Wednesday, April 28, 2010

Make phone banking more secure or face penalty: RBI to banks

Press Trust of India / New Delhi April 25, 2010, 15:07 IST

Banks will soon have to put in place an additional authentication cover for their credit and debit card customers transacting over phone, or get penalised.
    
Taking forward its efforts to tackle identity frauds in non-branch banking transactions, the Reserve Bank has asked all the banks operating in the country to put in place by next year a system where credit and debit card customers would need to provide an additional password for IVR (interactive voice response) transactions.

    
IVR transactions are done over phone, wherein customers dial the bank's customer care number and are prompted by a recorded voice to dial designated digits for different kinds of transactions such as balance enquiry, bill payment etc.
    
The customers would now need to key in an additional password on their phone, besides the currently prevalent details like card number, date of birth, card issue or expiry date and in some cases a telephonic password.
    
As RBI has also noted, there has been a stupendous rise in the recent past in banking transactions through channels other than traditional branch banking. Such non-traditional routes include Internet, mobile and phone banking.
    
However, these new-age banking transaction routes are considered to be relatively more prone to identity frauds and the credit or debit cards could be misused by those other than their bonafide owners.
    
To tackle this menace, RBI last year asked the banks to put in place, from April 2009 onwards, "a system of providing for additional authentication/validation based on information not visible on the cards" for transactions where the card was not actually presented.
    
While this directive covered online transactions, it did not apply to IVR transactions and RBI had said at that time that "separate instructions will follow" for the same.
    
In both online and IVR transactions, a card is not actually presented for conducting the transactions, unlike the transactions at ATMs or merchant establishments where a credit or debit card needs to be swiped for credit or debit to take place from the customer's account.
    
However, RBI has now decided to "extend this requirement of additional authentication/validation to all CNP (card not present) transactions including IVR transactions."
    
These additional security codes would need to be different from those visible on the cards, such as the card number, CVV (card verification value, which is printed on the back of the card), date of birth and date of issue and expiry.
    
As these are visible on a card, a non-bonafide customer, having seen the card at places like merchant establishments, can use them to transact in the account over phone.

Besides, the banks would also need to put in place a system of 'Online Alerts' to the cardholder for all 'card not present' transactions of the value of Rs 5,000 and above.
    
RBI has asked the banks to implement these additional security measures for all CNP transactions by January 1, 2011.
    
"Banks are advised to strictly adhere to the instructions and time discipline indicated in this circular. Non-adherence to the directions shall attract penalties...," RBI said in a circular to the chiefs of all banks operating in the country.
    
These include Scheduled Commercial Banks, Regional Rural Banks, Urban Co-operative Banks, State Co-operative Banks and District Central Co-operative Banks.
