
Risks Associated with the Banking Activities

Risk is a function of the probability or likelihood of occurrence and the significance of the impact. Risk implies vulnerability and threat. The key is the impact, as an event may have a very low or even remote probability of occurrence but the impact could be disastrous. In such cases risks do not get identified or do not get due focus, thus diluting the controls necessary for their mitigation. Another key factor is the speed at which risks permeate through the entity once it is affected. Globalization of the economy has led to integration of world economies and increased the risks, and an event occurring anywhere in the world can have an impact on banks in India.

Risks associated with banking activities can be broadly categorised as follows:

a) Concentration risk: Banking risks increase with the degree of concentration of a bank’s exposure to any one customer, industry, geographic area or country. For example, a bank’s loan portfolio may have large concentrations of loans or commitments to particular industries, and some, such as real estate, shipping and natural resources, may have highly specialized practices. Assessing the relevant risks relating to loans to entities in those industries may require knowledge of these industries, including their business, operational and reporting practices.

b) Country risk: The risk of foreign customers and counterparties failing to settle their obligations because of economic, political and social factors of the counterparty’s home country and external to the customer or counterparty.

c) Credit risk: The risk that a customer or counterparty will not settle an obligation for full value, either when due or at any time thereafter. Credit risk, particularly from commercial lending, may be considered the most important risk in banking operations. Credit risk arises from lending to individuals, companies, banks and governments. It also exists in assets other than loans, such as investments, balances due from other banks and in off balance sheet commitments. Credit risk also includes country risk, transfer risk, replacement risk and settlement risk.

d) Currency risk: The risk of loss arising from future movements in the exchange rates applicable to foreign currency assets, liabilities, rights and obligations.

e) Fiduciary risk: The risk of loss arising from factors such as failure to maintain safe custody or negligence in the management of assets on behalf of other parties.

f) Interest rate risk: The risk that a movement in interest rates would have an adverse effect on the value of assets and liabilities or would affect interest cash flows.

g) Legal and documentary risk: The risk that contracts are documented incorrectly or are not legally enforceable in the relevant jurisdiction in which the contracts are to be enforced or where the counter parties operate. This can include the risk that assets will turn out to be worthless or liabilities will turn out to be greater than expected because of inadequate or incorrect legal advice or documentation. In addition, existing laws may fail to resolve legal issues involving a bank; a court case involving a particular bank may have wider implications for the banking business and involve costs to it and many or all other banks; and laws affecting banks or other commercial enterprises may change. Banks are particularly susceptible to legal risks when entering into new types of transactions and when the legal right of the counterparty to enter into a transaction is not established.

h) Liquidity risk: The risk of loss arising from the changes in the bank’s ability to sell or dispose of an asset. The risk of liquidity risk turning into a solvency risk needs to be monitored as risk can swiftly move across the entity.

i) Modelling risk: The risk associated with the imperfections and subjectivity of valuation models used to determine the values of assets or liabilities.

j) Operational risk: The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.

k) Price risk: The risk of loss arising from adverse changes in market prices, including interest rates, foreign exchange rates, equity and commodity prices and from movements in the market prices of investments.

l) Regulatory risk: The risk of loss arising from failure to comply with regulatory or legal requirements in the relevant jurisdiction in which the bank operates. It also includes any loss that could arise from changes in regulatory requirements. For example, money laundering risk is a regulatory risk. (The circular – DBS.CO.PP.BC.6/11.01.005/2006-07 dated April 20, 2007 on “Compliance Function in Banks”, which lays down detailed requirements in respect of compliance related aspects such as compliance risk, responsibility of the Board of Directors, responsibility of the senior management, compliance policy, compliance structure, compliance principles, process, procedures, compliance programme, etc., is relevant.)

m) Replacement/Performance risk: The risk of failure of a customer or counterparty to perform the terms of a contract. This failure creates the need to replace the failed transaction with another counterparty at the current market price. This may result in a loss to the bank equivalent to the difference between the contract price and the current market price.

n) Reputational risk: The risk of losing business because of negative public opinion and consequential damage to the bank’s reputation arising from failure to properly manage some of the above risks, or from involvement in improper or illegal activities by the bank or its senior management, such as money laundering or attempts to cover up losses.

o) Settlement risk: The risk that one side of a transaction will be settled without value being received from the customer or counterparty. This will generally result in the loss to the bank of the full principal amount.

p) Solvency risk: The risk of loss arising out of the possibility of the bank not having sufficient value of assets to meet its obligations on the due date, whereas liquidity risk means the risk related to disposal of assets.

q) Transfer risk: The risk of loss arising when a counter party’s obligation is not denominated in the counterparty’s home currency. The counterparty may be unable to obtain the currency of the obligation irrespective of the counterparty’s particular financial condition.

r) Volatility risk: This is a type of market risk which specifically pertains to option positions. An increase in the volatility of the price of the instrument underlying the option will generally result in an increase in the value of any bought (long) option position. The opposite will apply for a decrease in volatility.

Following are examples of some events / transactions that give rise to one or more of the above mentioned risks (though they may not have a direct impact on the financial statements of a bank):

• Cyber Risks – Use of Internet / mobile banking has changed the dimension of banking and with it resulted in new risks. Cyber risks, or risks associated with identity theft, hacking, spam, phishing / vishing / DoS or DDoS attacks, e-mail spoofing, virus attacks, use of malicious code, compromise of digital signatures etc., resulting in loss or compromise of data, are very common. Risks associated with usage of debit and credit cards or through ATM operations are also increasing.

