Advanced Search

Keynote Address by Mr Yandraduth Googoolye, First Deputy Governor, Bank of Mauritius, at the launch event of Visa Card Security Week 2011 on 11 October 2011

Ladies and Gentlemen

It is an honour for me to be invited to this audience this morning to share my views on the security and risk environment regarding the use of cards in Mauritius.

Electronic money is projected to take over from physical cash for a large part of small-value payments, and continues to evoke considerable interest both among the public and the various authorities concerned, including central banks. The electronic money developments raise policy issues for central banks as regards the possible implications for their revenues, implementation of monetary policy and payment system oversight role. Indeed, it is by virtue of this very last role - maintaining the clearing, payment and settlement system that we take an interest in cards, in the broader context of maintaining financial stability.

Mauritians increasingly use cards to make payments. In recent years plastic cards (credit, debit and other cards) have gained wide acceptance and their use has become popular in the country. The total number of cards issued by banks and outstanding increased from 700,000 as at end-June 2001 to 1.3 million as at end-June 2011. Likewise, the actual usage has registered increases both in terms of volume and value i.e. from 1.6 million transactions amounting to Rs 2.4 billion at end-June 2001 to 4.1 million transactions aggregating Rs 7.7 billion at end-June 2011. These figures are expected to increase even further with the initiative of some banks to provide prepaid cards to an even more sophisticated and demanding clientèle. In view of such a widespread use of cards, issues relating to the regulation of this payment mode as well as those relating to customer protection assume considerable importance. The functioning of the card payment system should not present any risks to the payment and settlement systems in particular and to the country’s financial system in general.

The use of cards is so entrenched in the habits of the population that a serious disruption that affects the entire card system, or large parts of the system, would have serious consequences for the ability of people to make payments. If card payments do not work, then the entire payment system will be disrupted. The Bank’s responsibility for a safe and efficient payment system therefore means that we also have an interest in ensuring that card payments work safely and efficiently.

The popularity of cards is that such a means of payment is perceived as being convenient. People who prefer cards attribute it to the fact that they do not like to walk around with cash. There is also a generational aspect to the choice of means of payment. An increasing number of young persons feel a greater sense of security when using cards than the older age groups and are more than willing to use their cards to make small payments.

It goes without saying that the use of cards exposes stakeholders to risks - but how do we manage these risks while respecting competition and innovation? This calls for collaboration of all those concerned. It is the combination of measures, together with the rigour with which they are implemented and administered, that will serve to reduce risks most effectively - there is no single security measure or set of measures that can be said to provide a guarantee of complete protection.

We, at the Bank of Mauritius, require banks to have robust internal control systems, with appropriate oversight by their board of directors, to ensure that their systems are not used by fraudsters for illicit purposes. Indeed, in today’s IT-enabled banking environment, it has to be recognised that fraud possibilities have assumed international dimensions. It is therefore not only essential to set up a safe platform, but also to ensure that the so-called “Safety” is continuously benchmarked against international standards.

With respect to cards, there are 3 issues relating to information security that assume immense importance, namely confidentiality, integrity and availability at all the relevant stages of entry, storage, and transaction. The threats which bother every one of us in this context are multifold, and range from password hacking, card copying/cloning to data and identity theft at various levels of transaction, information storage as well as transmission stage. Allow me to digress a bit here to underscore the importance of proper screening of staff at all levels, as frauds are very often perpetrated by employees themselves. Indeed, financial institutions are not only exposed to outside threats, but they are now faced with a new threat, inside violations. Today’s employees are able to easily export sensitive files and information via email or by copying data to portable media. It is imperative that financial institutions have control over their sensitive information, how it is used, and who obtains it. The real challenge in this environment goes beyond merely providing additional technology solutions and increasingly complex security layers.

Another trend that we have observed of late is the outsourcing of credit and other payment card services to specialist third parties. This is mainly done to benefit from the expertise of the third party which may not be available in-house and/or as cost-cutting measure. However, there is very often over-reliance and inadequate diligence on the service providers. Our licensees are required to strictly follow the risk management principles enunciated in the Guideline on Outsourcing for Financial Institutions issued by the Bank of Mauritius and address the risks inherent in outsourcing. Outsourcing of those activities would have to be approved by the board of directors of the financial institution in the first instance and subsequently by the Bank of Mauritius. In addition, the outsourcing of such services is contingent upon the third party service providers agreeing that their services are subject to regulation and examination by the Bank of Mauritius to the same extent as if such services were being performed in-house.

