Critical risks during core banking transformations

What happens to your heart when it remains wide open during a surgery? In other words, how to manage critical risks when banks go through core banking transformations?

Banking transformations are like heart surgeries. As banks’ ultimate goal is to serve their clients in the best possible way and these services are provided through core banking, it is not hard to imagine that core banking is the heart of banks. So, what happens when you go through a heart surgery and your heart remains wide open for a certain period of time?

Unlike real surgeries that last a few hours, core banking transformations last couple of months. Therefore, critical risks that may be encountered during this period is highly elevated. As TechTarget states, the entire banking sector relies on core banking systems, even very small banks – regardless of their sizes, will be required to invest in information security policies and solutions to safeguard their customers, their own reputation, and for compliance during the transformation periods.

Risks are present at all corners. Many IT changes (program change, data migration, user configuration, etc.) are operated by bank’s IT admin and external consultants during the project. All these important changes need to be appropriately authorized, recorded, tracked and audited to ensure that the change in the management process is under control. An update in banks’ core-banking system may easily lead to an overlap of rights in various areas. This may have an impact on the transaction process and open the door to possible frauds. For example, migrating the data from the old to the new system may easily give an opportunity for fraudsters to manipulate data. It is essential to ensure that the security measures complying with the bank’s change management process are respected.

Access is an important ingredient in any bank fraud. Staff in certain crucial roles have generally greater user privileges than most of their colleagues. They will therefore have a much higher degree of access to the system and the ability to change and update it without necessarily attracting any scrutiny. During a major upgrade, in addition to the privileged users, many bank employees may find themselves with an uncontrolled access to the bank’s IT systems. This enables fraudsters to steal/alter sensitive information, execute illicit transactions and remove evidence of their activities. Activities such as changing the name of an account owner or an address will easily go unnoticed. 

Here is an example of a real fraud case that has happened at a bank. When the core banking system is not live for a certain period of time, some transactions may be performed manually. Staff compile false order withdrawals on behalf of the customer, not registering them in the customer’s file or card. Then, they manipulate interest accruals by increasing them fictitiously. Hence, the customer’s deposit is debited (the money is used for foreign exchange transactions) and the interest accrued (i.e. the liability side) is credited (Kristo, 2011).

Due to these critical situations, banks need to employ a powerful auditing process that is not only continuous but also multi-channel & multi-layer. A rigorous risk management should be planned long before so it is successfully implemented during the project. In particular, the activities of IT administrators and database administrators should attract special attention within a bank’s security monitoring and it is vital that staff such as these with high user privileges are not able to bypass audit trails and operate “below the radar”.

A robust IT admin monitoring is possible even during the high-risk periods when lots of system changes take place and there are gaps in the process. For instance, NetGuardians’ Command Tracking System (CTS) and SQL Tracking System (STS) is able to log any sensitive changes conducted on the bank’s IT infrastructure. It relies on a non-intrusive technology that provides real-time and continuous auditing of admin activities without zero impact on bank’s core banking. Even when users operate changes with generic admin accounts, banks are able to identify fraudsters thanks to the generic user account mapping with real user name. The technology also provides banks real-time alerts even when the non-compliant activities happen outside of business hours.

Used together with controls that are plugged into NetGuardians’ enterprise software platform, banks continuously analyze and correlate user activities and transactions from multi-channels (i.e. front office, back office, ATM, mobile banking, e-banking) and IT layers (i.e. network, operating system, databases, applications). Correlating activities from different channels and layers, banks are able to spot fraudsters even in the very early stages when they are preparing the fraud case. 

A core banking transformation is a project that involves an enormous amount of investment and time, along with critical risks that easily arise due to the gaps in process. Risk management should be properly planned before the core banking transformation and successfully implemented during and after this period. After all, you need to properly prepare your mind, body, and soul, take precautions before, during, and after a heart surgery.

I wish you all a healthy and prosperous life!


John Kiptum
NetGuardians Risk Consultant

Do you have questions?

You may learn more about banking fraud in our free eBook "A-Z of Banking Fraud 2016".

Kristo, Elsa (2011). Special conference paper: Being aware of the fraud risk. Bank of Greece Eurosystem.