controls w.r.t. Loans & Advance Process

Same as Mortgage Loan & first 4 points of CASA.

5.5. T R E A S U R Y P R O C E S S

Products in Investment Category Product in Trading category

- Government security; Shares; Debenture & Bonds - Foreign exchange

- Venture capital fund; Mutual funds - Derivatives (Future & Option)

Core Areas of Treasury Operations – can be divided into the following broad compartments
Front office Middle office Back office
F.O. operations consist of M.O. operations include It supports front office. B.O.
dealing room operations where a) Risk Management
operations include
dealers enter into deal/trade a) Confirmation of deals entered
with corporate & Inter Bank b) Pricing & Valuations
by front office Team
counter parties. c) Responsible for Treasury A/c
b) Settlement of funds/ securities
Deals are entered by dealers on d) Documentation of various
various trading platforms like c) Performs Front office and Back-
deals &
Telephone, Broker & other office reconciliation to ensure
e) Producing financial result accuracy & completeness of all
private channels.
analysis & budget forecast & deals in a day
Dealer is responsible for
f) Preparing financial statement d) Checking and confirming
checking
for regulatory reporting. existence of valid & enforceable
- Counter party credit limit. ISDA (International swap dealer
- Eligibility & Other Association) Agreement.
regulatory requirements of
Bank before entering into
deal with customers.
All risks are borne by dealer.

20 | P a g e
 Core Banking Systems May 22

Core Banking Systems

Risks & Controls w.r.t. Treasury Process
Risk Control
a) Unauthorized security set-up in systems such as Appropriate SOD and review controls to ensure
F.O./ B.O. accurate security set-up.
b) Inaccurate trade is processed Appropriate SOD and review controls for ensuring
accuracy of Trade processing.
c) Unauthorized confirmations are processed Complete and accurate confirmations to be
obtained from counter-party.
d) Inaccurate info flow b/w 3 systems Inter-system reconciliation & Inter-system
Interfaces
e) Insufficient securities available for settlement Effective controls on security & margins
f) Insufficient fund available for settlement Effective controls on security and margins.

Q. Discuss the risks and their corresponding controls associated with the Treasury Process in CBS.

5.6. I N T E R N E T B A N K I N G P R O C E S S

P a g e | 21
 May 22 Core Banking Solution
Core Banking Systems

Facilities Available in Internet Banking

a) Password change
b) A/c Balance check
c) Fund transfer
d) Statement of A/c
e) Request cheque Book
f) Credit Card/ Debit card request /payment / Block
g) Opening of FD/ RD and breaking it.

5.7. E-C O M M E R C E T R A N S A C T I O N P R O C E S S I N G

22 | P a g e
 Core Banking Systems May 22

Core Banking Systems

Most of the e-Commerce transactions involve advance payment either through a credit or debit card
issued by a bank.
The figure below highlights flow of transaction when a customer buys online from vendor’s e-commerce
website.

6. A P P L I C A B L E R E G U L A T O R Y A N D C O M P L I A N C E R E Q U I R E M EN TS

Regulatory and Compliance Requirements

Banking Negotiable IT Act 2000

Regulations Act, Instruments Act, RBI Regulations PMLA, 2002 amended by 2008
1949 1881

6.1. B A N K I N G R E G U L A T I O N A C T , 1949

It regulates all Banking Companies in India Including co-operative Banks even though cooperative banks,
which operate only in one state, are formed and run by the state government.
It provides framework for regulating and supervision of commercial Banks.
It gives RBI power to:
a) License Bank
b) Regulating shareholding and voting rights
c) Supervise appointment of BOD and Management
d) Merger and acquisition, Liquidation
e) Impose penalties
f) Control moratorium [Period of time during which borrower need not to pay EMI on loan]
g) Issue directives to Bank in Interest of public & Bank.
h) Give instructions for Audit.
RBI also provides
i) tech platform for NEFT and RTGS & other Central processing (clearing house).

P a g e | 23
 May 22 Core Banking Solution
Core Banking Systems

ii) Guidelines on how to deploy IT.

6.2. N E G O T I A B L E I N S T R U M E N T A C T , 1881

Truncated Cheque i.e. electonic image of a paper cheque NI Act gives validity &
Cheque

enforceability to these
Electronic cheque i.e. cheque in electrnoic form two types of cheque.

NI Act recognizes digital signature, with or without biometric signature, and asymmetric crypto system as
medium of signing but IT Act, 2000 has been amended in the year 2008 to make provision for electronic
signature also.
Hence, suitable amendment in this regard may be required in NI Act so that electronic signature may be
used on cheques in electronic form.

