Information security of bank cashless payments. Part 1 - Economic Basics



    What is the study about


    Information security of banks is one of the most interesting practical security tasks. The large sums of money that banks hold, together with the wide spread of online technologies and Internet payments, make banks a tempting catch for the bad guys from the dark side. And where there are problems, there must be solutions.

    This study presents the results of work on ensuring the information security of one of the most vulnerable areas of a bank: the process of making cashless payments.

    The study turned out to be quite extensive, so it will be published in parts. We start with the first part, which explains what cashless payments are from an economic point of view.

    Terms, definitions, assumptions and conventions
    The purpose of the study is to systematize knowledge, solutions and experience in ensuring the information security of bank cashless transfers.

    Sources of information:

    • open materials from the Bank of Russia website,
    • legal reference systems,
    • materials and publications in the media,
    • reports of companies specializing in security,
    • own experience and personal communication with colleagues.

    Assumptions:
    The model of organizational and technical interaction of credit organizations and the Bank of Russia adopted in the Moscow region is taken as the basis.

    When considering the economic fundamentals, issues related to the collection of commissions and accounting will be omitted.

    Terms:
    The study will use the terms and definitions in the sense in which they are used in the current legislation of the Russian Federation.

    Synonyms:
    Bank = credit institution.
    Non-cash payment = money transfer.
    Payments = Settlements.

    Cash settlements vs. cashless payments


    Historically, the first types of payments were cash payments. The buyer handed over the banknotes to the seller, and in return received the goods or service.


    Fig. 1

    Let us analyze the pros and cons of this form of payment from the point of view of the buyer and the seller, as well as from the point of view of the state economy as a whole.

    Analysis of cash settlements from the point of view of the seller and the buyer

    Pros:
    Provides the buyer and the seller with maximum freedom and independence from third parties. The main requirement is that banknotes be well protected from counterfeiting and available in sufficient quantity.

    Cons:
    Significant inconvenience, and sometimes the impossibility, of making purchases without personal contact between the parties to the settlement. The need to ensure the safe storage of cash.

    Analysis of cash payments from the point of view of the state

    Pros:
    A historically established form of settlement to which the population is accustomed.

    Cons:
    With cash payments, money "settles" with the sellers and ceases to "work" until the seller spends it on a purchase.
    The state bears infrastructure costs for the production of banknotes, their logistics and disposal.
    Cash payments are practically not controlled by the fiscal authorities (tax inspectorate) and create conditions for the development of the shadow economy and tax evasion.

    Thus, it is clear that for the state cash payments are an evil it would gladly prohibit, were it not for the sharp protest this would provoke among the population. Since a complete ban is impossible, restrictive measures are applied instead.

    In Russia, in particular, it is established by law (Civil Code, Article 861; Bank of Russia Ordinance 3073-U dated 10/07/2013) that only citizens, and only for personal purposes, may use cash without restrictions; for everyone else (individual entrepreneurs, legal entities, etc.) the use of cash is strictly limited.

    Non-cash payments, unlike cash payments, imply the presence between the seller and the buyer of a third trusted party - an intermediary who, on behalf of the parties, performs settlements between them.

    Cryptocurrencies such as Bitcoin, Ethereum and others allow payments without intermediaries (not counting miners), but so far the status of these systems has not been legally defined, and their description is beyond the scope of this article. Here we will only consider “classic” cashless payments, where credit organizations (banks) act as the third trusted party.

    Bank accounts and non-cash money


    Non-cash payments are made with money in non-cash form. Let us consider the mechanisms for converting money from cash to non-cash form and back.

    It all starts with the fact that a client, whether an individual, a legal entity or an individual entrepreneur, enters into a contractual relationship with a credit institution that has a Bank of Russia license to carry out banking activities.

    The client hands cash over to the bank; the bank accepts it and records it on a bank account opened specifically to account for settlements with this client. When the client deposits money, the balance on this account increases; when the client withdraws money, the balance decreases.

    Once the client has deposited cash into the bank, it turns into non-cash money, which, greatly simplified, is not even money but the bank's obligation to perform certain services for the client, such as paying out cash to the client, transferring money, and so on.

    In addition to cash deposits and withdrawals, the balance on the client's bank account can increase and decrease through the receipt of non-cash transfers from third parties and the execution of transfers to third parties, respectively. It is important to note that non-cash money is not an obligation of the banking system as a whole, but an obligation of the specific bank where the bank account is opened. This becomes especially clear when the bank servicing the account goes bankrupt: the money (the account balance) is seemingly still there, but it cannot be used.

    Bank accounts come in different kinds. Individuals open current accounts or special card accounts at a bank. Legal entities open settlement accounts with banks. To carry out settlements with each other, banks open correspondent accounts with other banks. Without going into details, all these accounts function roughly the same way: an increase in the account balance increases the obligations of the bank where it is opened, and a decrease in the balance reduces the bank's obligations. For simplicity, from here on we consider only settlement and correspondent accounts.

    At this stage, for our purposes the bank consists of two main parts:

    1. a register of bank accounts containing the balances on customer accounts;
    2. the bank's cash, consisting of the money of all customers and the bank's own funds.


    Fig. 2

    One of the main sources of bank income is lending. The bank gives money to a client for temporary use, and the client returns it with interest. To run this kind of business the bank needs money it can lend out, and this is where the customers' money held on accounts in non-cash form comes into play.

    The key idea is that the bank never holds all of its clients' money. Instead, the bank keeps statistical records of customer activity and "guesses very accurately" how much money customers may need for current settlements. The rest of the money is allocated by the bank to lending.

    Payment Mechanisms


    Consider how a non-cash payment is made between a payer and a recipient (hereinafter we call them clients) served by the same bank.

    Transaction 1.
    Client A transfers money to Client B. To execute the transfer, the Bank reduces the balance on Client A's settlement account by the transfer amount and increases the balance on Client B's account by the same amount. The total amount of money in the bank does not change.

    With cash settlements, payments are always of one type: the payer voluntarily hands the required sum to the recipient. With non-cash payments, the settlement schemes can differ:

    1. the payer may, at his own discretion, instruct the bank to make a payment to the recipient from the funds on his bank account - settlement by payment orders;
    2. the recipient may request the bank where the payer's account is opened to make a payment to him, if there is an agreement with the payer or in cases provided for by law. The payment may then be made with the payer's acceptance - settlement by payment requests, or without acceptance - settlement by collection orders;
    3. the payer and the recipient may agree that the bank will make the payment to the recipient once the latter submits to the bank pre-agreed documents confirming the transaction - settlement by letters of credit;
    4. other forms, which can be found in clause 1.1 of Bank of Russia Regulation N 383-P dated 19.06.2012 "On the Rules for Transferring Funds".

    The most common form of settlement is payment order settlement.

    Regardless of the form of settlement used, the Bank reports to the client on all transactions made on his account by issuing a special document - the account statement.

    The payment order and the account statement are the main legally significant documents used by the client and the bank for accounting purposes and for litigation in court.

    It is important to note that once the client has received a payment to his settlement account and it is reflected in the account statement, the bank has no right to return the payment to the sender, even if the payment was made by mistake or maliciously. A refund is possible only with the recipient's consent or by court order. The most a bank can do is block the funds in the beneficiary's account, guided by the legislation on countering the legalization of proceeds from crime.

    Note
    The Civil Code of the Russian Federation (Civil Code, Article 1102, "Obligation to return unjust enrichment") requires the recipient to return funds to the sender if they were sent without grounds or by mistake.


    Direct correspondent relations


    Earlier we examined how a transfer is made between clients served by the same bank. Now we complicate the task and consider how settlements are made between clients served by two different banks.

    To conduct interbank settlements, banks must establish correspondent relations with each other. The essence of these relations is that one bank, Bank 2 in the diagram below (Fig. 3), becomes a client of Bank 1 and opens a special bank account there, called a correspondent account. After opening the correspondent account, Bank 2 deposits some money into it, a kind of cash buffer within which clients of Bank 2 will be able to send payments to clients of Bank 1.


    Fig.3

    To understand how this works, consider an example. Suppose Bank 2 has placed, say, 1 million rubles on its correspondent account with Bank 1.

    Transaction 2.
    Client B, served by Bank 2, wants to send, for example, 500 thousand rubles to Client A, served by Bank 1. To do this, he draws up a payment order indicating Client A as the recipient and 500 thousand rubles as the payment amount, and submits it to Bank 2. Bank 2, having received Client B's order, sees that the payee is Client A, served by Bank 1. Bank 2 then forwards the order to Bank 1, which debits 500 thousand rubles from Bank 2's correspondent account and credits them to Client A's bank account; after that, Bank 2 reduces the balance on Client B's bank account by 500 thousand rubles.

    Transaction 3.
    Now consider an example in which Client A sends 2 million rubles to Client B. To do this, Client A sends the corresponding payment order to Bank 1. Bank 1 debits 2 million rubles from Client A's settlement account and credits them to Bank 2's correspondent account, after which it forwards Client A's payment order to Bank 2; upon receiving it, Bank 2 increases the balance on Client B's settlement account by 2 million rubles.
    After transactions 2 and 3, the balance on Bank 2's correspondent account will be 2.5 million rubles.

    Transaction 4.
    What happens if Client B sends 3 million rubles to Client A? Everything proceeds as in transactions 2 and 3, except that the payment will not be executed until Bank 2 tops up the balance on its correspondent account by the missing 500 thousand rubles.


    Bank of Russia payment system


    The payment mechanism between two banks that we have just examined is simple, but it has a significant drawback in terms of scalability. With a large number of banks, establishing and maintaining correspondent relations between every pair of banks is difficult to implement. Therefore, the main instrument for interbank money transfers in the Russian Federation is the Bank of Russia payment system.


    Fig. 4

    The main idea of this payment system is that the Bank of Russia acts as a single point to which all banks are connected and through which payments pass from one bank to another.

    Each credit institution, upon registration and obtaining a banking license, opens a correspondent account with the Bank of Russia.

    To distinguish one bank from another, banks are assigned bank identification codes (BIC). The Bank of Russia regularly updates and publishes the BIC directory on its website. Knowing the BIC, one can also use this directory to find the number of the bank's correspondent account opened with the Bank of Russia. The combination of BIC and settlement account number uniquely identifies a client's settlement account within the entire payment system of the Russian Federation.

    Let us consider how an interbank payment is made through the Bank of Russia payment system. We take as a basis the interaction of clients and banks illustrated in Fig. 4.

    Transaction 5.
    Client D makes a payment to Client B. To do this, he sends his bank (Bank 3) a payment order indicating Client B as the payee.
    Bank 3, having received the payment order from Client D, sees that the payee (Client B) is not its client and forwards the payment order to the Bank of Russia.
    The Bank of Russia reduces the balance on Bank 3's correspondent account by the payment amount and increases the balance on Bank 2's correspondent account (the recipient's bank) by the same amount. After that, the Bank of Russia sends the payment order to Bank 2 and sends Bank 3 a notification that the payment has been executed; Bank 3, in turn, reduces the balance on Client D's settlement account.
    Bank 2, having received the notification from the Bank of Russia, increases the balance on Client B's settlement account. Both banks, Bank 2 and Bank 3, reflect the movement of funds on the settlement accounts in account statements and provide them to their clients.
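    As an added example (not code from the article), here is a small Python model of the ledger mechanics in Transactions 1 to 5: each bank keeps one register of balances, a correspondent account is simply a register entry whose holder is another bank, and the Bank of Russia is modelled as one more register in which Bank 2 and Bank 3 hold correspondent accounts. Client C at Bank 1, Client D at Bank 3, all starting balances, and the amounts of Transactions 1 and 5 are constructed for the demo; the article gives only the amounts of Transactions 2 to 4.

```python
from collections import defaultdict

def post(entries):
    # Post a payment atomically: if any debit lacks funds, write nothing and
    # report failure; otherwise write every (bank, holder, delta) entry.
    if any(delta < 0 and bank[holder] < -delta for bank, holder, delta in entries):
        return False
    for bank, holder, delta in entries:
        bank[holder] += delta
    return True

def pay(banks, payer_bank, payer, payee_bank, payee, amount, via=None):
    # Execute one payment order. Each bank is a register mapping a holder (client or
    # another bank) to a ruble balance; an entry held by a bank is its correspondent
    # account in this register. 'held' means the backing balance is too small (T4).
    src, dst = banks[payer_bank], banks[payee_bank]
    if src is dst:                                    # Transaction 1: same bank
        entries = [(src, payer, -amount), (src, payee, amount)]
    elif via is not None:                             # Transaction 5: through the hub
        hub = banks[via]
        entries = [(hub, payer_bank, -amount), (hub, payee_bank, amount),
                   (src, payer, -amount), (dst, payee, amount)]
    elif payer_bank in dst:                           # Transaction 2: payer's bank holds
        entries = [(dst, payer_bank, -amount),        # a corr. account at the payee's bank
                   (src, payer, -amount), (dst, payee, amount)]
    elif payee_bank in src:                           # Transaction 3: payee's bank holds
        entries = [(src, payer, -amount), (src, payee_bank, amount),  # a corr. account here
                   (dst, payee, amount)]
    else:
        raise ValueError("no correspondent relation between the two banks")
    return "executed" if post(entries) else "held"

def client_money(banks):
    # Total of all non-bank balances; payments move it around but never change it.
    return sum(bal for b in banks.values() for h, bal in b.items() if h not in banks)

def demo():
    # Replay the article's transactions with constructed starting balances.
    banks = {n: defaultdict(int) for n in ("Bank 1", "Bank 2", "Bank 3", "Bank of Russia")}
    banks["Bank 1"].update({"Client A": 3_500_000, "Bank 2": 1_000_000})   # Fig. 3
    banks["Bank 2"]["Client B"] = 4_000_000
    banks["Bank 3"]["Client D"] = 1_000_000
    banks["Bank of Russia"].update({"Bank 2": 0, "Bank 3": 2_000_000})     # Fig. 4
    log = [pay(banks, "Bank 1", "Client A", "Bank 1", "Client C", 500_000),    # T1
           pay(banks, "Bank 2", "Client B", "Bank 1", "Client A", 500_000),    # T2
           pay(banks, "Bank 1", "Client A", "Bank 2", "Client B", 2_000_000),  # T3
           pay(banks, "Bank 2", "Client B", "Bank 1", "Client A", 3_000_000),  # T4: held
           pay(banks, "Bank 3", "Client D", "Bank 2", "Client B", 700_000,
               via="Bank of Russia")]                                          # T5
    return banks, log

if __name__ == "__main__":
    banks, log = demo()
    print(log, {n: dict(b) for n, b in banks.items()})
```

    After the demo, Bank 2's correspondent account at Bank 1 holds the article's 2.5 million rubles, Transaction 4 is reported as held, and the total of client balances across all banks is unchanged.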

    If there are several possible routes for the money flow, as between Client B and Client C in Fig. 4, the sending bank decides how to route the payment: through direct correspondent relations or through the Bank of Russia payment system, depending on the parameters of the payment, its cost and other conditions.

    Money transfers in the Bank of Russia payment system are carried out:

    1. in real time, using the banking electronic urgent payments service (BESP);
    2. in discrete mode, using the mechanisms of intraregional electronic settlements (VER) or interregional electronic settlements (MED).

    Real-time payment processing is like taking a taxi: the payment arrives at the Bank of Russia and is processed immediately. Discrete-mode processing is like travelling by bus: payments are first accumulated and then all processed together as a batch. During the operational day, the Bank of Russia performs several such flights.

    The flight schedule adopted in the Moscow region is published on the Bank of Russia website and consists of five flights:

    Flight          Acceptance of electronic documents   Processing of electronic documents   Processing time
    First flight    10:00 - 11:00                        11:00 - 12:00                        from 12:00
    Second flight   11:15 - 14:00                        14:00 - 15:00                        from 15:00
    Third flight    14:15 - 16:00                        16:00 - 17:00                        from 17:00
    Fourth flight   16:16 - 18:00                        18:00 - 20:00                        from 20:00
    Final flight    19:00 - 21:00                        21:00 - 22:00                        from 22:00

    Bank of Russia tariffs for payments made through BESP are higher than for discrete mode.

    Transfers from banks' own funds


    So far we have discussed how banks execute customer payments. Now let us consider how a bank makes its own payments, for example for buying paper, paying for electricity, communication services, etc.

    By and large, everything is done exactly as with customer payments, except that the bank pays not from a settlement account but from one of its correspondent accounts. This fact often confuses the bank's inexperienced counterparties, who insistently ask the bank for its settlement account number, whereas banks usually do not have settlement accounts. The rest is the same: a payment order is formed and sent to the bank where the correspondent account is opened; that bank executes it and responds with an account statement.

    Conclusion


    In this part, we got acquainted with the basic principles and mechanisms of cashless transfers of funds in the Russian Federation. In the next part, we will consider the bank's IT infrastructure used for transfers, and in particular the part responsible for correspondent relations with the Bank of Russia.

