Bharat Panchal is working as a Chief Risk Officer for India, Middle East & Africa for FIS, a Fortune 500 and global fintech leader.
He is responsible for creating a risk culture at FIS and its ecosystem by designing, implementing and monitoring risk controls. Panchal holds an MBA degree in Information Systems and has over 26 years of experience in risk management, mainly in the banking and telecommunication industries. He was honoured with the prestigious “Security Leader of the Year” Award in 2014 and 2017 by the Data Security Council of India (DSCI) for his significant contribution to cybersecurity in the banking sector.
By Augustin Kurian, Senior Feature Writer, CISO MAG
You are responsible for creating a risk culture at FIS and its ecosystem. What are the biggest challenges you face in doing so, and how do you overcome these challenges? Apart from this, what is your charter at FIS and your plan for this year?
Today, ‘risk’ is not a static or dry subject. Technology has brought lots of dynamic changes in our lives, so risk is also now dynamic in the ever-changing threat landscape. This is an amalgamation of many things. It should begin by changing the attitude of people. Because even if you have good technology and processes, you will need to nurture people to increase their risk-taking ability. When it comes to risk management, it gives confidence to people on how much more risk they can take. Because risk management is a function that is safeguarding them by giving early warning about such events – it is how efficiently you can manage it.
Risk is more about predictability. So, for any risk manager, the plan is always to identify more and more risks which may occur. So, if we are impacted in certain areas, which are probably a concern for risk, compliance, security and many other central functions, we continuously monitor such activities and events which may potentially turn into a risk later. We are cautious about that. We are aware of those risks and try to mitigate them as and when they occur. It is always future-proof planning.
The big difference you need is to walk the talk — become a role model, and that is how you can bring a risk culture into the organization. So, in a nutshell, it is about influencing people that risk should be considered as an enabler.
Looking back on your career, especially your role as Chief of Risk Management for National Payments Corporation of India (NPCI) – what were your biggest achievements? What were some of the innovations on the security side that were introduced during your tenure at NPCI?
I think this was the best era that India has ever witnessed with the digital wave – be it for the financial sector, be it for banking, be it even for a common man. India, at large, was introduced to DBT (Direct Benefit Transfer) in banking in the last ten years. Earlier, the bank branch was the only option for any banking transactional activity. Unless you physically visited the bank, nothing was possible. Now, everything has moved into the digital space. It has spread across the banks and now almost every banking institution in the country is implementing mobile-based transactions, web-based transactions or UPI.
I was lucky to be part of this first-ever digital evolution in India’s banking sector. What we did at NPCI is what every Indian is using today — be it mobile banking, IMPS, UPI, RuPay, NETC, BBPS or AEPS, the most efficiently used product by the government today for DBT (Direct Benefit Transfer). I think, for me, it was a worthy field on which I have roped. In addition to the implementation of robust security controls within NPCI’s own infrastructure, whatever risk framework or controls I have created for the entire ecosystem have become staples today. Some of them are real-time fraud monitoring, implementation of a network compliance program for over 2000 banks by a single network, a member onboarding program, a card vendor security program, a very unique settlement risk management, etc.
The implementation of common adequate controls across banks was really a big challenge because India is a country with diversity in terms of digital banking — public sector banks, private sector banks, cooperative banks, and very small community banks. So, every bank had a different way of dealing with security. Hence, keeping every bank connected with NPCI’s central platform in a controlled environment, with millions of transactions occurring every day while providing safety and security in each transaction, was one of our key achievements.
More businesses are embracing digital and outsourcing pieces of IT functionality to third parties. Third-party vendors in turn outsource to sub-contractors. That increases the risk quotient and broadens the attack surface for the organization. What should organizations be doing to mitigate these new risks?
Banks are becoming technology companies today due to increased dependency on technology. Yet their main function remains banking. Nobody else understands credit risk, market risk and liquidity risk better than banks do. But when it comes to technology risks, banks or financial institutions are not always capable of managing them in an efficient way.
And this is the point when there is more reliance on outsourcing. The fintech approach to IT infrastructure has helped increase the digital footprint of banks to meet the demand from customers for seamless availability 24/7. Earlier, banks used to stop activities at 4 pm. Now it is round the clock as it is outsourced to fintech companies that are running the show. Fintechs need not know banking; all they need to know is how to run the technology for banking. So, that is a good model which has emerged.
Selection of IT partners for outsourcing is a very important aspect, and risk parameters for outsourcing decision-making must include safety, security and availability as core risk requirements, and that is where FIS comes in. We provide safety, security and availability, which are the prominent requirements for the bank from the outsourcing perspective, which provides so much efficiency. Today, we are present in 132 countries because of this reason. This model is working successfully for a large sector of banks in the US, India, Europe and Latin America.
But when it comes to outsourcing, one needs to understand very clearly what to outsource and what not to outsource. Regulatory compliance has become stricter and demands lots of checks and balances on the risk appetite of banks, and eventually the banks are responsible for complying. Hence, banks must know what they are outsourcing in view of the business compliance requirements.
We see a lot of fraud happening in India and people are now hesitant to use mobile wallet apps. There are reported cases where people have lost their life savings through wallet fraud. Do you think it is a weakness of the technology and poor security controls or is it just a lack of awareness and alertness?
Well, frauds can happen because of two reasons. One, there is a technical flaw, which the customer is not aware of, but a fraudster or hacker exploits it and uses it to commit fraud. Second, the customers knowingly or unknowingly give away credentials to fraudsters, which are used later to commit fraudulent activities.
When a customer goes to an ATM and his card is skimmed, he will never come to know of it. He has just done the transaction as he has been doing. Later, his card gets used fraudulently. So, here the customer is not involved. But that’s not the case in all types of channels. Let’s take the example of UPI. In UPI or any mobile wallet based on UPI, there are three layers of security, which cannot be compromised technically.
