Core Banking Solutions
For,
ICITSS – CA
ICAI
What is Core Banking?
• Core banking is a banking service provided by
a group of networked bank branches where
customers may access their bank account and
perform basic transactions from any of the
member branch offices.
• To understand this concept, let's first
understand what banking is.
[email protected] 2
Banking
• The word 'bank' is used in the
sense of a commercial bank.
• It is of Germanic origin though
some persons trace
its origin to the French word
'Banqui' and the Italian word
'Banca'.
• It referred to a bench for
keeping, lending, and
exchanging of money or coins
in the market place by money
lenders and money changers.
Banking
• Banking is associated with finance
• A bank is an institution that takes care of
people's finances.
• A bank is a place where people deposit their
spare funds for which they earn some interest,
while others can borrow if they require by
paying some interest.
Traditional Banking System
• In a traditional banking system, an individual or a firm
that opens an account with the bank can transact
only through that bank or branch.
• E.g., if you have opened your account with SBI bank,
Ring Road Branch, then your transactions will be
limited to such branch.
• This means:
– To deposit the money,
– To withdraw the money,
– To transfer your funds,
– To deposit your cheques, etc. you will have to visit your
branch.
Traditional Banking System
• In TBS, the transactions are limited to the
branch of your bank.
• In case of any transaction happening outside
of the branch, you will have to wait for such
funds to be reflected in your branch for days.
• In TBS, one cannot deposit money from any
other branch or city.
• This became a limitation for people doing
multicity and multinational business.
History of Banking - Video
Core Banking System
• Core banking is a solution to the issues of the traditional
banking system.
• In CBS, though your account remains with the home
branch, you can access your account from any branch
of the same bank.
• Meaning, if you have your account in SBI Ring Road Branch,
you can still access your accounts from any SBI branch
within the nation.
• Meaning, you can make deposit and withdrawal
transactions from any branch of the same bank.
• This is because the bank now maintains a central database
of the accounts that can be accessed from any branch of
the nation.
CBS Working
Core Banking
• This word is more often used by bankers and
now-a-days postal officials are also using it.
CBS is an acronym of Core Banking Solutions.
One may wonder what the meaning of
core is; core is also an acronym. It stands
for "Centralized On-line Real-time Exchange".
Core Banking
• Core Banking Solution (CBS) is a networking of branches
which enables customers to operate their accounts and avail banking
services from any branch of the Bank on the CBS network,
regardless of where he maintains his account. The
customer is no more the customer of a Branch. He
becomes the Bank’s Customer.
• Another interesting fact regarding CBS is that all CBS
branches are inter-connected with each other.
Therefore, Customers of CBS branches can avail various
banking facilities from any other CBS branch located
anywhere in the world.
Core Banking Technology
Core Banking Technology
Transaction Validation in CBS
• Application server hosts the core banking application
like Finacle, Flexcube, Quartz or Bankmate, etc.
• This server has to be a powerful and robust system as it
has to perform all the core banking operations.
• The branch does not have the entire application. It will
have only a version which is called the “client version”
of the application.
• The client version of the application is capable only of
entering the data at the end point, that is, the branches.
Transaction Validation in CBS
• Validation is a process carried out by the computer to
ensure that the data fed in conforms to certain
prerequisite conditions.
• E.g., if an operator keys in data for a withdrawal of money,
the operator would naturally enter the account number of
the customer.
• But there would be a built-in control so that further
processing would be entertained only after the system
verifies that the account number now entered is
already in the data base, i.e., it belongs to an existing customer.
• After the data is validated at the branch, it would be sent to
the application server in the centralised data centre.
Transaction Validation in CBS
• The application server (which houses the banking software), after
receiving the data, performs the necessary operations and updates the
central data base.
• For example, a deposit of Rs.10000/- by customer “A” is passed on to the data centre.
• The application server performs the necessary operations and
updates the account of customer “A” in the data base server.
• The customer may do some other operation in branch “Y”. The
process is validated at branch “Y” and the data is transmitted to the
application software at the data centre.
• The results are updated in the data base server at the centralised
data centre.
• Thus, whatever operations a customer may do at any of the branches
of the bank, the accounting process is centralised at the data centre
and the results are updated in the centralized data base.
Transaction Validation in CBS
• The application software in the application server should always
be the latest version, as accepted after adequate testing.
• The application software is never static and would require some
changes to be effected, either due to any bugs discovered, a
change in the process, or any other justified reason.
• Such changes are never made directly into the live application
server.
• These changes are made to a separate server called a test server.
The programs are debugged and certified that the program is now
amended as required and performs as expected.
• The changed and latest application software will be moved into the
application server under proper authority. Earlier version would be
archived.
• The latest copy of the software would always have a back up copy.
Components of CBS
• Data Centre
• Data Networks
• Database Servers
• ATMs
• Internet Banking
• Antivirus Software
Database Servers
• The Data Base Server of the Bank, as already observed, contains the entire data of the Bank.
• The data would consist of the various accounts of the customers, as also certain master data.
Examples of master data are base rates, FD rates, the rate for loans, penalty leviable under different
circumstances, etc.
• Application software would access the data base server.
• The data contained in the data base has to be very secure and no direct access would be
permitted to prevent unauthorised changes.
• Strict discipline is followed regarding the maintenance of the data base server. There is a
designated role for maintenance of the data base. This individual who performs the role is
called the Data Base Administrator. His activities will also be monitored as all changes made
would be recorded in a Log. Scrutiny of the log would disclose the type of activities and the
effect of such activities.
• Security aspects of data base server are an audit concern. Apart from the normal application
server, the Automated Teller Machine server (ATMS) and Internet Banking Application Server
(IBAS) would also access the Data Base Server. However, it would be only through VLAN.
• It must be noted that whatever operation the customer has performed, whether at
the branch, through ATM, by Internet, mobile banking or any other alternate delivery
channel, his account at the Centralised Data Base would be updated.
ATM Server
• This server contains the details of ATM account holders.
• Soon after the facility of using the ATM is created by the Bank, the details of such
customers are loaded on to the ATM server.
• When the Central Data Base is busy with central end-of-day activities or for any
other reason, the file containing the account balance of the customer is sent to the
ATM switch.
• Such a file is called Positive Balance File (PBF).
• Till the central data base becomes accessible, the ATM transactions are passed on the
basis of the balance available in the ATM server.
• Once the central data base server becomes accessible, all the transactions that
took place while the central data base was inaccessible would be
updated in the central data base.
• This ensures not only continuity of ATM operations but also ensures that the
Central data base is always up-to-date.
• The above process is applicable to stand alone ATM at the Branch level. As most of
the ATM are attached to central network the control is through ATM SWITCH only.
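The stand-in flow described on this slide, sketched as an added example (not code from the presentation or from any core banking product). The class names, status strings and the journal id format are assumptions made for the illustration, and the balances are constructed sample data.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str        # unique per ATM transaction, makes replay idempotent
    account: str
    amount: Decimal


@dataclass
class CentralDatabase:
    """Stand-in for the central data base server (constructed for this example)."""
    balances: dict
    online: bool = True
    applied: set = field(default_factory=set)   # entry ids already posted

    def export_pbf(self):
        # Positive Balance File: snapshot of balances sent to the ATM switch.
        return dict(self.balances)

    def post(self, entry):
        if not self.online:
            raise ConnectionError("central data base not accessible")
        if entry.entry_id in self.applied:
            return False                         # already posted, ignore replay
        self.balances[entry.account] -= entry.amount
        self.applied.add(entry.entry_id)
        return True


class AtmSwitch:
    """Authorises withdrawals online, or against the PBF while offline."""

    def __init__(self, central):
        self.central = central
        self.pbf = {}
        self.journal = []                        # stand-in transactions to replay
        self._seq = 0

    def load_pbf(self):
        self.pbf = self.central.export_pbf()

    def withdraw(self, account, amount):
        amount = Decimal(amount)
        if amount <= 0:
            return "DECLINED_INVALID_AMOUNT"
        self._seq += 1
        entry = JournalEntry(f"ATM-{self._seq:06d}", account, amount)
        if self.central.online:
            if self.central.balances.get(account, Decimal(0)) < amount:
                return "DECLINED_INSUFFICIENT_FUNDS"
            self.central.post(entry)
            return "APPROVED_ONLINE"
        # Stand-in mode: only accounts present in the PBF can be served, and
        # the local balance is reduced so the same funds are not paid twice.
        if account not in self.pbf:
            return "DECLINED_NOT_IN_PBF"
        if self.pbf[account] < amount:
            return "DECLINED_INSUFFICIENT_FUNDS"
        self.pbf[account] -= amount
        self.journal.append(entry)
        return "APPROVED_STANDIN"

    def reconcile(self):
        """Replay journalled transactions in order; return how many were posted."""
        posted = 0
        while self.journal:
            try:
                if self.central.post(self.journal[0]):
                    posted += 1
            except ConnectionError:
                break                            # still offline, keep the rest
            self.journal.pop(0)
        return posted
```

The journal is only emptied entry by entry after a successful post, so an interruption during replay neither loses a transaction nor applies one twice.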
Internet Banking Database Server
• Just as in the case of ATM servers, where the details of all the account holders who have ATM
facility are stored, the Internet banking data base server stores the user names and passwords of
all the internet banking customers.
• IBDS (Internet Banking Data Base Server) software stores the name and password of
all the internet banking customers (please note that the ATM server does not hold the PIN
numbers of the ATM account holders).
• IBDS server also contains the details about the branch to which the customer belongs. The
Internet Banking customer would first have to log into the bank’s website. The next step
would be to give the user name and password.
• The Internet Banking software which is stored in the IBAS (Internet Banking Application
Server) authenticates the customer with the log in details stored in the IBDS.
• Authentication process as you know is a method by which the details provided by the
customer are compared with the data already stored in the data server to make sure that the
customer is genuine and has been provided with internet banking facility.
• The IBDS is located in a demilitarised zone.
• It has a separate VLAN that connects a proxy server, mail server, web server and IBAS.
Internet Banking
• Internet Banking refers to banking transactions routed through the
Internet.
• This facility permits registered customers of the bank to perform banking
operations at any time of the day from any computer - now it may also be
possible to do it from a cell phone.
• No doubt, Internet Banking facilitates banking through the medium of
internet. However, it also needs specialized software and hardware. The
internet as you all know is a public network. Hence proper security
features are built into the system to maintain confidentiality and integrity
of the data that is being transferred through the internet.
• Some Banks provide this facility automatically soon after a customer
opens an account with them. Some others require a special request from
the customer to provide this facility.
• The main components of Internet banking system consist of Web Server,
Internet Banking Application Server (IBAS), Internet Banking Data Base
Server (IBDS), Middleware, and Central Data Base Server.
Internet Banking Video
Anti Virus Software in CBS
• In the Core Banking Solution as there is a Centralised Data Centre
and also as there was a Centralised Data Base server, application
server etc., the Anti Virus Software was also available only in the
Centralised Data Centre.
• This copy of the Anti Virus Software was updated promptly and
regularly at the Data Centre and pushed into all of the servers and
into all the systems in the branches by the push pull method.
• Some banks, for back up purposes as also for business
continuity planning, had decided to have servers in
different branches.
• All the servers also were updated with the latest Anti Virus
Software automatically every day as day beginning operations.
Anti Virus Programme in TBA
• In the pre Core Banking Solution scenario, when Total Branch
Automation systems were in force, updating the Anti Virus Software
was yet another problem.
• As separate servers, not connected to each other or to the Data
Centre at the head office, were in existence, each of the servers had
to be updated with the latest version of the Anti-Virus Software
separately.
• While in theory, it was agreed and presumed that all of the
branches would have latest version of the Anti Virus Software, it
was practically not so.
• As each one of the servers had to be updated manually with the
latest version, the logistics proved to be inadequate with the result
different versions of the Anti Virus Software were in existence in
the different servers in the various branches.
TBA Vs. CBS
• Total Branch Automation System is what
existed before CBS
• It is the successor of ALPM (Advanced Ledger
Printing Machines)
• Components of TBA
• Issues of TBA
Total Branch Automation (TBA)
• In the Total Branch Automation system each branch
was performing the branch operations in totality at the
respective branch.
• The final output was transmitted to the head office.
The data was transmitted either on a CD or a Floppy.
• The information on this media was processed at the
Central Office for consolidation of accounts and
preparation of reports.
• Each branch was self-reliant inasmuch as all the
information regarding the branch operations was
available at the server located at the branch.
TBA Technology
• There would be a server which would be either in the
Branch Manager’s room or more commonly kept in a
separate air conditioned enclosure with a separate
entrance, so that entry to the server room can be
restricted.
• At the most the Systems Administrator may be inside the
cabin along with the server.
• There would be four or five nodes or more depending upon
the need of the branch or the volume of transactions. Each
of the nodes would be connected to the server.
• The server would have the application systems as also the
data base.
TBA Technology
• The bank as a whole would have one banking software which might have been
developed in-house or purchased from an outside vendor.
• A copy of this software is loaded in each of the servers in all the branches of the
bank.
• The server also hosts data base of the branch.
• The data base would have a master data, and all the details of the transactions
entered into.
• The master data consists of the data relating to standing information like the name and
address of the customer and the interest payable on all Deposits.
• This would have the details of interest payable for various Deposits with different
tenures eg. 8.5% pa, 9% pa 9% for two years and so on.
• Additional/ concessional interest for senior citizen, staff members, educational
loan for girl child, various concessional rates during festive seasons etc.
• Transactions of the customers would be stored account-wise, so that it would have
the opening balance and the details of the transactions which have taken place.
• The application software which is also residing in the server at the branch actually
does the banking operations.
TBA Vs. CBS
TBA                                              | CBS
Branch based                                     | Centralized Solution
LAN                                              | WAN
Branch wise EOD                                  | Centralized EOD
Decentralized Interest and charges application   | Centralized application of interest & charges
Version incompatibility                          | Bank wise same version
Amalgamation required for bank wise report       | Centralized report for Bank as a whole
Less costly                                      | High initial cost
Branch wise database                             | Bank wise database
Branch level Operator, DBA                       | Bank level DBA, System admin
Data Centre and Network Connectivity
1. Application Server
2. Database Server
3. ATM Server
4. Web Server
5. Antivirus Server
6. Internet Banking Application Server
7. Internet Banking Data Base Server
8. Proxy Server
9. Mail Server
1. Application Server
• An application server is
a component-based
product that resides in
the middle-tier of
a server centric
architecture. It provides
middleware services for
security and state
maintenance, along
with data access and
persistence.
2. Database Server
• A database server is a computer program that
provides database services to other computer
programs or to computers, as defined by the client–
server model. The term may also refer to a computer
dedicated to running such a program. ...
Most database servers respond to a query language.
4. Web Server
• A Web server is a
program that uses HTTP
(Hypertext Transfer
Protocol) to serve the
files that form Web pages
to users, in response to
their requests, which are
forwarded by their
computers' HTTP clients.
Dedicated computers and
appliances may be
referred to as Web
servers as well.
Proxy Server
• A proxy server is a dedicated computer or a software
system running on a computer that acts as an
intermediary between an endpoint device, such as a
computer, and another server from which a user or
client is requesting a service.
Mail Server
• A mail server (or email server) is a computer system
that sends and receives email. ... Mail servers send
and receive email using standard email protocols. For
example, the SMTP protocol sends messages and
handles outgoing mail requests.
Functions of IT Dept. in CBS
• Security Administration
• System Administration
• Database Administration
• Network Administration
• Librarian
• Change Management Procedures
• Application Software
• Organization Structure of IT Dept.
Security Administration
• It is advisable and necessary for all organizations including banking
to have a security policy which is approved at the Board level. The
officer in charge of the security administration is expected to
understand the policies and procedures mentioned in the security
policy.
• He should be able to assess the risks for non compliance. His duties
would include deciding on access rules to data and other IT
resources.
• There will be a separate set of people who will issue user IDs
and passwords and manage them.
• Monitoring the security architecture constantly with a view to
ensuring that there are no weak points which can be exploited is
the duty of security administrator.
• Security administrator should not have any access to transaction
level data.
System Administration
• The Systems Administrator has the powers to create,
modify and delete users in accessing the system.
• The individual is to be technically competent. He is also
expected to have a proven record of integrity. His duties
would briefly include the following:
– User creation
– User deletion
– Locating a branch code and providing connectivity to the branch
– Creation of new products
– Defining interest rates for deposit loans and other products.
– Be responsible for processing of end of day operations and
beginning of day operations.
– Be responsible for introducing latest application of the program.
Database Administration
• As the very name indicates, the Data Base Administrator is
the custodian of the bank’s data.
• He is responsible for ensuring that access is given to the
Central Data Base in a secure manner in line with business
requirements.
• His responsibilities would include
– Ensuring data integrity
– Ensuring data availability
– Ensuring security of access to data
– Importantly ensure recoverability of data in case of system
failure
– Maintaining size and volume of database and corresponding
processes
Network Administrator
• Networking, generally and more specifically in a core
banking environment plays a very significant role.
• The Network Administrator has the following
important responsibilities:
– To place routers, switches and hubs at the appropriate
places and ensure a secure network configuration.
– Sensitive devices like firewalls and intrusion detection
systems/ IPS need to be strategically placed to ensure
security for the network.
– At periodical intervals arrange for vulnerability assessment
and penetration tests to take corrective action whenever
these tests throw up weak points.
Librarian
• In a computerised environment, the Librarian has got similar functions excepting
that instead of dealing with books, he will be dealing with software.
• As we are aware, the software, which is being developed and tested, would be
cleared as a complete product ready for use by the Project Leader. Such a program
then moves from a test environment into the production environment. But there is
an intermediary process by which the Project Leader hands over the finished
product to the Librarian.
• The Librarian maintains records of the various versions of the program, just as
we have different editions of a book,
and generally a later edition is expected to be an improvement over the earlier one.
Similarly, software may have different versions and it is extremely important to
number them; this number is referred to as the version number.
• The Librarian has the following responsibilities:
– Moving the correct version of the software into production environment.
– Maintain detailed documentation of all receipts and issues of software.
– Keep a record of all licenses obtained for the usage of software.
– Be in charge of user manual and system manual
Change Mgt. Procedures
• In the normal course, due to any change in the business process,
upgradation of technology, or program bugs discovered
subsequent to implementation, changes are warranted in hardware,
software and communication systems.
• There needs to be a well documented procedure in place and a
strict adherence to such procedure.
• Changes to hardware and communication systems need to be
entered in a register apart from a softcopy of the register being
available on the system. The latest copy of the network program
should always be available.
• These documents should always be maintained up to date
incorporating all the changes and the dates when such changes
have been incorporated.
Application Software
• There needs to be a control on the various versions of software. At the stage of
initial implementation of the software (for the first time software which has been
debugged thoroughly moved from the test environment to the production
environment) a specific version number should be provided e.g. CBS Version No:
1.1.
• There needs to be a document which contains details regarding the Version No.
and date of implementation.
• There should be a specific request from an authorised person like the Manager of
the user department.
• The request should be approved by the person in charge of the Systems
Department.
• Changes to programs should necessarily be made in the test environment.
• After thoroughly debugging the program, the corrected program would be handed
over to the Librarian.
• The Librarian would then give the next Version No. for the changed program, e.g.
Version No: 1.2 (as compared to the previous Version No:1.1).
• The documentation would contain details of the changes made and the date when
it was made.
Organization Structure of IT Dept.
• The standard for the organization structure for the IT Department is the
same whether it is a banking environment or any other. The standards
stipulate as follows:
– Production environment should be different from development environment.
– In the development environment all aspects of the program viz., functionality, built in
controls, etc., will be tested by both the users as also the programmers.
– The programmers would test it first and then it would be provided to the user
department for them to test it. This version is called the ‘beta version’. Various types of
tests like unit test, system test, and integration test are conducted at this stage.
– After it has been tested by the users also, the Project Leader would hand over the
software copy to the Librarian, who after completing the necessary documentation,
transfers the program into the production environment. This is also known as user
acceptance test (UAT).
– No one in the development and testing environments should have access to the
production system.
– Production system is in a live environment and is accessible only by authorized users.
– Under no circumstances, should there be any connectivity between a test server and a
production server.
Organization Structure of IT Dept.
• Incompatible Function:
– There are certain incompatible functions which under no
circumstances should be performed by the same individual. The
Matrix provided below highlights the functions which are
incompatible and those which are not.
Columns, in order: Help Desk | DBA | Network Admin | Security Admin | Tape Librarian
Help Desk        ------ X X X
DBA              X ------- X
Network Admin    X X ------ X
Security Admin   ------ X
Tape Librarian   X X X --------
Operations of CBS Branch
• Branches in a Core Banking Solution do not have
independent operation in the sense that a copy of the
application software or a copy of the database of the
customer is not separately available in the branch.
• Branches are connected to the central data centre, wherein
there are separate servers housing the application
software, data base as also antivirus software.
• Users at the branch have to be created by the System
Administrator at the central data centre after due
authorisation by the Branch Manager.
• Even a Branch Manager will not be able to create his own
user access rights as everything is centralised.
Operations of CBS Branch
• At the Branch all operations that take place normally in
a banking environment do take place; however, all
master data are parameterised at the central office
e.g., FD rates for various time periods, penalty, interest
payable for premature closure, rates for different loans,
interest rates applicable for staff members for loans
and deposits, rates applicable to senior citizens etc.,
are to be decided centrally and parameterised at the
central office.
• There is no possibility of any changes being made at
the Branch as they have no rights to do so.
Operations of CBS Branch
• Access Control Procedures
• Server Related Procedures
• Physical and Environmental Controls
• Network Related Procedures
• ATM Configuration
• Business Continuity Planning & Disaster
Recovery planning
Access Control Procedures
• The system should prompt for change of password during the first
log in.
• There should be a maximum number (usually 3) of failed log in
attempts. The rationale for this requirement is to prevent multiple
guesses being made by unauthorized user.
• There should be a procedure for reviving accounts which
have been deactivated.
• All USB ports and CD-ROM drives should be disabled. This is
necessary both to prevent unauthorised data or software being
loaded and to prevent any leakage of data and information.
• If this facility is not strictly adhered to, the possibility of virus being
introduced into the system is very high & there is a chance of data
loss/ leakage to unauthorized user.
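The first three controls on this slide (password change at first log in, a limit of 3 failed attempts, and a procedure for reviving deactivated accounts) as an added example; it is not code from the presentation or from any banking product. The class, the status strings, the PBKDF2 parameters and the rule that a revival must be authorised by someone other than the account holder are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3      # "usually 3" on the slide
PBKDF2_ROUNDS = 100_000      # assumption: value chosen for the example


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserStore:
    def __init__(self):
        self._users = {}
        self.audit = []      # (event, user_id) tuples for later scrutiny

    def _set_password(self, rec, password):
        rec["salt"] = os.urandom(16)
        rec["hash"] = hash_password(password, rec["salt"])

    def _matches(self, rec, password):
        # Constant-time comparison of the stored and the computed hash.
        return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

    def create_user(self, user_id, initial_password):
        rec = {"failed": 0, "locked": False, "must_change": True}
        self._set_password(rec, initial_password)
        self._users[user_id] = rec
        self.audit.append(("CREATED", user_id))

    def login(self, user_id, password):
        rec = self._users.get(user_id)
        if rec is None:
            return "INVALID"                 # same answer as a wrong password
        if rec["locked"]:
            self.audit.append(("LOCKED_ATTEMPT", user_id))
            return "LOCKED"                  # even the right password is refused
        if not self._matches(rec, password):
            rec["failed"] += 1
            if rec["failed"] >= MAX_FAILED_ATTEMPTS:
                rec["locked"] = True
                self.audit.append(("LOCKED", user_id))
                return "LOCKED"
            return "INVALID"
        rec["failed"] = 0
        return "PASSWORD_CHANGE_REQUIRED" if rec["must_change"] else "OK"

    def change_password(self, user_id, old, new):
        rec = self._users.get(user_id)
        if rec is None or rec["locked"] or not self._matches(rec, old):
            return False
        if new == old:
            return False                     # the issued password must not be kept
        self._set_password(rec, new)
        rec["must_change"] = False
        self.audit.append(("PASSWORD_CHANGED", user_id))
        return True

    def reactivate(self, user_id, temp_password, authorised_by):
        rec = self._users.get(user_id)
        if rec is None or not rec["locked"] or authorised_by == user_id:
            return False                     # nobody revives their own account
        self._set_password(rec, temp_password)
        rec.update(failed=0, locked=False, must_change=True)
        self.audit.append(("REACTIVATED_BY_" + authorised_by, user_id))
        return True
```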
Server Related Procedures
• Generally there should be no servers available at the
branch. However in some instances a local server is
installed to get over slow connectivity problems.
• Under such circumstances, the local server serves as a
temporary storage.
• The discipline connected with the local server is as
important as any server and there should be a specially
designated branch system administrator who would be
having a specific password to access the server.
• A copy of the password should be kept in a sealed cover
under the control of the Branch Manager, so as to enable
him to utilize the same should the system administrator of
the branch be not available on any day.
Physical and Environmental Controls
• Moisture and temperature in the room where the
server is located should be under control.
• There should be no inflammable material stored in the
server room.
• In some instances, it is not uncommon to find bundles
of paper and some thermocol boxes being stored
safely in the server room which need to be reused
immediately.
• There should be a fire extinguisher in the room, which
should always be in an active condition with the refills
of gas being done at regular intervals or there should
be other mechanized process for extinguishing the fire.
Network Related Procedures
• Network devices like the router, switches and hubs
should be secured.
• Unused routers, switches and hubs should be
protected; if not, they could be misused and there
could be not only unauthorised use of the system but
also leakage of important data.
• All network cables should also be protected properly.
There are instances when these cables are running
outside the building without being properly encased.
• Unprotected cables have the potential for being
hacked.
ATM Configuration
• ATM cards which are waiting to be handed over to the customers should be secured under
lock and key.
• There should be regular reconciliation procedures for the stock of ATM cards.
• There should be procedures to update core banking solutions with details of cards issued to
the customers. This would prevent the possibility of usage of the card before it is issued to
the customers.
• Frauds do occur when ATM cards and Pin mailers are not kept separately & securely.
Especially the ATM cards should be with one officer and the Pin Mailer should be with
another officer. Under no circumstances should both the ATM cards and Pin Mailers be kept
together. When they are kept together any employee can pick up the ATM card and a pin
mailer with similar address and try using them fraudulently at the ATM. Such occurrences of
fraud have been reported several times.
• When ATMs are attached to the branch, there should be procedures for loading cash,
recording and reconciliation of cash.
• The master key of the ATM should be under dual control. The ATM journal rolls should be
stored safely in the branch as they form an important document for reconciliation purposes
& for detecting any unauthorized use/ transaction
• There should be strict procedures for dealing with swallowed card.
• There should be clear procedures for dealing with cash which is in the reject bin.
Business Continuity Planning and Data
Recovery Planning
• There should be a document detailing the Disaster
Recovery procedures as well as Business Continuity
Planning.
• There should be evidence of having created awareness
amongst the employees for action to be taken for DRP
and BCP.
• There should be evidence of periodic drills having
taken place. This would act as a proactive control.
• There should be clear documentation and alternate
connectivity being established by the banks with the
data centre in case of there being a breakdown in the
primary connectivity.
Security Controls at Data Centre & CBS
Branches
1. Information Security Policy
2. Access Control Procedures
3. Procedures connected with branch servers
4. Physical and environmental control for the servers
5. Network & Communication control
6. Limited verification of applications
7. Operations connected with ATM/ Internet Banking
8. Business Continuity Plan
9. Change control procedures
10. Others
Summary
• The following topics are covered in this presentation:
– Introduction to Core Banking
– What is Banking? History of Banking.
– Traditional Banking Vs. Core Banking
– Core Banking Working and Technology
– Transaction Validation in CBS
– Components of CBS
– Functions of IT Dept. in CBS
– Total Branch Automation System
– TBA Technology, Validation, Merits and DeMerits
– TBA Vs. CBS
– Organization Structure of IT Dept. of CBS
– Operations of CBS Branch
– Security Controls at Data Centre & CBS
Thank You
• You can follow the author on Twitter using
the following Twitter handle
– @DrVishalVaria