Liability Shift
a. Where a non-EMV card is used on a non-EMV Terminal and fraud occurs,
liability is on either the Card Issuer or the Card Holder. Proof has to be
established on which party compromised card details.
b. Where a non-EMV card is used on an EMV Terminal and fraud occurs, liability
is on the Card Issuer.
c. Where an EMV card is used on a non-EMV Terminal and fraud occurs, liability
is on the Acquirer.
d. Where an EMV card is used on an EMV Terminal and fraud occurs, liability is
on the Card Holder or the Issuer. However, the onus is on the cardholder to
prove that their PIN had not been disclosed to a third party willingly or
negligently.
e. Where a hybrid card is used on a non-EMV Terminal and fraud occurs, liability
is on the Acquirer.
f. Where a hybrid card is used on an EMV Terminal, the card is treated as magnetic
stripe for authorization and fraud occurs, liability is on the Card Issuer.
g. Where a hybrid card is used on an EMV Terminal, the card is treated as EMV for
authorization and fraud occurs, liability is on the Card Holder or the Issuer.
However, the onus is on the cardholder to prove that his/her PIN had not been
disclosed to a third party willingly or negligently.
ATM AND CARDS IN NIGERIA
Friday, May 20, 2011
Thursday, December 30, 2010
INFORMATION ABOUT CHIP AND PIN TECHNOLOGY
A Cambridge University professor has accused the bank cards industry of making a ''very nasty attempt at censorship'' over a flaw in chip and PIN technology.
The UK Cards Association (UKCA), which represents the country's biggest banks, wrote to the university to try to remove the online publication of research which shows how a £20 hand-held device could be used to buy goods without entering the correct PIN.
Melanie Johnson, a former Labour Treasury minister who is now chair of the UKCA, wrote to the university's director of communications earlier this month saying the publication ''oversteps the boundaries of what constitutes responsible disclosure''.
She said the paper, The Smart Card Detective, by MPhil research student Omar Choudary, ''places in the public domain a blueprint for building a device which purports to exploit a loophole in the security of chip and PIN''.
She said the type of attack described was ''difficult to undertake'' and ''unlikely to interest genuine fraudsters'' but said the ''level of detail'' published was worrying and asked for the research to be removed.
And she said police had expressed concern the student ''was allowed to falsify a transaction in a shop in Cambridge without first warning the merchant''.
Ross Anderson, professor of security engineering at Cambridge University's Computer Laboratory, said: ''This was absolutely unacceptable. It was a very very nasty attempt at censorship.''
He said exposing vulnerabilities in the system was an example of ''responsible disclosure'' and said the industry had been guilty of ''sitting on their butts and doing nothing'' since he and fellow scientists first revealed the flaw in late 2009.
In a response letter dated December 24, he wrote: ''You seem to think that we might censor a student's thesis, which is lawful and already in the public domain, simply because a powerful interest finds it inconvenient.
''This shows a deep misconception of what universities are and how we work. Cambridge is the University of Erasmus, of Newton, and of Darwin; censoring writings that offend the powerful is offensive to our deepest values.''
He continued: ''You complain that our work may undermine public confidence in the payments system. What will support public confidence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it.''
Prof Anderson said he had authorised the thesis to be issued as a Computer Laboratory technical report, saying: ''This will make it easier for people to find and to cite, and will ensure that its presence on our website is permanent.''
He said there was no basis for police concern as there was no intent to commit fraud, as the card holder gave his consent and the merchant was paid.
He added that Barclays Bank did appear to have closed the technological loophole although other banks were yet to fix the problem.
A UKCA spokeswoman said: ''The UK Cards Association has written to Cambridge not to challenge the work of the university's security academics but only to challenge whether publishing explicit details of how to attempt a fraud - specifically one which there is no evidence of a fraudster yet undertaking - is necessary and serving the public's best interest.
''We remain hopeful that the academics concerned will work with us rather than against us to help defeat the fraudsters - as unfortunately it is only the fraudsters who stand to gain from any lack of cooperation between us.''
She said it was questionable whether publishing a ''DIY guide for fraudsters'' was ''in the best interests of the card-holding public''.
And she said while ''nothing is 100% secure'' fraud on UK issued cards had dropped to £186.8 million in the first six months of the year, down 20% on the same period in 2009.
Thursday, August 26, 2010
THE LIKELY CAUSES OF CARD FRAUD IN NIGERIA AND SUGGESTED WAYS TO MITIGATE SAME
CAUSES OF FRAUD (numbered) AND SUGGESTED WAY FORWARD (bulleted)

1. Opening cards to all kinds of payment channels (ATM, POS, Web and Mobile) exposes cardholders to all manner of risk.
· Banks to give each customer the option to choose the channels for using his card.

2. Card not present (use of card information on the web or at a Point of Sale (POS) without the physical card)
· Second level authentication should be mandatory for all “card not present” transactions.
· Each bank to set transaction limits for its customers for Card Not Present transactions.

3. Phishing emails/text messages purporting to be from banks, CBN, a Switch or other reputable organizations in order to obtain card details from cardholders
· Enlightenment campaign on protection of PIN/card details for cardholders.
· SMS alerts for all card payments.

4. Counterfeiting/cloning of cards
· Fast-track the migration to chip+PIN or EMV cards to make cloning difficult.
· All terminals should be EMV compliant.
· Disable fallback of an EMV card to its magnetic stripe details where the chip fails to function.

5. PIN brute force: attempts to guess the PIN of cardholders using a systematic approach.
· Banks to have real-time online monitoring tools for PIN entry attempts.
· Automatic deactivation of the card after unsuccessful PIN attempts (like 3 times).

6. Prepaid card issues: loading cash cards from ATM cards without limits or adequate controls; enabling card to card transfer on this scheme.
· All card issuance should be subject to CBN approval and based on approved Guidelines.
· Set limits for card to card transfers, POS and web payments, or deactivate card to card transfer outright.
· Restrict prepaid card usage to particular schemes, such as payment of school fees or payment for fuel at a filling station, i.e. restrict the prepaid cards to a single web site or terminal tied to the scheme.

7. Never Received Issue: fraud using a card that is yet to be received by the cardholder
· Activation of cards should only be done after delivery.
· Enable external banking facility only after the cardholder has collected the card and PIN.
· Banks to segregate the process of PIN handling and card activation.

8. Internal compromise within the bank or a Switch
· Segregate the duties of PIN handling and card activation.

9. Merchant compromise
· Proper due diligence should be done on all merchants before a POS is given to them.
· Categorise merchants by transaction limits set on the basis of their sales trends.
· Introduce second level authentication for high volume POS transactions.
· E-payments without second level authentication should be allowed for schools and airlines only, subject to a set maximum limit.

10. Friendly compromise between the cardholder and his associates
· Enlightenment campaign on protection of PIN/card details for cardholders.
· SMS alerts for all card payments, which will enable the cardholder to block the card if a payment is fraudulent.

11. Card skimming: use of a fake keypad or other skimming device to get card details
· Fast-track the migration to EMV cards.
· Regular ATM monitoring.

12. Shoulder surfing at ATM locations to steal card information
· Position the ATMs in such a way that cardholders’ PIN entry is protected.
· Cardholder education on PIN protection.

13. Transactions with the same card details performed at different locations (e.g. Lagos and Enugu) within an unimaginable timeframe (e.g. 10 minutes)
· Mandate banks to have a standard convention of naming all their terminals with their identification number and location address.
· Collaborative efforts by all banks and switches to set adequate rules in their fraud monitoring software to decline such transactions that fall below the set rules.
· Once the above is achieved, banks should have an online monitoring system to track such transactions and disallow them.

14. Cash retract issues: allowing the ATM to take some currency notes back after dispensing
· Banks to disable cash retract and release the card after cash.

15. Dispensing error
· Banks to be proactive by automating the reversal of dispensing errors in respect of “on us” transactions.
· Banks that fail to respond within 72 hours on a dispensing error in respect of “not on us” transactions should be debited accordingly.
· Standard chargeback procedures of Visa and MasterCard should be explored.
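The rule suggested under cause 13 can be written as a geo-velocity check at authorization time. The sketch below is an added example, not part of the original post: the terminal IDs, the approximate coordinates, the speed ceiling, the metro-area cutoff and the sample transactions are all constructed assumptions, and the implied-speed test generalises the post's "Lagos and Enugu within 10 minutes" case.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed terminal registry: each terminal ID maps to a named location,
# as the naming convention in the table requires. Coordinates are approximate.
TERMINALS = {
    "ATM-LAG-0001": ("Lagos", 6.52, 3.38),
    "ATM-LAG-0002": ("Lagos", 6.45, 3.40),
    "POS-ENU-0001": ("Enugu", 6.44, 7.50),
}
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner cruising speed
MIN_DISTANCE_KM = 25.0     # assumed: ignore hops inside one metro area


@dataclass(frozen=True)
class Txn:
    card_ref: str      # tokenised card reference, never the card number itself
    terminal_id: str
    when: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


class GeoVelocityMonitor:
    """Remembers the last approved location per card and vets each new request."""

    def __init__(self, terminals=TERMINALS):
        self.terminals = terminals
        self.last_seen = {}  # card_ref -> last approved Txn

    def check(self, txn):
        """Return (decision, reason); decision is 'APPROVE' or 'DECLINE'."""
        if txn.terminal_id not in self.terminals:
            # No registered location means the rule cannot be evaluated: fail closed.
            return "DECLINE", "unregistered terminal"
        prev = self.last_seen.get(txn.card_ref)
        if prev is not None:
            _, lat1, lon1 = self.terminals[prev.terminal_id]
            _, lat2, lon2 = self.terminals[txn.terminal_id]
            dist = haversine_km(lat1, lon1, lat2, lon2)
            hours = abs((txn.when - prev.when).total_seconds()) / 3600.0
            too_fast = hours == 0 or dist / hours > MAX_PLAUSIBLE_KMH
            if dist >= MIN_DISTANCE_KM and too_fast:
                # Declined requests do not move the card's last known location.
                return "DECLINE", f"{dist:.0f} km in {hours * 60:.0f} min"
        self.last_seen[txn.card_ref] = txn
        return "APPROVE", "ok"


def run_sample():
    """Run the monitor over constructed transactions and return its decisions."""
    sample = [
        Txn("card-A", "ATM-LAG-0001", datetime(2010, 8, 26, 10, 0)),
        Txn("card-A", "ATM-LAG-0002", datetime(2010, 8, 26, 10, 5)),   # same city
        Txn("card-A", "POS-ENU-0001", datetime(2010, 8, 26, 10, 15)),  # Enugu, 10 min later
        Txn("card-A", "POS-ENU-0001", datetime(2010, 8, 27, 10, 15)),  # next day
        Txn("card-B", "ATM-XXX-9999", datetime(2010, 8, 26, 11, 0)),   # unknown terminal
    ]
    monitor = GeoVelocityMonitor()
    return [monitor.check(t) for t in sample]


if __name__ == "__main__":
    for decision, reason in run_sample():
        print(decision, reason)
```

The rule trusts whichever transaction arrived first, so a decline is a trigger for the SMS alert and cardholder contact listed elsewhere in the table, not proof of which side is the fraudulent one.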
Tuesday, July 6, 2010
OFFSITE ATMS IN NIGERIA AND CASH AVAILABILITY
Before now we used to have one independent deployer (ATMC) in operation in Nigeria, competing with the banks, until late last year (2009), when CBN licensed two other independent deployers (Cham Access and CSS) to complement the effort of ATMC, which at the time was struggling to find its feet in a fast-moving industry. Investigation revealed that, beyond the other difficulties ATMC faced in the few years it had operated, its greatest challenge was the availability of cash to feed its ATMs when they ran out. The company struggled with the banks in this area with little success, as most of the owner banks have their own ATMs to support with cash. The Central Bank of Nigeria did not help matters: it did not allow ATMC to source cash directly from CBN, nor did it put the necessary steps in place for the take-off of CIT companies; rather, it directed ATMC to source cash from the owner banks.
The banks, in their bid to render service to their customers, started deploying their ATMs in all available spaces, including public places like airports and hotels, as it was evident that ATMC could neither muster the financial strength nor obtain the cash support to run the offsite ATM business. The CBN recently directed all Nigerian banks to relocate the ATMs outside their business offices (better still, hand these ATMs over to the IADs), in what many considered a good step but the wrong approach. In the build-up to this decision, CBN mentioned that the banks were competing over ATMs in public places rather than rendering service, hence the need to regulate them and bring sanity into play. It also claimed that the decision would enable the banks to concentrate on their core business and free their staff for better service to customers.
Good as these reasons and intentions may sound, the IADs (Independent ATM Deployers) and the banks are already confronted with the major concern of the ATM business in Nigeria: the availability of the raw material of the business (cash) required to support the ATMs, so that the intention of running them 24/7 can be achieved. CBN, in quick reaction, requested through its Standards and Guidelines on ATM Teller Machine Operations in Nigeria, released in 2010, that the banks should continue to load the ATMs for the IADs after handing them over.
The truth of the matter is that the absence of a CIT company in Nigeria will surely cripple this business if it is allowed to run the way CBN has proposed. The banks that will provision the cash for the IADs have their own ATMs to support first and foremost, and now carry the added burden of rendering the same service to the IADs at increased cost, considering the security situation in the country. One wonders how the banks will recoup the cost of bullion vans, police escorts, dedicated staff for this function, etc. We should also appreciate that these banks sometimes vault money back from the ATMs to service over-the-counter customers, which will no longer be possible under this arrangement. Cash management will become truly difficult for most branches with a good number of offsite ATMs. This situation will force most branches/banks to begin to make preferences, and it is natural that they will prefer the ATMs within their absolute control.
One wonders what the exercise is all about, considering that bank staff are not freed in any way from these ATMs, as CBN had canvassed. There is no provision of cash for the IADs; rather, the banks were asked to continue the service, now as a regulation rather than as an added service to their customers. The issue of cash is central to the success of these offsite ATMs in Nigeria today, and leaving the fate of the IADs in the hands of the banks, who need this cash more, is like postponing the day of doom.
The increased cost of making this cash available for these ATMs is worthy of mention, considering that these ATMs are outside the business premises of the banks and require the full complement of bullion services, especially in the Nigeria of today. One wonders whether the banks will continue to incur this huge cost in the face of reduced profitability and high security costs. CBN must step in and find a way to compensate the banks that have been forced to accept the role of CIT company for the offsite ATM locations or, better still, put all necessary steps in motion to form an effective CIT company for this purpose, as is done abroad.
Thursday, June 24, 2010
IMPORTANCE OF PAPER JOURNAL IN ATM OPERATION IN NIGERIA
It is on record today that the modern ATM has two kinds of journal for capturing transaction details: the electronic journal and the traditional paper journal. The electronic journal is the latest addition, and it makes the ATM information easy to manage. You can read the information remotely even if it is an offsite ATM. The convenience this has created in ATM administration and dispute resolution is so enormous that most deployers have almost forgotten the importance of, and need for, keeping the traditional paper journal.
The details on the journal are key to ATM administration and operation, and comprehensive. It keeps track of access to the sensitive parts of the machine, cash analysis, fault reporting, etc. It is so sensitive that the recently released CBN guideline mandated all deployers of ATMs to ensure that any ATM commissioned for operation has the full complement of journals (ejournal and traditional paper journal).
It is worth mentioning here too that experience has shown that the details on the ejournal can be manipulated and the figures re-presented with fraudulent intent, which creates a serious challenge for dispute resolution and arbitration. This becomes more complicated when one considers that the journal is always regarded as the last arbiter in ATM dispute resolution and arbitration.
It is our opinion that banks and all independent ATM deployers should at all times ensure that the traditional paper journal is carefully retrieved from the ATM and stored in a safe and conducive place, where it can always be referenced during a dispute.
The Central Bank of Nigeria ATM Operation Standard and Guideline, released this year (2010), emphasized the need for and usefulness of the ATM paper journal in dispute resolution and arbitration. This does not take away the fact that the ejournal is also important in ATM operation, but there should not be complete reliance on it, especially at arbitration level.
It is also important to say here that deployers should ensure that the quality of the paper used is such that the print will last for a long time, considering that some transactions can be disputed after 2 or even 5 years; in fact, the customer wants his money at any time.
There should be dual control over access to the journal, from its retrieval from the ATM to the storage base, to ensure that no part of it is lost. This is key to giving credibility to the role the journal plays in dispute resolution.
Considering our business environment in Nigeria, where we have all manner of card fraudsters, it has become clear now more than ever that the banks and the independent deployers should make a conscious effort to ensure that their traditional paper journal is up to date and running at all times.
Tuesday, June 15, 2010
RETRACT OPTION IN ATM IN NIGERIA AND ASSOCIATED RISK
It is common knowledge that there are different brands of ATM in operation in the Nigerian market as at today. They include NCR, TRITON, Wincor etc. All the Banks in the country, including the independent deployers, are servicing the Nigerian market with these ranges of ATMs from Europe, America and Asia.
The availability of these ATMs has made cash withdrawal easier and simpler for bank customers, who hitherto queued up in banking halls with their tally numbers waiting for their turn to withdraw cash. They have also made cash withdrawal possible at odd hours of the day when banking halls are closed for business. ATMs have also encouraged cardholders to carry less cash, thereby avoiding all sorts of attacks from criminals. They increase the speed of transactions and also save time.
The ATM also came with its own issues for cardholders and banks. These include the ATM not releasing cash to the cardholder after debiting the customer's account, releasing less than the cardholder requested while debiting the customer for the full amount (partial dispense), outright denial of service even at pressing times, outright fraud using the ATM, incessant cash jams, customers frustrated by the listed issues, retraction of cash etc.
Beyond all the issues listed, we want to talk about the RETRACTION of cash by the ATM when the customer has failed to pick up the cash within the set period. This functionality was built into the ATM by the developers to help the cardholder in situations where he/she could not pick up the cash within the set period: the ATM sucks back the cash and logs the event in the journal, which the bank or issuer then uses to reverse the funds to the customer's account. This functionality operates in almost the same way in all the brands of ATM in Nigeria as at today.
It is common knowledge that while the ATM is dispensing cash to the cardholder, it is capable of counting the cash and giving the cash analysis on the ATM journal for the purpose of dispute resolution and cash reconciliation. It is worth noting, too, that when the ATM is retracting cash it has no such capability of counting and logging the cash analysis of the amount sucked back. Whether it bundle-rejects or retracts, the story is the same. The only information given on the journal as at today is that the cash was retracted.
In the light of the above, it is very possible for a fraudulent cardholder to request N20,000 and, when the machine presents the N20,000, carefully pick N10,000 (or any other amount, but not the full amount) and allow the machine to retract the balance after the set period. The same customer can then log a complaint for total reimbursement of the N20,000, which we know most Nigerian banks will pay, hinging their approval on the journal position, which will simply read 'cash retracted'. Even when the bank does not want to pay, on the face of it the customer's position appears very superior and he/she can win if he/she takes the matter to any regulator for adjudication.
Even when the bank or deployer reconciles the ATM cash (say on a daily basis), the difference will be thrown up, but how can the bank or deployer pin it on the customer in question, considering the traffic that hits the ATM in a day and the number of genuine reversals that would have taken place on the same ATM? Compounding the issue is the fact that both retracted and rejected cash are dropped in the same cassette, even though there is a separation in the cassette.
We feel strongly that this is a major concern the ATM developers must look into, considering the Nigerian business environment. We can now appreciate why some banks in Nigeria decided to disable the retract option of their ATMs to avoid the risk associated with this functionality.
OUR RECOMMENDATION:
The ATM developers should build the ATM so that, when retracting cash, it is capable of counting the cash and logging the cash analysis on the journal, the way it does when it is dispensing cash.
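The attribution problem and the recommendation above, worked through on constructed data (an added example, not code from the original post or from any ATM vendor). The journal line format, the `COUNTED` field and the assumption that the retract compartment of the cassette is counted separately from rejected notes are all hypothetical.

```python
import re

# Constructed journal in a hypothetical format (no vendor's real layout).
SAMPLE_JOURNAL = """\
10:02:11 TXN 0041 PRESENTED 20000
10:02:19 TXN 0041 CASH TAKEN
11:15:40 TXN 0057 PRESENTED 20000
11:16:10 TXN 0057 CASH RETRACTED
14:30:05 TXN 0093 PRESENTED 10000
14:30:35 TXN 0093 CASH RETRACTED
"""
# Same day with the recommended behaviour: the ATM counts what it pulls back.
COUNTED_JOURNAL = SAMPLE_JOURNAL.replace(
    "0057 CASH RETRACTED", "0057 CASH RETRACTED COUNTED 10000").replace(
    "0093 CASH RETRACTED", "0093 CASH RETRACTED COUNTED 10000")

LINE = re.compile(
    r"^\S+ TXN (\d+) (PRESENTED|CASH TAKEN|CASH RETRACTED)(?: COUNTED)?(?: (\d+))?$")


def parse_retracts(journal):
    """Map each retracted txn id to its presented amount and logged count (or None)."""
    presented, retracts = {}, {}
    for line in journal.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a transaction event
        txn, event, amount = m.groups()
        if event == "PRESENTED":
            presented[txn] = int(amount)
        elif event == "CASH RETRACTED":
            retracts[txn] = {"presented": presented.get(txn, 0),
                             "counted": int(amount) if amount else None}
    return retracts


def reconcile(journal, retract_bin_total):
    """Return (shortfall, {txn: (decision, amount)}) for the retracted transactions."""
    retracts = parse_retracts(journal)
    blind = [r for r in retracts.values() if r["counted"] is None]
    logged = sum(r["counted"] for r in retracts.values() if r["counted"] is not None)
    # Cash that should be in the bin for uncounted retracts, minus what is there.
    shortfall = sum(r["presented"] for r in blind) - (retract_bin_total - logged)
    result = {}
    for txn, r in retracts.items():
        if r["counted"] is not None:       # journal carries the retracted amount
            result[txn] = ("REVERSE", r["counted"])
        elif shortfall == 0:               # bin holds everything that was presented
            result[txn] = ("REVERSE", r["presented"])
        elif len(blind) == 1 and 0 < shortfall <= r["presented"]:
            result[txn] = ("REVERSE", r["presented"] - shortfall)  # only one candidate
        else:                              # several blind retracts: cannot attribute
            result[txn] = ("REVIEW", None)
    return shortfall, result
```

With two uncounted retracts and N20,000 found in the retract compartment, `reconcile(SAMPLE_JOURNAL, 20000)` reports a N10,000 shortfall and marks both transactions `REVIEW`; the same cash position against `COUNTED_JOURNAL` resolves each reversal directly.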
Friday, June 11, 2010
ASSOCIATED RISK WITH E-BANKING IN NIGERIA AND SWITCHING OF TRANSACTION FOR BANKS
· LIQUIDITY RISK: This risk arises when the acquiring bank does not have enough funds to pay the beneficiaries even when their accounts have been credited with the expected value. The issuing bank will only credit the acquiring bank after settlement, and that is when the funds become available to the acquiring bank. The settlement cycle in Nigeria puts the acquiring bank at risk whether it is T+1 or T+2 (transaction day + additional one day or two days as the case may be).
· DEFAULT RISK: This risk arises when the issuing bank is unable to meet her obligation (out of clearing) and the acquiring banks have given value to the beneficiaries.
· INTEREST RISK: The acquiring banks suffer interest risk as a result of the time lag between payment date and settlement date. This becomes more burdensome on the acquiring banks on holidays and weekends.
· TRANSACTION/SWITCH RISK: Host-to-host switching allows transactions to impact the Core Banking Software (CBS) directly without passing through the bank's FEP. This circumvention of the FEP creates transaction risk. This is important considering that there is no clear separation between naira accounts and foreign currency accounts on these platforms.
· LEGAL RISK: There is no legal framework in place to deal with issues arising from e-payment, especially in times of dispute or conflict between the stakeholders. The E-banking guideline of CBN does not in any way address any of the risk issues associated with e-banking in Nigeria to the extent that it can be tenable in court.
· IN HOUSE ABUSE: There is also the possibility of internal staff of the body corporate and related agencies benefiting from these e-banking operations initiating unauthorized transactions, which will expose all the stakeholders considering the volume that will be involved.
SUGGESTED MITIGANTS:
· All participating banks to pledge a Treasury bill to provide cover for all switched transactions under the e-payment scheme.
· The value date for transactions should be the same as the settlement date, to ensure that the acquiring bank does not give value before settlement. Batch cut-off must be agreed by all stakeholders to ensure that the transaction date and settlement date are the same.
· The body corporate and related agencies benefiting from e-banking should be made to provide an indemnity/guarantee for transactions being initiated by authorized staff.
· The body corporate and related agencies should notify their bankers before initiating transactions so that the bank's Treasury Department can make provision for the settlement.
· All the banks to agree that settlement should be through RTGS as against the NIBBS currently used. Where NIBBS is used, the processing of the transactions should be such that the acquiring banks get value before the customers.
· All interested switching companies must have an FEP in place to avoid any form of host-to-host switching. This will ensure that the banks filter the transactions properly before they hit the Core Banking Software (CBS).
· CBN to put up the legal framework to drive e-banking in Nigeria.