◦ Cyber criminals can commit a crime much faster than conventional fraudsters and have the added advantage of anonymity. The level of anonymity makes attempting and successfully conducting a cyber crime relatively easier than conventional frauds. It also makes dealing with cyber criminals a daunting task.

◦ Usage of social networking sites has exploded over the past few years, especially amongst the youth. Personal information is routinely exchanged on a real time basis on social networking sites. This is misused by people purporting to be trusted members of the group while in reality they may be fraudsters. Confidential private information exchanged over e-mail can also be easily tracked and misused.

◦ Hacking or Cracking means illegal intrusion into the information on a computer system or network. The motive could include greed, power, revenge, adventure, desire to access forbidden information, destructive mindset and wanting to sell to earn revenue.

◦ Phishing refers to the acquiring of sensitive information such as user names, passwords or credit card details by masquerading as a trustworthy entity in an electronic communication. The word is an analogy to the fishing technique of using bait to lure the victim. It directs users to enter details on a fake website whose look and feel are almost identical to the legitimate one. It exploits the user’s trust, as the user is unable to identify that the site being visited or the program being used is not the real one.

◦ Vishing and Smishing are phone scams similar to “phishing”. Vishing is a telephone call claiming to be from a legitimate company requesting your personal information to resolve an urgent financial matter. Smishing is accomplished through text messages on a cell phone, asking a person to call a particular number or click on a link that could contain malicious code that could potentially steal information stored in that person’s cell phone without his/her knowledge.

◦ Data theft is aided by use of hand held devices like flash drives, iPods and digital cameras, and the ability to transmit large amounts of data quickly via e-mail, web pages, USB drives, DVD storage and other hand held devices.

◦ E-mail spoofing is sending an e-mail to another person in such a way that it appears that the e-mail was sent by someone else. The mail appears to originate from one source but is actually sent from another source.

◦ Denial of Service (DoS) attacks flood the bandwidth of the victim’s network or fill his e-mail box with spam mail, depriving him of service that he is entitled to access or provide.

◦ Dissemination of viruses by use of malicious software that attaches itself to other software. Some of the common viruses are Virus worms, Trojan horse, Web jacking, Email bombing.

◦ Impersonation: A crime in which an imposter obtains key pieces of personal information in order to impersonate someone else. The imposter uses the identity of that person to make transactions, purchases or get loans or credits. This could also be done for illegal immigration, hiding from creditors or by people who want to be anonymous for personal reasons. The person whose identity is assumed suffers various consequences as a result of being held responsible for the perpetrator’s actions.

◦ Botnets – networks of compromised computers, controlled by remote attackers in order to perform such illicit tasks as sending spam or attacking other computers.

◦ Malvertising – a method whereby users download malicious code by simply clicking on an advertisement on any website that is infected.

◦ Cyber Extortion: Refers to blackmailing the victim and extorting money to stop the DoS attacks, give back the information stolen, discontinue vandalism etc.

◦ Cyber Terrorism / Warfare: Refers to Distributed Denial of Service attacks, hate websites and hate e-mails, attacks on service network etc.

◦ Computer Vandalism refers to damaging or destroying data rather than stealing or misusing it. Programs are used which attach themselves to a file and then circulate.

◦ PUPs (Potentially Unwanted Programs) are less harmful but annoying malware which installs unwanted software in your system, including search agents and toolbars.

◦ Software piracy through either theft or illegal copying of genuine programs or by counterfeiting and distribution of products intended to be passed off as originals.

◦ Misuse of Digital Signature: If the private key is not stored securely, it can be misused without the knowledge of the owner of the private key to issue unauthorized digital certificates for cyber espionage, malware diffusion or sabotage.

◦ Man in the Middle (MITM) attacks are attacks where the attacker secretly relays or possibly alters the communication between two parties who believe they are directly communicating with each other. The attacker intercepts all messages between the two victims, injects new ones and in fact controls the entire conversation.

• Credit Card Frauds – involving debit or credit cards for obtaining goods without paying or obtaining unauthorized funds from an account.

◦ Use of fake identities, documentation or impersonation to obtain genuine cards.

◦ Using a stolen or lost credit card for illegal purchases before the holder notifies the issuing bank and the issuing bank puts a block on the account.

◦ Skimming is the theft of payment card information used in a legitimate manner, by basic methods like photocopying receipts or advanced methods like using small electronic devices (skimmers) to swipe and store hundreds of victims’ card numbers.

◦ Tele Phishing is obtaining a list of individuals with their names and phone numbers and luring victims into thinking that they are speaking with a trusted organization while handing over sensitive information such as card details.

◦ A merchant at a POS (Point of Sale) terminal may allow a fraudster to get goods on a stolen credit card for a consideration. He may provide the details of customer cards to the fraudster for a consideration. He can connive with the fraudster and allow him to substitute the imprinter to collect data which can then be used to multiply cards.

◦ The merchant may at times swipe the card for a nonexistent transaction and accommodate another person by lending him money from the value of the transaction he has received from the paying bank.

◦ At times a card holder may himself declare the card as stolen or lost to the issuer. Soon after, he himself uses the card to its limits. The loss on the card post intimation is the loss of the banker / issuer, and gains are made in this manner.

◦ Several credit cards are applied for simultaneously by a fraudster with no previous default history and with the intention to use the cards to the fullest and not to repay. At times the fraudster may agree to a one time settlement of the dues at a much lesser amount than what he owes.