Personal Website of R.Kannan
Indian Banking in the New Millenium
Technology in Banking


Computer Related Crimes - Safeguards & Prevention
(Inaugural Address by Shri S P Talwar, Deputy Governor, Reserve Bank of India, at the National Seminar on Computer Related Crime, New Delhi, February 24, 1999)



Definition of computer crimes - "Where computer hackers steal information sources contained on computers such as: bank information, credit cards, and proprietary information"
(http://www.ckfraud.org/whitecollar)


The economic loss caused internationally by Computer Related Crime is estimated to run into large sums. Although this is not the scenario in India at present, this is potentially a high risk area which we have to address with care and in a timely manner. The vulnerability of computer systems which support critical applications, whether in the area of defence or finance, makes it imperative that we acquaint ourselves with the means to prevent and combat this menace. Since banks would be one of the major targets of computer crime, it is necessary for us to have an idea not only of the level of computerisation in the banking industry in India but also of the mechanisms that have been set in place to address the problems that would endanger the systems.

What is a Computer Crime?

One of the characteristic features of computer crime is its transnational character. Computer crimes often extend across national borders thanks to the technological growth in the industry that has made geographical borders insignificant. Remote access facilities have necessitated the harmonization of domestic laws and regulations in tandem with global prosecution needs. However, the precise definition of computer crime itself may vary from country to country.

Broadly, computer crimes are those that are committed either on a computer system or with the aid of such a system. A distinction is sometimes made between 'computer fraud', where the fraud involves the manipulation of computers, and 'computer crime' where a computer is used to commit a fraud.

Types of Computer Crimes

However, it is important not to lose sight of the types of crimes that are often committed. The United Nations Manual on the Prevention and Control of Computer Related Crime classifies such crimes into five categories.

The first and most important type is the committing of a fraud by manipulation of the input, output, or throughput of a computer-based system. This is of special interest to the RBI, which has been entrusted with the task of supervising banks and financial institutions.

Input manipulation is the most common type and results in the changing of input data such as deposit amounts in ledgers, limits in accounts, or face values of cheques. Output manipulation is achieved by affecting the output of the system, such as through the use of stolen or falsified cards in ATMs.

The most well known throughput manipulation technique involves rounding off the sums being credited to different accounts and siphoning the rounded-off digits to another account. No system is foolproof, and fraudulent transfers have been reported even in highly automated and secure fund transfer systems such as CHIPS in the USA and CHAPS in the UK.
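The throughput manipulation just described is hard to see at batch level, because the run's control total still reconciles to within a paisa; it shows up only when every credit is recomputed independently. The following is an added example, not code from the speech or from any bank's system: it models an interest run over six constructed deposit accounts, applies the rounding-off manipulation (round every credit down, pool the shaved fractions into a collector account), and then runs the kind of recomputation audit that detects it. The account numbers, rates, the 90/360 day-count convention and the collector account "AC9999" are all assumptions made for the illustration.

```python
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

PAISA = Decimal("0.01")

# Constructed sample data (not from the speech): a quarterly interest run over
# six deposit accounts. Each tuple is (account_id, principal, annual_rate).
ACCOUNTS = [
    ("AC1001", Decimal("12345.67"), Decimal("0.040")),
    ("AC1002", Decimal("250000.00"), Decimal("0.060")),
    ("AC1003", Decimal("8765.43"), Decimal("0.035")),
    ("AC1004", Decimal("999.99"), Decimal("0.040")),
    ("AC1005", Decimal("4321.09"), Decimal("0.060")),
    ("AC1006", Decimal("65432.10"), Decimal("0.035")),
]
DAYS, BASIS = 90, 360  # assumed day-count convention for the constructed run


def raw_interest(principal, rate, days=DAYS, basis=BASIS):
    """Exact, unrounded interest for the period (Decimal keeps it exact here)."""
    return principal * rate * days / basis


def expected_credit(principal, rate):
    """What the documented procedure should post: round half to even, to the paisa."""
    return raw_interest(principal, rate).quantize(PAISA, rounding=ROUND_HALF_EVEN)


def tampered_run(accounts, collector="AC9999"):
    """Constructed model of the manipulation described above: every credit is
    rounded *down*, and the shaved fractions are pooled into a collector
    account that holds no deposit at all. Returns {account_id: posted_credit}."""
    posted, pool = {}, Decimal("0")
    for acct, principal, rate in accounts:
        raw = raw_interest(principal, rate)
        down = raw.quantize(PAISA, rounding=ROUND_DOWN)
        posted[acct] = down
        pool += raw - down          # the sub-paisa residue siphoned off
    posted[collector] = pool.quantize(PAISA, rounding=ROUND_DOWN)
    return posted


def audit_interest_run(accounts, posted):
    """Recompute every credit independently and compare it with what was posted.
    Returns (per_account_shortfalls, unexplained_credits, control_total_gap)."""
    entitled = {acct: expected_credit(p, r) for acct, p, r in accounts}
    shortfalls = {}
    for acct, expected in entitled.items():
        diff = expected - posted.get(acct, Decimal("0"))
        if diff != 0:
            shortfalls[acct] = diff
    # Any credit to an account that was not part of the interest run is unexplained.
    unexplained = {a: v for a, v in posted.items() if a not in entitled}
    # Control total: all that a batch-level reconciliation on its own would see.
    gap = sum(entitled.values()) - sum(posted.values())
    return shortfalls, unexplained, gap


if __name__ == "__main__":
    posted = tampered_run(ACCOUNTS)
    shortfalls, unexplained, gap = audit_interest_run(ACCOUNTS, posted)
    print("control-total gap (batch view):", gap)
    for acct, d in shortfalls.items():
        print(f"{acct}: posted {d} less than entitled")
    for acct, v in unexplained.items():
        print(f"{acct}: {v} credited with no deposit on record")
```

On the constructed data the batch control total is out by only one paisa, which a tolerance-based reconciliation would accept, while the per-account recomputation flags four short-credited accounts and one credit to an account with no deposit behind it. The design point for an auditor is that the recomputation must use the bank's documented rounding rule, independently of the production code that posted the credits.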

Among the other types of computer crimes, the major ones are:

  • computer forgery, which involves changing images or data stored in computers,

  • deliberate damage caused to computer data or programs through virus programs or logic bombs,

  • unauthorized access to computers by 'hacking' into systems or stealing passwords, and,

  • unauthorized reproduction of computer programs or software piracy.

Characteristics of Computer Crime

The characteristics of computer crime differ from those of conventional crime in that it is relatively easy to commit, difficult to detect and even harder to prove. It is a 'low risk, high reward' venture for the criminal, who, with basic skills and persistence, can easily move large sums of money across countries or enter and destroy valuable data and cause very high damage to the affected organisations.

Computer crime can often turn out to be a 'dark' crime because of the lack of information that law enforcers have on its incidence and spread. This is partly due to the fact that detection of such crime is often difficult and requires a high level of skills, and partly due to the fact that organisations often do not report these crimes for fear of adverse publicity on their systems and controls. One estimate made in 1992 suggested that only 5 per cent of the losses caused by computer crimes were actually reported. This is a matter of great concern for all of us because this would imply that the magnitude of the problem could well turn out to be far greater than what is widely known to be the factual position and therefore requires greater resources for both detection and prevention than the existing available levels. At the same time, it is necessary not to create a scare about its extent in the absence of hard and verifiable evidence.

Detection of Computer Crime

The threat to safe computer operations arises not only from the failure of technology to keep up with the large volume of transactions, or from the failure of associated infrastructure, but also from criminal elements who manipulate the systems either for personal profit or towards destructive ends.

Computer crime is difficult to detect when it is committed by insiders, who have a good understanding of the systems and controls and are thus able to exploit the loopholes without leaving a trace. Computer crime, however, is not the work of insiders alone; it has often been the handiwork of a much wider spectrum of society. School students have been known to break into high security systems just for pleasure. Terrorist groups and organised crime gangs have been known to attempt to sabotage critical systems to cripple economies, or to target large financial institutions to fund their activities. In 1993, a systems analyst in a leading UK financial institution was convicted of attempting to transfer 1.6 million pounds to criminally owned accounts abroad.

Disgruntled employees target company systems to take revenge on their employers while business rivals try to access systems to take advantage of competitors' data.

This diversity, along with the anonymity of the perpetrator who can commit such crimes from remote locations, makes the task of having profiles of criminals difficult and poses a challenge for forensic scientists and criminal investigators.

In this context, I would like to recall an incident reported by a multinational bank a couple of years back. In the reported instance, an IT expert could penetrate the multilayer password system governing the fund transfer facility of the bank, which was allowed to be self-operated by its corporate customers. He could successfully effect wire transfers of millions of dollars from a corporate account to his own and his wife's accounts across continents, to a destination in Europe. Though the corporate treasury manager of the customer was watching the funds being stolen and shifted before his very eyes, he was helpless in the context of such an operation happening in a few seconds. While the cyber reach was possible in seconds, the efforts of law enforcement took time to overcome the continental legal and criminal enactment barriers before they could ultimately nab the above criminal. It is a good gesture on the part of the bank to come forward to share the methodology of the above fraud with the wider public through a business journal.

The above brings me to deal with, and stress, the aspects of legislative changes required in countries' legal frameworks. I understand that one of the purposes behind organising the Seminar is to evolve and introduce relevant criminal laws covering various aspects of evidentiary and penal procedures and practices to tackle such modern crimes involving sophisticated technologies.

Legislation and Computer Crime

With computer crime detection being a difficult task, bringing the criminals to book becomes a formidable challenge since the laws in many countries have not kept pace with technology. Laws were originally designed to protect tangible assets and may not be sufficient to guarantee the protection of electronic bits of data. It is often difficult to attribute guilt using the existing statutes since the act of trespassing into a system and tampering with virtual data may not necessarily be specifically provided for in law. However, this point is being increasingly recognised as an area of concern and more and more countries are therefore enacting specific and comprehensive legislation to cover the acts of computer criminals.

Model acts passed by nations highly dependent on technology tend to provide for enhanced penalties for unlawful access to "protected computers" such as those involved in national security, banking and finance, emergency services and public utilities. Such laws also provide for penalties for unlawful access to any system, unlawful modification of computer programs even through viruses and even to lawful abuse or misuse of computers.

The Reserve Bank has, for its part, taken several initiatives in this regard. The framing of the model Electronic Funds Transfer (EFT) Act and rules, and the suggestion of amendments to various acts such as the Bankers' Book Evidence Act, the Negotiable Instruments Act, the Banking Regulation Act and the RBI Act, is at an advanced stage. The Reserve Bank is also associated with the efforts of the Ministries of Finance, Commerce and Law in the enactment of laws such as the Information Technology Act and the Cyber Laws.

Other Imperatives

The imperative to enhance the levels of computerisation in the banking industry has been strengthened by the Government's IT vision which envisages a revolution in computer penetration by the year 2010 and also by the directive recently issued by the Central Vigilance Commissioner to banks to computerise 70 per cent of banking business by January 2001. These initiatives are important since many of the deficiencies of today's operations can be traced to the outdated manual systems in place. The CVC has also desired that the listed companies should compulsorily offer the Electronic Clearing Services to their customers for payment of dividend and interest warrants. This would help avoid the risks in the existing payment modes and reduce to a great extent the incidence of non-receipt of paper-based dividend and interest warrants despatched by post and their fraudulent payment / encashment.

In future, there would be increasing focus on dematerialisation of shares and securities, which would result in two advantages: first, the prevention of frauds and second, the facilitation of transactions in Government securities on an 'On-line Real Time Gross Settlement' basis.

Security Policy and RBI's Supervisory Initiatives

All organisations which are moving towards a high level of computerisation should have in place a security policy that offers a shared vision of how controls in workplaces should be implemented with the objective of protecting location, information and eventually, the economic value of the organisation. This would need to be supplemented by education and training in these areas and reinforced by the actions and concerns of the top management so that a culture of security can be created. These controls have to be strengthened by surveillance, regular monitoring and auditing to detect unusual usage patterns and deficiencies.

These concerns have been addressed in a focussed manner at the Reserve Bank of India, and the broad approach in this regard is, I venture to place before you, worthy of attention. In the first place, the most important point of emphasis is on prevention of crime. In order to prevent computer frauds and crimes, specific computer procedures have been laid down for each activity area involving computers. These procedures detail specific requirements for

  • formal controls governing physical access to computer areas, in addition to access to computer operations on the basis of passwords, valid user identification, etc., and,

  • technical controls for a number of operations, including standardised and secure message formats, correct authentication, personal identification numbers, digital signatures, encryption and decryption of data, firewalls, and tamper-proof backups.

The next imperative is to conduct computer security audits. This is an activity that is gaining in importance of late and is perhaps one of the best tools available for combating computer crime. Audit of computer security, especially by professional organisations, is a vital requisite to ensure that complacency does not set in within the organisation.

The broad approach outlined here cannot succeed if there is a dearth of skilled personnel. Work is therefore already under way to groom a highly motivated and technically sound group of people at banks who would look after all the requirements of computerisation and also ensure that computer frauds do not occur. It is necessary that the work and operations of this group of technologically expert persons are monitored regularly by managements to ensure that crimes are not perpetrated from inside. This is a challenge, since over 2 lakh personnel have also received training in the handling and concepts of computer systems in the PSBs.

It is also necessary to impart sufficient skills to our bank examiners to enable them to examine records effectively in a computerised operating environment and to put together a picture of the operations, so that they can ensure that they have access to all transactions being put through by banks. Accordingly, under a Technical Assistance project sponsored by the UK Government, the services of international consultants were utilised to impart skills to inspecting officers of the Reserve Bank. A detailed manual was also drawn up for their use.

Simultaneously, as part of the aforesaid project, guidelines were issued to the banks on the maintenance of minimum records in a computerised environment, so that any subsequent investigation would not be hampered by lack of understanding or lack of access to computer data. A circular on the Risks and Controls in Computers and Telecommunications was issued by the Reserve Bank to banks to help them identify the key risks arising out of the continually growing use of computers and to suggest controls to mitigate the consequential risks.

Our analysis of the modus operandi of the frauds committed so far has not revealed any extensive manipulation of the computer systems in the banks. However, cases have been reported where the fraud was facilitated by poor access controls. In a recently reported case, the perpetrator was able to change the borrower's limits stored in the computer by borrowing the password of the authorised personnel. This suggests that the password cannot just be treated as a friendly word. This aspect, in the Indian ethos, needs to be closely looked into, and the system of password determination has to be fool-proof.
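A borrowed password leaves no trace in the limit record itself, since the change is attributed to the legitimate user ID; what gives it away is the surrounding session evidence. The following is an added example, not code from the speech or from any bank's system: it runs two simple checks over a constructed audit trail, flagging a limit change when the same user ID already has a live session on another terminal, or when the change comes from a terminal registered to someone else. The log format (pipe-separated fields), the user IDs, the terminal register and the loan account numbers are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit-trail lines (not from the speech). Assumed format:
# timestamp|event|user_id|terminal|detail
AUDIT_TRAIL = """\
1999-02-22 09:58:10|LOGIN|MGR07|T-04|-
1999-02-22 10:15:42|LOGIN|MGR07|T-11|-
1999-02-22 10:17:05|LIMIT_CHANGE|MGR07|T-11|acct=LN2231 old=500000 new=2500000
1999-02-22 10:19:50|LOGOUT|MGR07|T-11|-
1999-02-22 10:20:30|LIMIT_CHANGE|MGR07|T-04|acct=LN1187 old=300000 new=320000
1999-02-22 11:02:00|LOGOUT|MGR07|T-04|-
1999-02-22 11:05:12|LOGIN|CLK19|T-11|-
1999-02-22 11:06:40|LIMIT_CHANGE|CLK19|T-11|acct=LN4410 old=100000 new=150000
"""

# Assumed branch register of which staff member each terminal is issued to.
TERMINAL_OWNER = {"T-04": "MGR07", "T-11": "CLK19"}


def parse(trail):
    """Split the constructed trail into (timestamp, event, user, terminal, detail) tuples."""
    events = []
    for line in trail.strip().splitlines():
        ts, event, user, term, detail = line.split("|", 4)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, user, term, detail))
    return events


def find_suspect_changes(trail, terminal_owner):
    """Flag LIMIT_CHANGE events where the credential was probably shared:
    (a) the user ID had an open session on another terminal at the time, or
    (b) the change was made from a terminal registered to a different person.
    Returns a list of (timestamp, user, detail, reasons)."""
    open_sessions = defaultdict(set)   # user -> terminals with a live session
    findings = []
    for ts, event, user, term, detail in parse(trail):
        if event == "LOGIN":
            open_sessions[user].add(term)
        elif event == "LOGOUT":
            open_sessions[user].discard(term)
        elif event == "LIMIT_CHANGE":
            reasons = []
            elsewhere = open_sessions[user] - {term}
            if elsewhere:
                reasons.append(f"user also logged in at {sorted(elsewhere)}")
            owner = terminal_owner.get(term)
            if owner and owner != user:
                reasons.append(f"terminal {term} is registered to {owner}")
            if reasons:
                findings.append((ts.isoformat(sep=" "), user, detail, reasons))
    return findings


if __name__ == "__main__":
    for ts, user, detail, reasons in find_suspect_changes(AUDIT_TRAIL, TERMINAL_OWNER):
        print(f"{ts} {user} {detail}")
        for r in reasons:
            print("   -", r)
```

On the constructed trail only the 10:17 change to LN2231 is flagged, on both grounds; the manager's own change from the registered terminal and the clerk's later change pass. Neither check proves misuse on its own, but both are cheap to compute from records banks already keep, and a flagged change should go to a reviewer other than the user ID it is attributed to.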

International Developments

The increasing dependence of banks on computer technology and the concerns arising therefrom are receiving attention from banking regulators the world over. The Basle Committee on Banking Supervision has addressed some of the operational risks arising out of security breaches of banks' computer systems and misuse of computer products in its document "Risk Management for Electronic Banking and Electronic Money Activities" (March 1998).

Having adopted computerisation at a relatively late stage of our banking development, we have the advantage of learning from the experiences of the international community and of setting in place corrective systems and controls in advance. In the area of emerging products, our surveillance has to be particularly strong. This is especially so in retail payment modes, where the actual customers could suffer the most on account of weak security features and counterfeiting or data stealing. This is also an area where, besides supervision, regulation has to be effective and legislative sanctions have to be strongly supportive.


[ Please also refer to Webpage on white collar crimes under Project "Crime & Punishment" for measures to prevent and protect against Internet Frauds ]





[..Page last updated on 15.11.2004..]