'There is nothing more powerful than an idea whose time has come'.

What does better customer service mean in today’s time? Increasingly, customers are demanding more convenient ways to do their banking. An Ernst and Young study (Technology in Banking 1997 Report) concluded that "Banking is not banking in today’s world if customers cannot get financial services when and where they wish. This means anywhere, at any time." Statistics show that ATMs, telephone banking, and home banking account for over fifty percent of all banking transactions today over the world, and total non-branch activity is growing at fifteen percent a year. In one survey, eighty-two percent of 18 to 34-year-olds polled, preferred banks with 24-hour service. As the younger "Pac-Man generation" ages, they and their techno-savvy children will make up a larger and larger portion of a bank's total customer base. Banks will absolutely have to offer their customers the ability to bank from their PC in order to remain competitive. Customers are also demanding a more sophisticated mix of products tailored specifically to their financial needs, and non-bank competitors are better fulfilling these needs. Banks today hold only 20% of household financial assets, versus 34% twenty years ago; they have 30% of business deposits, versus 42% only seven years ago. Non-bank credit card providers have gained inroads against banks, holding a 25% market share versus 5% in 1986.

Internet banking would offer an attractive solution to this imperative for redesigned products and services. Customers would have 24-hour graphical-interface access to their accounts and appreciate that the bank is doing something to make banking easier for them. Online banking software allows the bank to package together outsourced products and provide customers with an integrated snapshot of their financial assets and activity. Internet presence allows banks to extend their geographic reach and penetration without costly expansion.

This paper deals with the development of the Home Banking Solution by Citibank India and identifies areas where further enhancements could take place in the future to establish itself as a market leader in online banking.

The project was titled ' Enhancements in Home Banking ' and the duration was from 02 May 1998 to 01 July 1998. The project involved the performance of the following activities.

• Understanding the architecture & functionalities of the system

• Identifying future enhancements & issues of concern

• Designing prototype screens for proposed enhancements and online User Guide

• Documentation- functional specifications of the proposed system

• Coordination of activities between team members

The arrival of the internet has seen a rapid growth in the number of computer owning households all over the world. It is estimated that there are 40 million users over the internet world wide and growing rapidly. The population of the US web users grew from 1.6 million users to over 8 million users from last year to this year. With PC prices dropping the world over, more and more people are getting connected to the net it would not be too long before the internet is as common to modern day living as say a television is today. One (probably highly optimistic) survey predicted that in 10 years time the number of internet connections would outnumber the number of human beings on this planet.

Internet in India was established 10 years ago as ERNET. Currently ERNET operates many nodes and has a 64kbps link to USA via Mumbai. All major nodes of ERNET are connected using 9600 bits leased lines. These lines are being upgraded to 64 kbps links. International access is provided over a 64 kbps leased line from NCST Mumbai to USA. In August 1995, VSNL launched the Gateway Internet access Service in the country and has 6 internet nodes set up at Mumbai, Delhi, Chennai, Calcutta, Bangalore and Pune. In addition VSNL also has access nodes at Ernakulum, Cochin, Ahemdabad, Dehradun and Arvi and in co-ordination with DOT (Dept. of Telecom) launched Internet Services at Lucknow, Hyderabad, Kanpur, Chandigarh, Jaipur, Patna, Aurangabad, Gwalior, Goa, Pondicherry, Trivendrum, Mysore and Guwahati. The DOT also has a wide spread network in India called the I-NET, which has direct connectivity to each GIAS node. One can access GIAS from 99 cities in India by this means.

However the fact remains that the Internet Service is weak (and expensive) as compared to the developed nations like the US or Western Europe. VSNL (Videsh Sanchar Nigam Ltd. is the sole Internet Service provider in India and the service provided by it is restricted only to big cities and the metros. The Indian personal computer market is marked by a large number of low end PCs (486 machines with 4 MB RAM) which may not support higher level applications and cause poor response time. The only bank (other than Citibank) offering internet service at the time of writing this report is ICICI (Infinity). However Infinity is restricted mostly viewing account balances and activities and as of now supports no transfer of funds ( not even account to account transfers - though it is a planned enhancement).

