The ongoing controversy involving 19 banks, 3.2 million debit cards and over 90 ATMs may have been triggered by lax compliance by vendors and banks, who outsource key ATM functions, according to sources in the banking industry.
Last week some debit cards of leading banks such as SBI, ICICI Bank, HDFC Bank, Axis Bank and Yes Bank, used at regular ATMs and at ATMs maintained by third-party agencies, were found to have been involved in suspicious transactions over three months, with about ₹1.03 crore ‘disappearing’.
The amount was relatively small, but the breach has come at a time when the Indian banking system is opening up with a new category of payments banks and with the entry of private firms.
Among the various factors being investigated, outsourcing of crucial ATM functions to third party vendors is being debated as critical.
“These vendors often break or are lax in their policies and when they have easy access to the card and personal details of a bank customer, it is a platform for leakages,” claimed Vishwas Utagi, vice-president of the All India Bank Employees’ Association. “In order to maintain their profitability and reduce cost, private banks and some public sector banks nowadays pass on crucial work such as card service and maintenance to third parties.”
RBI’s guidelines are also not specific. In 2012, the finance ministry stressed the operational expense model for ATM expansion rather than the usual capital expenditure model, to reduce costs. Under the opex model, third parties install and manage ATMs and get paid for each transaction. In the capex model, the bank manages everything.
Debit and credit card services and maintenance are not specifically covered in the present RBI guidelines on outsourcing.
Some ATMs of Yes Bank had been outsourced to Hitachi Payment Services, a third party technology firm. Hitachi has said no breach has occurred, but the matter is still under investigation.
All the banks mentioned so far have said that the breach had occurred when their customers used ATMs of other banks, virtually questioning the security measures adopted by their peers while defending themselves.
On October 22, NPCI (National Payments Corp of India), an umbrella organisation for all retail payments systems, tried to play down the extent of damage. “Only 641 bank customers have complained about fraudulent activity. The figure of 3.2 million cards is a proactively identified base of customers who have transacted in the set of suspected ATMs in the recent past. This does not mean that all these cards have been used for any fraudulent activity.”
The clarification was given to assuage concerns. According to RBI, in July alone about 697 million debit cards issued by 56 banks did transactions worth Rs 2.19 lakh crore through ATMs and about Rs 17,100 crore was through point-of-sale (POS) terminals at shops and other merchants.
“Outsourcing partners need a lot more vigilance and security control to make sure they don’t endanger the delivery and system risk,” said Rana Kapoor, MD and CEO of Yes Bank. “There is a fair amount of policing as far as outsourcing is concerned and they could sometimes intensify into high operational risks as well.”