
Operational risk case of online banking

In recent years, as information technology has penetrated ever deeper into the financial sector, online banking has grown rapidly, and its operational risks have taken on new forms. The following three cases on the operational risk of online banking have been compiled here for reference.

Online banking operational risk case 1

I. Case narrative

One day a man of about 50, accompanied by a woman of about 30, came to a branch to register for electronic banking. The identity card he presented was genuine and valid, and the bank card he held was a normal card, so on paper the application met the requirement that e-banking be registered in person by the account holder. As the teller talked with him, however, it became clear that the man was slow to respond while the woman with him was quick and alert. The further the teller questioned the man, the more agitated the woman became, pressing the teller with increasingly forceful language. The teller withstood the pressure and, after patient and careful questioning, established that the man was not registering online banking for his own use but for the woman, and that the two hardly knew each other. Recent case reports describe criminals having other people register online banking in their own names and then using those accounts to commit financial crimes, and tellers should be alert to this hidden risk. To protect the customer's interests and the bank's reputation, the teller declined the man's application and told the woman that if she needed online banking she could register at any branch of the bank, at any time, with her own genuine and valid identity documents.

II. Case analysis

Taken as a whole, this is a typical case of using another person's genuine and valid identity documents to register online banking for one's own use. A teller without a strong sense of responsibility and keen vigilance, who simply followed the system and the process, would have completed an application that was formally legal and compliant but carried real risk. Had that risk materialised, it would have caused economic loss to the customer and damaged the bank's reputation.

III. Lessons from the case

The bank currently applies the principle that e-banking registration must be handled and signed in person by the account holder, and in practice tellers follow it rigorously. However, whether the registered service is actually for the applicant's own use is monitored by no one, neither the bank nor any other party. By actively analysing and judging, while handling the business, whether the application is for personal use, tellers add a further firewall to the bank's e-banking. This case yields the following lessons:

(1) Tellers should pay attention to the applicant's motive. When handling this kind of business, tellers should draw on the cases they study in their routine fraud-prevention training and deliberately observe whether the application for online banking registration reflects the applicant's own will; whether other suspicious persons are present; whether the applicant's expression is natural; and whether the applicant could be under someone else's control.

(2) Communicate more with customers during service. Sincere and purposeful communication in the course of service gradually brings to the surface problems that customers themselves cannot see. Many people caught up in a situation cannot see it clearly. As service providers with a duty of care, we should do our best to learn the truth and persuade the other party to step out of their confusion and see the situation clearly, so that they protect themselves.

(3) Explain the risks of online banking properly. When registering online banking for customers, we must explain patiently and carefully, and clearly inform them of the harm of lending their online banking to others and the legal liability they would bear. At the same time we must pay attention to how the message is delivered: a customer who is turned down for risk-prevention reasons should not be left resentful of the bank. Customers should both understand the key points and accept that the bank cannot simply register online banking for them on request.

Online banking operational risk case 2

In an online game, a user, Mr. Xu, saw someone on the chat channel advertising game coins at a low price. Mr. Xu contacted the seller through the QQ number the seller had left. The seller invited Mr. Xu to trade on the well-known online game trading platform 5173 and provided a product link on the 5173 site.

After Mr. Xu paid for the purchase through Agricultural Bank of China online banking, the page showed that the transaction had failed. When Mr. Xu asked the seller, the seller gave him a QQ number purporting to be "5173 customer service" and told him to contact customer service to resolve the matter.

When Mr. Xu contacted the customer service, they asked him to provide his name, ID number and other details for verification. After he provided them truthfully, the customer service sent him a refund link. When Mr. Xu opened it, however, it led to a payment authorization page.

Mr. Xu was puzzled by the page, and the customer service immediately offered to complete the refund by remotely assisting him. Mr. Xu agreed to let the other party operate his computer remotely via QQ. After the authorization had gone through, Mr. Xu felt the other party's operations were suspicious and immediately ended the remote session.

But when Mr. Xu checked his ABC account, he found an additional payment record of 5,900 yuan. Of this, the 900 yuan he had paid up front had in fact bought a phone top-up card whose whereabouts are unknown; the remaining 5,000 yuan had been transferred to an unknown recipient. Nothing in this chain required a weakness in the bank's systems: the "refund link" was a payment authorization page, and the remote session handed the fraudster control of a computer already logged into online banking.

Online banking operational risk case 3

When funds in a personal account at one bank were transferred through that bank's online banking system to a virtual card account bound to a personal credit card at another bank, the amount shown in the virtual card account was twice the amount actually transferred. After discovering this flaw in the banking system, a 29-year-old man used it to draw 19.35 million yuan from the bank and overdraw a further 7.69 million yuan. The case was heard in the Municipal Intermediate People's Court in June 2016, with the verdict to be announced at a later date.

1. Case summary

In 2014, Xiao Wei found that when funds in a personal account at one bank were transferred through that bank's online banking system to a virtual card account bound to a personal credit card at another bank, the amount displayed in the virtual card account was double the amount actually transferred.

At first Xiao Wei thought it was a one-off, but after testing he confirmed that the banking system really did have this flaw. He then used a savings card in his own name, four bank credit cards, and three bank credit cards in his father's name to repeat the operation: transfer funds from the savings card account to the virtual card account bound to a personal credit card, then move the funds from the virtual card account back to the savings card account through the bound credit card, or route them through other personal bank accounts under his control before returning them to the savings card account, and then start again. Over 11 days Xiao Wei made 248 such transactions, inflating the funds in his accounts by 35.28 million yuan.

Because some of the inflated funds were delayed in posting and the bank had meanwhile corrected its monitoring system, the funds actually inflated by the time the case broke amounted to more than 19.35 million yuan. Xiao Wei had also overdrawn 7.69 million yuan of the bank's funds in the course of these operations; the two sums together came to 27.04 million yuan.

The Hubei branch of the bank receiving the money noticed that large sums were frequently moving in and out of seven credit card accounts controlled by Xiao Wei, and that the funds transferred out far exceeded the funds transferred in, which did not fit the pattern of normal credit card use and had produced an overdraft, so it notified the card-issuing Jianghan sub-branch. The next day the Jianghan sub-branch reported the case to the public security organs, who after investigation arrested Xiao Wei in a hotel in Jiang'an District at around 23:00 the same day.

Afterwards the public security organs traced and seized part of the funds Xiao Wei had transferred and spent, recovering 6.77 million yuan of illicit money. The bank also repeatedly demanded repayment by telephone and in person. Xiao Wei returned 1.02 million yuan; 19.25 million yuan remains unrepaid.
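As an added illustration of the mechanism in this case and of the check that caught it (example code written for this page, not the bank's or the court's material), the following Python models a two-leg transfer whose credit leg to a virtual-card account posts double the debited amount, cycles the money round as described above, and then applies two controls: a posting-time check that the credit leg equals the debit leg, and the receiving bank's style of reconciliation, which flags an account whose outflows exceed what it actually received plus its credit limit. Account names, amounts and the credit limit are constructed assumptions.

```python
from dataclasses import dataclass, field

# Amounts are integers in fen (1 yuan = 100 fen); a ledger should never use floats.


@dataclass
class Ledger:
    balances: dict                      # account id -> balance in fen
    virtual_accounts: set               # ids of "virtual card" accounts
    journal: list = field(default_factory=list)  # (src, dst, debited, credited)

    def total(self) -> int:
        return sum(self.balances.values())


def new_ledger(opening: int) -> Ledger:
    """Constructed setup: one savings account and one virtual-card account
    (names are assumptions, not the bank's identifiers)."""
    return Ledger(balances={"savings": opening, "virtual": 0},
                  virtual_accounts={"virtual"})


def credit_leg_buggy(ledger: Ledger, dst: str, amount: int) -> int:
    """Reproduces the flaw described in the case: a credit to a virtual-card
    account is posted at twice the amount debited from the source."""
    return amount * 2 if dst in ledger.virtual_accounts else amount


def credit_leg_fixed(ledger: Ledger, dst: str, amount: int) -> int:
    """Correct credit leg: exactly what was debited."""
    return amount


def post_transfer(ledger, src, dst, amount, credit_leg, verify=False) -> int:
    """Post one two-leg transfer. With verify=True the posting is rejected
    unless the credit leg equals the debit leg, so money is conserved."""
    debited = amount
    credited = credit_leg(ledger, dst, amount)
    if verify and credited != debited:
        raise ValueError(f"leg mismatch: debit {debited}, credit {credited}")
    ledger.balances[src] -= debited
    ledger.balances[dst] += credited
    ledger.journal.append((src, dst, debited, credited))
    return credited


def run_cycles(ledger, cycles, credit_leg, verify=False) -> int:
    """savings -> virtual card -> back to savings, moving the full balance each
    time, as the offender did. Returns the final savings balance."""
    for _ in range(cycles):
        post_transfer(ledger, "savings", "virtual", ledger.balances["savings"], credit_leg, verify)
        post_transfer(ledger, "virtual", "savings", ledger.balances["virtual"], credit_leg, verify)
    return ledger.balances["savings"]


def reconcile(ledger, opening_total) -> int:
    """Conservation check: with no external deposits the balances must still
    sum to the opening total. Returns the amount created out of nothing."""
    return ledger.total() - opening_total


def flag_net_outflow(journal, credit_limits) -> dict:
    """The receiving bank's check from the case: compare what left an account
    with what the counterparty actually sent it (the debit leg, not what the
    faulty credit leg posted). Net outflow beyond the credit limit is flagged."""
    inflow, outflow = {}, {}
    for src, dst, debited, _credited in journal:
        outflow[src] = outflow.get(src, 0) + debited
        inflow[dst] = inflow.get(dst, 0) + debited
    net = {acct: outflow.get(acct, 0) - inflow.get(acct, 0) for acct in credit_limits}
    return {acct: n for acct, n in net.items() if n > credit_limits[acct]}


def demo(opening=100_000, cycles=3) -> dict:
    buggy = new_ledger(opening)
    final = run_cycles(buggy, cycles, credit_leg_buggy)
    flagged = flag_net_outflow(buggy.journal, {"virtual": 50_000, "savings": 0})

    fixed = new_ledger(opening)
    run_cycles(fixed, cycles, credit_leg_fixed, verify=True)

    try:  # the verified posting refuses the faulty leg outright
        post_transfer(new_ledger(opening), "savings", "virtual", opening,
                      credit_leg_buggy, verify=True)
        rejected = False
    except ValueError:
        rejected = True

    return {"final_savings": final, "inflated": reconcile(buggy, opening),
            "flagged": flagged, "fixed_inflated": reconcile(fixed, opening),
            "buggy_leg_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

Three cycles on 1,000 yuan of opening funds leave 8,000 yuan in the savings account with 7,000 yuan created from nothing; the reconciliation flags the virtual account because 7,000 yuan more left it than was ever sent to it, and the verified posting rejects the first faulty leg before any balance changes. The detection only works because inflow is measured from the sender's debit leg rather than from the faulty account's own posted credits, which is the same comparison the receiving bank made in the case.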

2. Commercial banks' prevention of information technology risk is inadequate

Today, as technology develops rapidly, banks offer ever more electronic products, online and mobile banking functions are constantly being added, and competition is intensifying. At the same time, the risks created by software vulnerabilities of all kinds are surfacing at an accelerating rate. In this case a flaw in the bank's online banking gave the defendant the opportunity to use the bank's funds and caused the bank losses. Concretely, a transfer into the virtual card account was credited at twice the amount debited from the source account, and because the inflated balance could itself be transferred out, the error compounded with every cycle; a posting check that the credit leg of each transfer equals its debit leg, or a periodic reconciliation of balances against actual inflows, would have caught it. The risk the bank faced here should be classed as information technology risk: operational, legal and reputational risk arising from technical and management defects in the planning, development, construction, operation, maintenance, monitoring and rollout of information systems.

The main causes of information technology risk are: (1) imperfect system disaster-recovery mechanisms and incomplete contingency plans; (2) outsourced construction of commercial banks' information systems, which makes latent risks more prominent; (3) a growing number of application systems that have not been effectively integrated, increasing system security risk; (4) a weak hardware and software infrastructure; (5) insufficient operational support capacity for information systems, with the attendant risk that data backups are destroyed; (6) information system security risks; (7) early-warning and monitoring systems that still need improvement; and (8) inadequate risk management of products derived from IT.

3. Lessons on risk

The key to guarding against information system risk is to establish an information technology risk management and control system. Commercial banks should learn from the good practice of leading financial institutions and from international standards, strengthen IT risk management and control along four dimensions (organisation, personnel, technology and process), and study and set up IT risk management and control departments, so as to prevent in advance, control during the process and check afterwards, and shift from passive information security work centred on technical defences to active IT risk management and control centred on prevention.

(1) Strengthen the organisation and leadership of IT risk management and control in commercial banks. Establish a system-wide, top-down IT risk management and control structure; assign responsibility for IT risk management; coordinate internally and externally; balance business development against IT risk prevention; increase investment in IT; and actively eliminate major latent IT risks. Attach great importance to building the technology team: build a stable, united and efficient team; strengthen training of staff skilled in both business and technology; organise targeted training for IT specialists; recruit more talent; make effective use of human resources; set up incentive, reward and penalty mechanisms for IT risk prevention; and form a joint effort on IT risk prevention and control, providing a solid human foundation for commercial banks' business development and technology risk control.

(2) Strengthen risk prevention in key IT areas. First, improve the operational support capability of information systems: increase investment in hardware and software to eliminate single points of failure; improve management systems; and draw up contingency plans and run drills to raise resilience and emergency response capability. Second, improve the secure operation of information systems: conduct a comprehensive security assessment of the computer room, network equipment, host equipment, network and data access, and the operational risk posed by technical staff; set up IT risk management departments and posts; strictly separate development from operations and maintenance; staff key posts with primary and backup personnel (the "A/B role" arrangement); and improve the associated management systems. Third, strengthen risk management of outsourced projects: comprehensively evaluate the outsourcing company's scale, technical level, business support capability and confidentiality, and require in the outsourcing contract that it deliver the system's core source code and related materials; build up in-house capability to develop core business systems and to configure system security policy independently as soon as possible. Fourth, strengthen risk management and control of business systems: for incidents caused by defects and deficiencies in IT systems, draw the lessons, carry out thorough remediation, and ensure that personnel controls, institutional controls and system controls are all in place.

(3) Improve disaster recovery mechanisms to ensure business continuity. Even after data centralisation, commercial banks should still ensure the security of local data; for transaction data with relatively high availability requirements, dual-host hardware backup or application-level backup should be used. Banks that are independent legal entities should speed up construction of off-site disaster recovery centres to ensure data safety and integrity. For network resilience, where running primary and backup networks in parallel is not yet feasible, outlets in the same area can lease lines from different network providers to soften the impact of sudden failures.

(4) Improve the integration of information systems and optimise them. As the number of information systems grows, security risk inevitably grows with it. Commercial banks should therefore optimise and integrate the systems already in production, about to go live and planned, and build a unified information asset risk management framework on a complete, centralised base of business data so as to adapt to changing customer needs. Existing business processes, data, data applications and data controls should be vigorously integrated; systems with duplicated functions merged wherever possible; the number of internal and external connections reduced; interrelated systems optimised; and the overall safety margin of information systems improved.

(5) Strengthen regulatory supervision of IT risk and improve risk management and control capability. First, regulators should move quickly to establish a standards system for supervising the risk of commercial banks' information assets, focusing on risk assessment and pricing standards for those assets, and scientifically grade information assets by risk level and management requirement according to factors such as the nature of the business system, the value of the intangible assets, the characteristics of network operation and the quality of the operators. Second, establish a risk supervision system for commercial banks' information assets as soon as possible, providing guidance on system development, use, maintenance and management as well as on the qualifications and quality of network operators and IT companies, so that the whole process from development to use is legal and compliant. Third, further strengthen on-site inspection of IT risk. Grass-roots commercial banks have weak risk prevention capability and are prone to latent risk; the supervisory authorities should regularly inspect and evaluate the operation and risk level of banking institutions' IT systems and press for prompt remediation when problems are found.