Page 16 - Risk Management Bulletin April -June 2021


this financial risk, take informed decisions and generate profit from it. However, the nature of non-financial risk makes it far more difficult for banks and supervisors to tackle. Non-financial risk, whether related to misconduct, non-compliance, IT, reputational, cybersecurity or operational challenges, is not linked directly to financial decisions and has only a downside.

In other words, unlike credit or market risk, here there are only potential losses, which can be large. In addition, non-financial risk can only be reduced or mitigated, not eliminated, and it is far more difficult to quantify than financial risk. The following recent cases highlight the magnitude of the impact of NFR on profit.

In October 2019, Joker's Stash, a dark web marketplace specialising in stolen payment card data, added to its inventory a dump of 1.3 million credit and debit card records belonging to Indian banking customers. Based on this information in the public domain, the Reserve Bank of India asked Indian banks to probe the alleged data leak of 1.3 million credit/debit cards (Source: Livemint dated 31st October 2019). Banks were immediately required to secure their customers' data by performing a preliminary analysis of the leaked card information, as per the RBI notice.

Further, banks were advised to take the necessary proactive measures to identify and guard against such misuse of customer credentials. The regulatory guidelines required the banks to understand what went wrong, which control(s) broke down or were non-existent, and which measures should have been taken. Immediate steps were taken to find out how many of the leaked cards matched the bank's own card base, to re-card or re-PIN the matched cards, and to inform the affected customers. The size of such potential losses could be enormous.

The banks were still carrying out root cause analysis and strengthening controls when, in February 2020, the Singapore-based cyber security firm GROUP IB reported a new batch of stolen data, named "(CC) India – BIG-MIX" (so called because 98% of the cards appeared to have been issued in India). The share of valid cards in the dump offered for sale was reported to be 80 to 85%. The details included card numbers, expiration dates and CVV/CVC codes, and in some cases also the customer's full name, e-mail address, phone number and mailing address. Each record retailed for $9, making the data worth $4.2 million (Source: GROUP IB dated 5th February 2020). A record that carries the CVV/CVC alongside the card number and expiry date is sufficient for card-not-present fraud, so re-carding or re-PINning the matched cards, rather than only monitoring them, is the effective remedy.

Such incidents can have a huge financial as well as non-financial impact, so the banks needed to reassess a whole gamut of processes and monitoring tools: the fraud monitoring system, alert generation, the anti-skimming portal, escalation of the detection of skimming devices on ATMs, the External Loss Data Policy used to carry out root cause analysis, the Data Governance Policy for the protection of data, and training and awareness among employees.

The potential losses for the banks are only a matter of conjecture. It is not easy to compile all the losses stemming from the wave of fines and lawsuits that may follow in the aftermath. Apart from the direct financial consequences, which have no upper bound, there are other sources of concern, as these losses generally produce second-round effects, mainly through reputational damage that tends to affect the financial sector as a whole. Customers, shareholders and public stakeholders can question the business models of the banks.

We must acknowledge that non-financial risk presents certain features that can exacerbate or compound the effect of a crisis. It is also very hard to estimate. It cannot be eliminated; at best, it may be mitigated.

Risk Management Process (RMP) for Non-Financial Risk (NFR):

Non-financial risk is tough to quantify as the impact is hidden and embedded and relates to operational aspects like efficiency. However, the organisation needs to go through the following process:

Identify: For example, banks provide a payment service through debit cards, which are linked to the bank's systems. If a transaction fails for some reason, perhaps because of the servers or some other issue, this is a failure of a critical service for the person trying to make the transaction. The bank holding huge credit reserves or liquidity will not solve the problem for that individual. Hence, for the bank to provide a resilient service it has to identify all its critical activities and the risks that may arise. It is very