In this scenario, Citibank India has decided to go in for a relatively low key entry into the online banking segment by launching it’s PC Banking Solution (referred henceforth as Citi Direct) for it’s staff in Madras and certain corporate customers in Bangalore. The bank has also made arrangements to enable these corporate customers (also called the NMB or New Millenium Banking customers) to access the CitiDirect Software through public places like the Cybercafes in Bangalore. The PC banking version of CitiDirect or ‘Home-banking’ is based on dial up through dedicated lines, the front end being a GUI mask incorporated using the C language and the back-end is Oracle which is the same as that for existing CASST (Customer Activities Self Service Terminal / IVR (Interactive Voice Recording) systems.

Internet Solution, as of today, is considered for Non Resident Indians in US who would need to carry out his banking back home like booking deposits, making payments through his/her accounts in India. However due to the nature of some of the transactions involved ( forex transfers) there would be legal considerations (RBI guidelines) to be taken into account and unlike PC Banking for domestic customers these transactions cannot be on a real time basis. The transactions carried out by the customer would be stored in terms of flat files at the application server side which in turn would generate a mail ( MAGMA) which would be processed by Citibank Staff at a later instance and the transactions would actually be carried out then.

The reasons for launching the internet version to the NR customer in the US are obvious. There has been a huge influx of Indian Software professionals into the US in recent times ( almost 80% of the H1 visas issued annually - 65,000 and a proposed increase to 1,25,000 are consumed by the Indians and this figure is growing). There is a requirement for a facility for these customers through which they would be able to perform their banking back home and internet banking is the ideal solution. Moreover these techno savvy software professionals are extremely computer friendly and have access to the internet from either office or home. Also the Internet service in the US is quite reliable and suited to internet banking with virtually every major bank in the US having an internet offering for it’s customers.

All in all, Citibank has been proactive in judging the market needs and fully justified in developing it’s online banking solution for it’s customers. However the question remains whether this product is being positioned as it should be? Also can there be any kind of enhancements effected through which this product can be made more popular with the customers. The answers to these questions are presented in the later parts of this report.

There are two versions of the homebanking system Citibank India has developed. The PC banking version (which has been launched for corporates like Cocil and Nike at Bangalore and can be accessed even from several cybercafes) and the internet banking version ( to be launched in the near future for the NR customer in the US)

The following are the major differences between the two versions.

From my study, I concluded that Citibank India is stressing on Internet / PC banking as a cost effective substitute to it’s existing systems like CASST, IVR, Citiphones,etc. The idea behind launching this product is to target the masses by providing facilities that are available on the existing systems like CASST and IVR on the PC, at the same time incurring no great cost to itself. Citibank is seriously considering approaching STD booth owners in the future by offering them soft loans inorder to install CitiDirect, so that the customer can use this service even if he/she does not have access to a PC. The launch of the PC Banking version at the Cybercafes in Bangalore is a clear indication of how Citibank plans to proceed on this front. Just how cost effective is the Online Banking Solution?

The following figure shows the overall cost incurred per transaction against the mode of transaction used. These figures apply to the banking industry worldwide and not to Citibank in specific.

The figure shows how much the home banking proposition (in specific - internet banking) would be to the bank. The figures are also dependent on the number of expected users and the capital costs incurred. Since there is no maintenance cost per se in internet banking, nor is there any distribution costs involved ( the user uses his own PC and internet connection) the overall cost per transaction reduces in the case of internet banking.

Banks spend less than $25,000 to establish their web sites, and spend less than $25,000 a year to maintain them. "When compared with the $1.5 to $2 million required to set up a traditional branch and the $350-$500K/year required to operate it, internet banking clearly represents an extremely cost-effective alternative to traditional branch banking networks. With its low-cost structure, attractive demographics, and innovative services, the internet is poised to present a real challenge to traditional forms of banking.

However it is not only the cost angle that gives online banking the cutting edge over the other systems. Infact it is very easy to fall into the trap of offering internet banking to the customers keeping only the cost advantage in mind and losing out on the other advantages. By these other advantages I mean the ability of the internet to interact with the customer, suit his/her needs through customisation and offering the facility through which the customer can not only communicate with the bank but also fellow customers and also get expert advise on matters concerning his banking needs.

