ATM Risk Management and Controls - EuroJournals

More documents

Recommendations

Info

168 European Journal of Economics, Finance and Administrative Sciences - Issue 21 (2010) • Retained cards – these ATM cards pose an even greater risk, if they fall into the wrong hands and are misused. • Inadequate supervision of embossing of the card. • Stolen cards not being reported immediately • Stocks of blank cards could lead to unauthorised cards being issued leading to fraud. 2. Business Process Controls In general no one person should handle all the transactions. This can be achieved by proper segregation of duties. Appropriate control should be included during reconciliation, verification of withdrawals and date/time of transactions was completed. Application Close supervision is necessary within the embossing department, where control on card issuance should be rigorous after embossing. Furthermore the envelopes should be issued based on a predetermined control number. During hours of non-production, the embossing department should be kept locked. Personnel having access to cards must be denied access to PINs whenever cards are prepared and processed. There should be two staff in charge of the process in order to have dual accountability for stock. Security and Control of PIN (Personal Identification Number) A PIN is a “personal identification number” . This is a number consisting of four numerical characters which is essentially a cardholder’s password. PINs can be assigned by the institution or can be customer selected. PINs which are generated for the customer can be derived from the customer’s account number and a logarithm used. These PINs are normally stored in an encrypted form at the ATM. A temporary PIN is issued which can be used at the ATM immediately. Later the customer has the choice of selecting his own PIN number at the ATM. Risks/Threats There are a number of risks involved in the management of PIN numbers:- 1 There is the integrity of the PIN itself. If control and security is not tight, the method of selecting PIN or encryption keys may become known and duplicated PINs and mailers be prepared. 2 The PIN mailers are intercepted during mailing. 3 PINs longer than four digits are security hazards, as holders may be tempted to write down their number to remember them. 4 Issuing replacement PIN numbers to customers. If the person making the request has stolen the card or is not authorised to use it, the true owner of the card stands to lose a substantial sum of money. Application Controls For controls and security purpose the PIN which is in encrypted form is stored in a database file for security purposes. The PIN mailers are prepared separately. The PIN is only activated upon the use of the card by the customer at the ATM. Adequate control should be carried out when PIN is produced for mailing. Mailing of the PIN is carried out subsequent to card mailing. The PIN is forwarded to the customer in a separate mailer on a different day. For security reasons all systems documentation concerning PIN generation/encryption and decryption keys must be under tight control at all times. Furthermore, extreme care must be taken when requests for new PINs are made. It is important for security reasons that the request for a new PIN should be in writing.
169 European Journal of Economics, Finance and Administrative Sciences - Issue 21 (2010) For control purposes confirmation of numbers of PINs generated must be carried out against the total application approved. It is recommended that the customer’s PIN should not be displayed on the PIN mailer. For control and security reasons the PIN mailers should not have direct reference or correlation to the customer’s account number or identification of the financial institution. The PIN must be scrambled or encrypted if printed or displayed on terminal screens. Other Controls are as follows:- • Access controls and authorisation to any addition, deletion or changes to ATM transaction details should be implemented. • Any changes to cardholder details should be authorised by the officer at the next level. • Realistic maximum transaction and maximum daily total limits should be implemented for ATM withdrawals. • Printed receipts should be dispensed by the ATM for every ATM transaction. • Every ATM transaction should be acknowledged by e-mail or a short message script sent to the mobile phone to confirm or alert the user that a transaction was performed. 3. Platform Controls Controls to consider should include:- I. Encryption II. Algorithm III. Communication Controls i. Communication protocols ii. Encryption protocols etc Measure to Use if Fraud does occur at the ATMs Unfortunately, losses and security breaches do occur. It is important to have a recovery procedure which will identify if losses occur through the ATMs. Normally insurance companies provide banks with a Bankers Insurance Coverage, which includes losses that “the cover needed will vary depending upon the risk”. It is important for financial institutions to have a straight loss control program in order to fully protect its ATM customers itself. In addition to the Bankers Insurance cover there is also computer crime insurance cover. This covers all transfers of funds which are lost as a result of a fraudulent input into system. On its own, technology will never solve the problems of an inefficient and poorly managed institution. At such an institution, technology may just automate problems and highlight inefficiencies. ATMs require a high degree of additional control beyond those traditionally employed by financial service providers. Institutions need to make sure they are able to track funds that have been deposited into the ATMs but not yet accounted for in central accounts as fraud or errors may be involved with the deposit. When initiating new technologies such as offering financial services through ATMs, institutions must be prepared to educate clients on the benefits and train them in the use of the new technology. Failing to do so can reduce adoption rates and/or lead to a rejection of the technology by the targeted clients. Clients are often relationship oriented and enjoy person-to-person transactions. These transactions build trust and familiarity while automating processes can depersonalize services and alienate clients. This must be considered and adequately planned for, when switching from highly personalized services to automated transactions.
Page 1 and 2: European Journal of Economics, Fina
Page 3 and 4: 163 European Journal of Economics,
Page 5 and 6: 165 European Journal of Economics,
Page 7: 167 European Journal of Economics,
Page 11: 171 European Journal of Economics,

ATM Risk Management and Controls - EuroJournals

Create successful ePaper yourself

Delete template?

Save as template?