6.3. RBI R E G U L A T I O N S

RBI was established on 1st April, 1935 as per RBI Act, 1934.
Key functions of RBI:
1. Monetary RBI formulates, implements & monitors monetary policy with objective of:
authority a) maintaining price stability; and
b) ensuring adequate flow of credit to productive sectors
Tools: CRR, SLR, Open market operations
2. Issuer of Currency Issues, exchanges or destroys currency and coins with objective of providing
adequate quantity of supply of currency notes and coins in good quality.
3. Regulator and RBI regulates financial system with objective of
Supervisor of the
➢ maintaining public confidence;
Financial System
➢ protect depositor’s interest; and
➢ provide cost effective banking services to the public.

Q. Briefly explain Key functions of RBI.

6.4. P R E V E N T I O N O F M O N E Y L A U N D E R I N G A C T , 2002

24 | P a g e
 Core Banking Systems May 22

Core Banking Systems

Black Money White Money

• Unaccounted Money on which

Tax is not paid • From Legitimate source
• Earned from illegal means like
➔Terrorism
➔Smuggling
➔Drug trafficing
➔Illegal Arms sale
t 2008
Money laundering is a process by which
➢ proceeds of crime and true ownership of those proceeds are
➢ concealed so that it appears to come from legitimate source.
Objective of ML: To conceal existence, illegal source, or illegal application of proceeds of crime and to make it
appear as clean/ legitimate.
It is used by criminals to make dirty money appear clean.

3 Stages of Money Laundering

Placement Layering Integration
It involves placement / Involves separation of proceeds of Involves conversion of proceeds of
movement of proceeds of crime crime form illegal source using crime into apparent legitimate
into a form which is less complex transactions to obscure earning through normal financial or
suspicious & more convenient. the audit trail & hide the proceeds. commercial transaction.
Eg:- Putting money in This is done through sending Eg: Fake invoice for good exports,
legitimate financial system. money through various Banks, Buying properties.
Countries, currencies, continuous It creates illusion that dirty money
deposits & withdrawals. is derived from legitimate source.

Q. Banks face the challenge of addressing the threat of money laundering on multiple fronts as banks can
be used as primary means for transfer of money across geographies. Considering the above statement,
discuss the Money Laundering process and its different stages.

6.4.1. A N T I -M O N E Y L A U N D E R I N G ( AML) U S I N G T E C H N O L O G Y

What if Bank fails to control Money Laundering?

Loss of reputation Legal and Regulatory Declining profit.

and G/w. sanction.

Bank can be used in M.L. as primary means for placement and layering of proceeds of crime as it acts as a
means to transfer money across geographics, A/c & currencies.
The challenge is even greater for Banks using CBS as all transactions are integrated. With regulators
adopting stricter regulations on Banks and enhancing their enforcement efforts, Banks are using special
fraud and risk management S/w to:

P a g e | 25
 May 22 Core Banking Solution
Core Banking Systems

a) Prevent and detect M.L.

b) Daily processing and reporting of suspicious Transaction.

6.4.2. F I N A N C I N G O F T E R R O R I S M

Money to fund terrorist activities moves through the global financial system via wire transfers and in and
out of personal and business accounts.
It is a form of M.L. but it does not work the way conventional M.L. works. Money starts as clean i.e., as
“charitable donation” before moving to terrorist A/c.
It is highly time sensitive requiring quick response.

6.4.3. K E Y P R O V I S I O N S O F PMLA, 2 002

Sec 3 Whosoever directly or indirectly indulges, attempts to indulge or knowingly assists or

is a party to any process or activity connected with the proceeds of crime including its
➢ concealment, possession, acquisition or use and
➢ projecting or claiming it as untainted property
➢ shall be guilty of offence of money-laundering.
Sec 12 Reporting Entities are required to:
Reporting entities 1) Maintain records of all transactions that enable it to reconstruct Individual
to maintain transaction.
Records Record is to be maintained for at least 5 years from the date of Transaction b/w
client and Reporting entity.
2) Furnish information w.r.t such value & nature of transaction to Director, whether
attempted or executed, as prescribed.
3) Maintain record of Identity of client & Beneficial owner, account file, business
correspondences for 5 years after the
a) Business relation b/w client and R.E. ended; or
b) A/c has been closed;
whichever is later.
Note: CG may, by notification, exempt any reporting entity or class of reporting entities
from any obligation under this Chapter.
Sec 13 ▪ The Director may, either on own motion or on application made by any authority,
Power of Director officer or person, make such enquiry from R.E. as may deem necessary.
to impose fine ▪ If Director is of opinion that due to Nature & complexity of case, Audit of record is
necessary, he may direct R.E to get the records audited by an Accountant [CA] from
a panel of CAs maintained by CG.
▪ Expense of audit & incidental expenses is to be borne by CG.
▪ If the Director, during course of enquiry, finds that R.E. or its designated director or
Board or any of its employee failed to comply with PMLA, he can:
a) Issue warning in writing; or
b) Direct such R.E. or its designated director or Board or employee to comply with
specific instructions; or
c) Direct R.E. its designated director or Board or any of its employee to send reports