All frauds happening today on UPI are not because of a technical flaw but because of the customers’ unawareness. Unless a customer shares some information with a fraudster, one cannot just compromise an account. It is just impossible. With my experience after investigating so many frauds in my previous role, I have concluded that no UPI frauds are happening today without the customers’ involvement. In my view, 80% of fraud in India, especially in this segment of mobile and UPI, happens out of greed. Customers often get calls like – you have got a bonus; you have got PF (Provident Fund); you have got some LIC policy which you had started two years ago; or you have got some reward. So, you know, all this is out of greed and people are giving information to fraudsters.
20% of frauds are happening because of fear like – your account is going to be blocked or the account will be deactivated unless some amount is paid. All this is because of the fear that is being created. Eventually, it is social engineering that is used successfully by fraudsters, and customers are falling prey to it. The customer shares all the credentials: they share the OTP, receive a fraudulent SMS, click a link somewhere which they received on WhatsApp or email or SMS, and are redirected to a Google form which asks the customers to fill in details such as – name, mobile number, card number, expiry date, CVV, OTP, everything. If the customers fill in this form, no technology can safeguard them. However, I am not saying that technology is 100% foolproof. It could be possible that some or the other flaw may be detected. But the current platform is much more secure compared to any other products.
What are the initiatives taken by the regulator and the Indian authorities to address wallet fraud?
There is continuous improvement happening in all aspects. RBI has now formed a fraud data repository in which banks need to compulsorily report frauds, which can be used for analytics purposes, and some action can be taken to overcome them. Banks are now investing in resources for the real-time monitoring of fraud. We have a solution for real-time fraud monitoring – Memento – which many banks have implemented or are in the process of implementing in India. This can successfully predict the probability of fraud before the accounts are debited. Banks are investing in these kinds of innovative products. We are also helping our customers, those who are availing services from FIS, to invest not only in technology but also in people and services. So, together we can provide them with some experts and technology to solve this fraud mania. A lot of innovation is happening by banks, by regulators and by leaders like us in terms of fraud prevention.
With the current WFH situation and moratorium announcement by the RBI, there have been reports on the surge in attacks on several fronts. What are the key things to keep in mind to mitigate frauds?
I think there are no credible data available, as of now, which can confirm that there is a significant increase in the number of attacks. But, from informal sources and going by the trend that I have been following, there is an increase in the number of cyberattacks. But eventually what will happen is that they will come to light only when people come back to the office, brainstorm, analyse the data and compare it with the pre- and post-Corona situation.
Only then will we have the real statistics about the increase. There are two parts to it. One, for sure, is that while we all know most people are working from home, it is too difficult to replicate the same controlled environment of working from the office. So, there is a possibility where some or the other weak control may be exploited by the fraudsters, resulting in damage. Fortunately, no such events have been reported so far. But there could be a remote possibility because the level of control differs between working from home and working in the organization. Probably the critical infrastructure and the big organizations have adequate controls, but they may want to enhance the controls beyond what they are right now.
The second is on the consumer side. There are many frauds reported, especially with the announcement of the moratorium on loans. And it is a universal fact that fraudsters are always much ahead of us. The day the moratorium was announced, people started selling false products, asking people for their card details, account details, OTP and everything. There is greed, as I mentioned earlier. Customers give everything without knowing that there is no need to give the username and password of net banking accounts to avail moratorium benefits. There are multiple cases of this new modus operandi in this moratorium, and fraudsters have duped people with the false information that RBI has announced three months but they can extend the time up to another three months.
Customers are asked to pay some amount which the fraudsters get. Again, it is not an account takeover. But you know, if I am paying, let’s say, INR 2 lakh a month (approximately US$2,633.44), and INR 6 lakh for three months (approximately US$7,900.64), and instead of that I am going to save INR 12 lakh for six months (approximately US$15,801.28), I might not mind giving INR 10000 (approximately US$131.683) to a guy who is offering me six months’ ease of payment.
People have paid money to fraudsters in such cases where they get an extension in the moratorium for six months. Several such things are happening and unfortunately, people are falling into the trap of fraudsters. But again, my take on this is that greed and fear are the biggest reasons. Customers need to act wisely. There is no bank anywhere in the world that will ask for username and password ever, for any reason whatsoever. This message must go to the customer and that is how one can prevent frauds.
How will the world be after this COVID-19 phase? What do you expect to be different in a post-lockdown world?
I think the service culture must change significantly post the COVID-19 situation, because the way we used to analyse risk in terms of various scenarios and various probabilities has gone for a toss completely.
Because, for example, we used to have business continuity from city to city and country to country. But nobody ever thought that the whole world would be shut for so many days. So that has changed completely. We never envisaged anything beyond 1 or 2% of people working from home if there was a demand, with the remaining available. The situation has completely reversed. Only 1 or 2% of the people are working in the office and 98% are working from home. This invites many new risks. And therefore, these were never thought of.
From a credit perspective, whatever business proposition we did about receivables has gone for a toss, which has impacted other liquidity issues. Because at no point in time did anyone envisage a lockdown for three or four months down the line. I believe it is the time where we, the risk professionals, must think of completely different risk scenarios in the future, because newer risks which were never ever thought of have emerged. A newer risk-covering product may come from the insurance side with new risk modelling, or risk analytics models for banking may completely change for the aforementioned scenarios.
Newer services and newer methods will be identified because the world has changed significantly right now and that will impact the ability of risk managers to see things differently and control those in the time ahead. So that is something which is very, very important from the risk side.
Augustin Kurian is a Senior Feature Writer and part of the editorial team at CISO MAG. He writes news features on cybersecurity trends.