Cyberfraud, racketeering and money laundering are reaching sky-high levels. The International Monetary Fund has stated that the aggregate size of money laundering in the world could be somewhere between 2% and 5% of the world's gross domestic product. It is interesting to imagine how much higher these figures would be considering that 'white collar' criminals could take full advantage of the cloak of anonymity in cyberspace to create phantom transactions to move ill-gotten gains from their illegal origins.
Since the birth of internet banking services, the financial sector has become an obvious target for white-collar criminals. This is due to the ability to avoid currency reporting when structuring transactions, the effect of which allows the transfer of illegal funds to be virtually untraceable.
In response to this growing concern, at least six local banks are conducting (or are in the process of implementing) transactional web sites. Other banks are expected to follow suit. The Central Bank of Malaysia has, therefore, recognized that the increase in using the Internet as a means of providing efficient financial services demands an effective regulatory framework to assist in minimizing undetectable and illegal transactions.
The Central Bank has taken an active role to help minimize, if not eradicate, cyberlaundering, fraud and racketeering in Malaysia by issuing a regulatory framework entitled 'Minimum Guidelines on the Provision of Internet Banking Services'.
The guidelines are intended to impose an obligation on financial institutions to manage and control their exposure to the various risks spawned by the Internet, such as:
- strategic risks (eg, arising from adverse business decisions);
- transaction risks (eg, arising from flawed system designs or poor monitoring of fraudulent acts);
- compliance risks (eg, arising from violations of law); and
- reputation risks (eg, due to badly managed systems).
The guidelines require financial institutions to work with and report to the Central Bank. Specific examples of the provisions contained in the guidelines include the following:
- Categorization of internet banking services in terms of informational, communicative and transactional web sites. Due to the low risks involved in operating an informational web site, financial institutions are merely required to notify the Central Bank prior to operation. Conversely, as there are higher risks in interactive and transactional sites, approval from the Central Bank is required prior to the launch of any communicative or transactional web site. In addition, such web sites must be linked to the Central Bank's web site to enable verification of transactions.
- Accountability of board of directors. The guidelines encourage good corporate governance in that the board of directors and senior management of financial institutions are expected to implement policies and procedures as well as a sound system of control to manage and contain internal and external risks.
In this regard, risk management practices were highlighted as an indispensable process for financial institutions, to encourage the adoption of a risk management framework that is sufficiently comprehensive to manage known risks as well as possible future risks. The use of advanced technology and sophisticated risk planning and implementation processes, coupled with effective methods of measuring, monitoring and controlling risks, are essential factors to be considered, adopted and periodically reviewed by the board of directors of banks that provide internet banking facilities.
- Level of system of security. The guidelines stress the importance of data and network security. The protective measures a financial institution takes must be appropriate to the level of risk to which the institution is exposed. This may include the use of firewalls, encryption, penetration testing and intrusion detection.
- Compliance for outsourcing. The guidelines impose specific conditions to which financial institutions must adhere when outsourcing their internet banking systems, including notifying the Central Bank with details of outsourcing arrangements prior to entering into agreements with service providers. As a further measure of control, prior approval by the Central Bank is required for the use of non-resident outsourcing service providers.
Other provisions contained in the guidelines include issues relating to advertisements on web sites, linking arrangements, consumer education and staff training, and strategic alliances with partners in the provision of internet banking products.
Overall, the guidelines are minimal in nature and there is room for improvement. However, they are a suitable foundation in terms of accentuating the need for a strategic plan and policy to ensure information and transaction availability, integrity and confidentiality. Thus, the guidelines are a step in the right direction toward minimizing white-collar cyber crime.
For further information on this topic please contact Sharon Suyin Tan or Pooi Yuee Wong at Zaid Ibrahim & Co by telephone (+603 257 9999) or by fax (+603 254 4888).