26 | P a g e
 Core Banking Systems May 22

Core Banking Systems

at prescribed interval; or
d) Impose a monetary penalty on R.E, its designated director or Board or any of its
employee of not less than 10,000 & which may extend upto 1 lakh for each failure.
Section 63 Any person who wilfully and maliciously gives false information, causing an arrest or
Punishment for a search to be made of other person under this Act shall be liable for
false information ➢ imprisonment for a term which may extend to two years or
or failure to give
information, etc. ➢ with fine which may extend to fifty thousand rupees or
➢ both.
If a person
a) Refuses to answer any question asked by the Authority under PMLA; or
b) Refuses to legally sign any statement made by him before the Authority; or
c) Omits to attend or present of Books of A/c at time & place required by Authority;
he shall be liable to
➢ Penalty of not less than 500 to 10,000 for each default or failure.
Before an order is passed imposing penalty, an opportunity of being heard shall be given
to such person by the Authority.
Section 70 In case of contravention by Company,
Offence by ➢ every person who was in-charge of Company at the time of contravention as well as
Company
➢ Company shall be deemed to be
➢ guilty of contravention & punished accordingly.
No liability / Punishment of such person if he proves that:
a) contravention took place w/o his knowledge; or
b) he exercised all due diligence to prevent such contravention.

Miscellaneous Company includes anybody corporate, a firm or other association of Individual.

Director - In relation to firm, means partner .

Q. Describe the Section 63 in prevention of Money Laundering that specifies the punishment for false
implementation or failure to give information, etc.
Q. BMN Bank limited has recently started its core banking operations. The Bank approached Mr. X for his
advice regarding the maintenance of records as a reporting entity considering the provisions of the PMLA,
2002. What do you think shall be the probable reply of Mr. X mentioning the relevant provisions of the
PMLA, 2002? [RTP Dec 21]

6.5. I N F O R M A T I O N T E C H N O L O G Y A C T , 2000

Key Objectives/ Computer Privacy

Intro Provisions Advantages Related & SPDI Chap 1
Offence

The Amendment Act 2008 provides stronger privacy data protection measures as well as implementing
reasonable information security by implementing ISO: 27001 or equivalent certifiable standards to protect
against cyber-crimes.
For the banks, the Act exposes them to both civil and criminal liability.

P a g e | 27
 May 22 Core Banking Solution
Core Banking Systems

The civil liability could consist of exposure to pay damages by way of compensation up to 5 crores.
The criminal liability exposure may be to the top management of the Banks and it could consist of
➢ imprisonment for a term which would extend from three years to life imprisonment as also fine.
Earlier, Technology was one of the enablers but now, Technology has become the building block for
providing all banking services.

6.5.1. C Y B E R C R I M E

Cyber Crime refers to offences that are committed

➢ against individuals or groups of individuals with a
➢ criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or
loss, to the victim directly or indirectly,
➢ using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and
groups) and mobile phones.
It involves use of a computer and a network. The computer may have been used in committing a crime, or
it may be the target.
UN manual on Prevention and Control of Computers Related Crime classifies cyber-crimes into:
a) Committing of fraud by manipulating input, output or throughput of a computer-based system.
b) Computer forgery which involves changing image or data stored in computers.
c) Deliberate damage caused to computer data or programs through virus or logic bombs.
d) Unauthorized access to computer by hacking into system or stealing password.
e) Unauthorized reproduction of computer programs or s/w privacy.
Bank is prone/ susceptible to cyber-crime as it deals with money. Using technology, fraud can be
committed across countries w/o leaving a trace.
Hence, CBS and Banking s/w should have high level of controls covering all aspects of cyber-crime. ISO:
27001 must be implemented for Information security.

7. B A S E L III N O R M S & AI I N B A N K I N G I N D U S T R Y

Introduction Process How Bank specific risk are assessed

Financial crises of 2008 Base III is a comprehensive set As nature of Banking Business & risk involved
caused significant of reform measures developed by is quite large and complex, traditional
concern for the Banking Basel Committee on Banking assessment tools i.e., MIS and DSS do not
Industry. Supervision which aims to: work.
It exposed weak a) Strengthen the regulation & Thus, AI powered tools are used.
financial & risk supervision For this, data from CBS is transferred to
management system in b) Strengthen risk data warehouse for analysis/ data mining
Banks. management using AI tools.
c) Enhance its ability to This helps in identifying hidden trends which
absorb financial shock. helps in risk Assessment
It specifies capital adequacy This improves Risk management of Bank and
norms for Banks based on Risk in turn assessment of capital adequacy
assessment. under BASEL III.

28 | P a g e