ATM Risk Management and Controls - EuroJournals
European Journal of Economics, Finance and Administrative Sciences - Issue 21 (2010), p. 165

Management Risk Analysis

Management risk analysis identifies in detail the nature of the risks involved. This evaluation helps the financial institution decide whether controls are necessary to overcome losses that may arise from the various risks associated with ATMs. A plan is normally formulated as to how these ATM risks are going to be identified, what methods are going to be used to overcome these risks/threats, and, if a fraud or a misuse should occur, how much loss is expected and how the bank is going to recover.
This is the highest risk category and requires the strongest controls, since online transactions are often irrevocable once executed. The bank's internet systems may be exposed to internal or external attacks if controls are inadequate. A heightened element of risk is that attacks against internet systems do not require physical presence at the site being attacked. At times it is not even clear or detectable when and how attacks are launched from multiple locations in different countries.
In view of the proliferation and diversity of cyber attacks, banks should implement two-factor authentication at login for all types of internet banking systems and for authorising transactions. The principal objectives of two-factor authentication are to protect the confidentiality of customer account data and transaction details, and to enhance confidence in internet banking by combating phishing, key logging, spyware, malware, man-in-the-middle attacks and other internet-based scams and malevolent exploits targeted at banks and their customers.
Two-factor authentication for system login and transaction authorisation can be based on any two of the following factors:
• What you know (e.g. a Personal Identification Number)
• What you have (e.g. a One Time Password token)
• Who you are (e.g. biometrics, which comprises methods for uniquely recognising a person from one or more intrinsic physical traits)
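As an added illustration of the "what you know" plus "what you have" combination above (example code written for this page, not taken from the paper or from any bank's system): the server keeps only a salted, slow hash of the PIN, checks the token's one-time password with the HOTP algorithm of RFC 4226, refuses to accept an OTP that has already been used, and locks the account after repeated failures. The PIN, the token secret (the RFC 4226 test secret) and the account layout are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_pin(pin: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Store a salted PBKDF2 hash of the PIN rather than the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)


@dataclass
class Account:
    pin_salt: bytes
    pin_hash: bytes
    token_secret: bytes      # shared with the customer's OTP token at enrolment
    next_counter: int = 0    # lowest HOTP counter the server will still accept
    failed_attempts: int = 0
    locked: bool = False


def enrol(pin: str, token_secret: bytes) -> Account:
    """Constructed enrolment step: a fresh random salt per account."""
    salt = os.urandom(16)
    return Account(pin_salt=salt, pin_hash=hash_pin(pin, salt), token_secret=token_secret)


def authenticate(acct: Account, pin: str, otp: str,
                 look_ahead: int = 3, max_failures: int = 3) -> bool:
    """Both factors are evaluated before any decision is taken, so the single
    failure response does not reveal which factor was wrong."""
    if acct.locked:
        return False

    pin_ok = hmac.compare_digest(hash_pin(pin, acct.pin_salt), acct.pin_hash)

    # The token may have been pressed a few times without a login, so accept a
    # small window of counters ahead of the expected one, never behind it.
    matched = None
    for counter in range(acct.next_counter, acct.next_counter + look_ahead):
        if hmac.compare_digest(hotp(acct.token_secret, counter), otp):
            matched = counter
            break

    if pin_ok and matched is not None:
        acct.next_counter = matched + 1   # consume the OTP: a replay is refused
        acct.failed_attempts = 0
        return True

    acct.failed_attempts += 1
    if acct.failed_attempts >= max_failures:
        acct.locked = True                # stops online guessing of either factor
    return False


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test secret and a made-up PIN.
    secret = b"12345678901234567890"
    acct = enrol("4821", secret)
    print(authenticate(acct, "4821", hotp(secret, 0)))   # True
    print(authenticate(acct, "4821", hotp(secret, 0)))   # False: replayed OTP
    print(authenticate(acct, "0000", hotp(secret, 1)))   # False: wrong PIN
```

The look-ahead window and the lockout threshold are the two tuning points: a larger window tolerates more unused token presses but gives a guesser more valid codes per attempt, and the lockout bounds how many attempts a guesser gets at all.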
Risk analysis provides the financial institution with valuable information as to how much investment it should make to enhance the security and controls of its ATM installation. The EDP Audit Control and Security Newsletter (March 1991) indicated that risk analysis involves four steps:
• Reviewing the existing ATM centre environment
• Identifying the critical information processing of ATM applications
• Estimating the value of the ATM assets used by these applications that must be protected
• Quantifying the estimated loss associated with the occurrence of fraudulent misuse of cards, unauthorised withdrawals, etc.
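As an added worked example of the four steps (example code written for this page, not the newsletter's or the paper's method): the asset values, threat frequencies and loss fractions are constructed figures for a single ATM site, and the expected-loss arithmetic (loss per occurrence multiplied by occurrences per year, set against the annual cost of a control) is the assumption used here to turn step 4 into the investment decision the preceding paragraph refers to.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # amount at risk if the asset is fully lost (step 3)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str              # name of the Asset the threat acts on (steps 1-2)
    annual_rate: float      # expected occurrences per year
    loss_fraction: float    # share of the asset value lost per occurrence, 0..1


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Loss from one occurrence of the threat against the asset."""
    return round(asset.value * threat.loss_fraction, 2)


def annual_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Step 4: expected loss per year = loss per occurrence x occurrences per year."""
    return round(single_loss_expectancy(asset, threat) * threat.annual_rate, 2)


def risk_register(assets, threats):
    """Rank every threat by its expected annual loss, largest first."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]
        rows.append({"threat": t.name, "asset": a.name,
                     "sle": single_loss_expectancy(a, t),
                     "ale": annual_loss_expectancy(a, t)})
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


def evaluate_control(asset, threat, annual_control_cost,
                     residual_rate=None, residual_fraction=None):
    """Compare what a control saves in expected annual loss with what it costs.
    A control may cut how often the threat occurs, how much is lost each time, or both."""
    residual = replace(
        threat,
        annual_rate=threat.annual_rate if residual_rate is None else residual_rate,
        loss_fraction=threat.loss_fraction if residual_fraction is None else residual_fraction,
    )
    before = annual_loss_expectancy(asset, threat)
    after = annual_loss_expectancy(asset, residual)
    net = round(before - after - annual_control_cost, 2)
    return {"ale_before": before, "ale_after": after,
            "annual_cost": annual_control_cost,
            "net_benefit": net, "recommended": net > 0}


# Constructed sample figures for one ATM site; currency units are arbitrary.
CASH = Asset("Cash in the ATM cassettes", 150_000)
CARD_DATA = Asset("Card and PIN data handled by the ATM", 500_000)
HARDWARE = Asset("ATM unit and enclosure", 40_000)
ASSETS = [CASH, CARD_DATA, HARDWARE]

SKIMMING = Threat("Card skimming and PIN capture", CARD_DATA.name, annual_rate=0.5, loss_fraction=0.2)
SAFE_ATTACK = Threat("Physical attack on the safe", CASH.name, annual_rate=0.1, loss_fraction=1.0)
VANDALISM = Threat("Vandalism of the unit", HARDWARE.name, annual_rate=0.25, loss_fraction=0.3)
THREATS = [SKIMMING, SAFE_ATTACK, VANDALISM]


if __name__ == "__main__":
    for row in risk_register(ASSETS, THREATS):
        print(f"{row['ale']:>10,.2f}  {row['threat']}")
    # Anti-skimming device: assumed to cut skimming frequency from 0.5 to 0.1 per year.
    print(evaluate_control(CARD_DATA, SKIMMING, annual_control_cost=8_000, residual_rate=0.1))
    # Round-the-clock guarding: cuts safe attacks sharply but costs more than it saves.
    print(evaluate_control(CASH, SAFE_ATTACK, annual_control_cost=60_000, residual_rate=0.02))
```

The register puts the largest expected exposures first, which is where the review in step 1 should start; a control is recommended only when the expected loss it avoids exceeds its annual cost, which is the comparison the text's "how much investment" question asks for.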
Reviewing the Existing Operation of the ATM Installation

It is essential that management identify all the various hazards to which the ATM centre is exposed, whether natural disasters or otherwise. Management normally identifies the controls already in operation that are intended to reduce the possible impact of these risks/threats. Controls of all kinds that apply to the Automated Teller Machine must be identified.
Even though the existing ATM controls may appear to be in operation, management must make sure that maintenance is performed to ensure that the controls will be effective in the event of a fraud or misuse. John Page and Paul Hooper (1987) indicated that compliance testing serves the following purposes:
• To determine whether the necessary controls are in place
• To provide reasonable assurance that the controls are functioning properly
• To document when, how, and by whom the controls are performed
Management may recommend that some of these controls be changed, implemented or modified in ways that minimise the relevant risks and the exposure associated with them.