So much for the role of the Bank of Mauritius in ensuring that banks and other financial institutions have systems in place that deter card-related fraud. But the fight against fraud calls for the active involvement of other stakeholders. Customers, on their part, have to act in a responsible manner. Simple things like following the recommended fraud prevention advice - which is quick and simple to follow - can considerably reduce the chances of falling prey to fraudsters. It is however essential that card issuing banks and card associations regularly run awareness campaigns for the benefit of consumers.

An ancillary issue relates to customer grievances in respect of credit cards. In this context, I make an appeal to banks for greater transparency and disclosure, since there is often an asymmetry of information, both written and oral, between the card-issuing bank who has complete information and the card holders who very often do not have complete information on their rights. In particular, we have observed that card issuing banks provide enormous information to their customers but the language used is legal terminology which is not easily understandable to ordinary customers. In addition, the written information is often printed in very small print which hinders easy readability, and important information is buried with other information. There are no standards in this regard among the card issuing banks. I take this opportunity to encourage card issuing banks to adopt a more customer-friendly approach with clear terms and conditions for card issue and usage, in simple language comprehensible to a layman, prominently displayed, easily readable and, most importantly, the crucial items highlighted. The card issuing banks may continue to send the document containing the normal terms and conditions as is being done now.

It is widely recognised that traditional credit cards are most prone to frauds - the problem with the black magnetic stripe on the back of a credit card is that it’s about as secure as writing account information on a postcard: everything is in the clear and can be copied. Card fraud and the measures taken to prevent it, cost merchants, banks and consumers billions each year across the globe. In contrast, smart chip cards can’t be copied, which greatly reduces the potential for fraud. Smart cards with built-in chips are the equivalent of a safe – the information contained therein can only be unlocked with the right key, which means that the cards can not be replicated.

One of our banks introduced the smart cards a few years back. Let me take this opportunity to encourage other banks to follow suit. This will entail in some cases complete upgrading of ATM terminals to support chip-based ATM cards, but the long-run benefits of such an upgrade will accrue to all stakeholders.

We believe that a smoothly operating infrastructure can greatly enhance financial security. This concept includes the payment system, the technological infrastructure, as well as the regulatory and supervisory framework.

An important function of the Central Bank is to oversee the payments system as inability to make payments in an economy would have a far reaching and widespread bearing on society.

Technological infrastructure is perhaps the most important component to secure financial operations. Financial systems continuously need to adapt themselves to the rapidly increasing technological innovations. This includes new products, necessitating increased awareness by the users and supervisors of the risks and benefits inherent in them. On this front, the Bank of Mauritius took proactive steps way before the financial crisis in 2007 to re-structure the Payment Systems and market infrastructures area and to endow the country with a modern and innovative payment system. The world is rapidly moving towards a real time economy where all types of transactions are digital, automatically generated and completed in real time. Payment systems, being one of the most inter-related sectors of the modern economy, the call for innovation sounded, even more urgent for all its operators.

The new software for the Mauritius Automated Clearing and Settlement System (MACSS) was the step in this direction with which, we have been able to provide extended services in multi currency – a premiere in Africa.

In the course of this year the Bank of Mauritius came forward with a series of innovative projects – Bulk Clearing System, the Cheque Truncation and On-line Auctioning of bills – that will change the payments landscape of the country. Bulk clearing system is a new payment mechanism where low value inter bank payments are electronically cleared and settled in the MACSS. This system will cater for recurrent payments such as salary, direct debits etc. and will help banks better manage their liquidity requirements for the day. It will contribute towards lowering the cost of payments. Both systems went live on 6 September 2011.

Closely coupled payment and securities systems contribute towards maintaining the stability of the financial system. In order to provide strict delivery versus payment for Government securities, the Bank of Mauritius has already tested on a pilot basis, a system for on line auctioning of bills. The first phase of this system was rolled out on 7 October 2011.

Finally, I would like to thank the organiser, Visa, in bringing together the main players in the card business chain, the cooperation among which is vital for resolving the various security, risk and fraud issues facing the card payment systems.

I wish you plenty of success for the Visa Card Security Week 2011.