Truly, what differentiates the internet from other systems like Citiphones and IVR is not only the cost effectiveness but the ability to let the customer bank the way he/she wants to bank. The customer can easily customise his application to suit his/her preferences. Obviously every customer would have a different preference as compared to any other. e.g Some customers would prefer seeing their date and amount formats in a particular way, others would prefer referring to their accounts not in terms of mere numbers but in terms of nicknames. Current Account no 11-22-89098991 could now be referred to by the customer as "Account from which to pay monthly rent to the landlord" as he does his/her banking over the net. This is the true reason why online banking can be termed as revolutionary and not only because it is very cost effective to the bank or easily accessible to the customer.

This section is not displayed as it contains sensitive information .

As is shown in the diagram, the internet banking facility is to be made available to the US NRI customers who would access the HBS server over the internet from the US. The customer would connect to the internet via the local service provider (eg. COMPUSERVE) and go to the CITIBANK home page on the World Wide Web. From here he would click on the CITIBANK INDIA icon to get access to the CITIBANK India Home Page which resides on the web server at New York. There would exist a firewall which would validate the user depending on his IP address as to whether he is entering through the proper channel or not. The customer then would choose the Direct Access option to gain access to internet banking.

Once the customer is requested for Direct Access he is routed via Singapore over 64 kbps dedicated lines through the (GRN) Global Router Network to the Home Banking Server in India at Madras (where he would be validated depending on his HPIN (Homebanking Personal Identification Number) and password by the SMS ( Security Management Server). In internet banking, the communication between the client and the Application server is through HTML instructions and Java scripts. The communication between the host and the APS is the same as in PC banking through MLI packets.

As far as PC Banking is concerned, this facility is available to the Indian customers i.e. Corporate Customers / Citibank Staff over Dial Up / XPAD respectively. In case of the dial-up version (for corporate customers) the customer connects to the Global Telecommunication Network ( GTN) via zetapad (Packet Assembler Disassembler with modems connected on either side to route the customer depending on whether he/she is a first time user or not ). For first time users, there would be an automatic download initiated to download the requisite software on the customer’s hard drive. Non first time users would be automatically connected to the home banking server. Incase of Citibank staff, their request would directly land on the GTN through XPAD to which they have access to. ‘Xyplex’ converts X.25 communications into TCP-IP and vice-versa. The HBS ( Homebanking Server) communicates with the APS (Application Server) over unix domain based escape sequences. The APS in turn communicates with the HOST through MLI (message layer interface) packets.

The communication flow and the protocols involved in internet banking and PC banking can be depicted as follows :

• See Account Balance -

• Multi Deposit Booking

• Portfolio Details

Citibank India is the only bank in India which offers some form of online transactions in it’s online offering. The current version includes the facility to pay the credit card bills, carry out account to account transfers between linked accounts and request for draft payment (self as well as third party). Future enhancements would include payments to third parties and maintenance of a payee list for the customer. (See Functional Enhancements for further details.) The following are the functionalities being offered currently.

• Payment Received

• Account to Account Transfer

• Draft Request

• Mail Box

• Cheque Book Request

• Deposit Slip Request

• Change HPIN

• Credit Line Increase

• Second Card Request

Allows for issue of a second card provided the customer is eligible for it.

• How To Use CitiDirect

• What’s New

• Interest Rates

The first phase of internet banking launch would be for the Non Resident Indians customers in the United States subject to a satisfactory ethical hacking test carried out by CISO ( ). The idea behind launching the Internet banking facility to the NR customer is to provide an easy method of managing funds from his/her residence in the US.. Subsequently it would be launched for the domestic customers depending on the market feasibility conditions and success of the NR launch.

The NR version of Internet Banking would differ from it’s domestic counterpart as well as it’s PC Banking version in the sense that it would be on a non real time basis as with NR accounts foreign currency accounts come into the picture. On identifying the customer as an NR customer the system would not allow any insert/delete/updates at the host level. Whenever a transaction is carried out by the customer (e.g an account to account transfer) a flat file would be generated at the Application Server Level which would be converted into a mail format and sent to the Citibank Operator over MAGMA (Citibank’s internal e-mail system). The transaction would be actually carried out by the operator keeping in mind the statutory requirements for foreign exchange transfers. At the time of the transaction by the customer, he/she would be shown a pop up screen indicating the details of the transaction and asking for a confirmation. Post confirmation the customer would be conveyed the number of days it would take for his transaction to be processed.

• See Account Balance

• See Account Activity

• See Currency Details

• See Holder Details

• Deposit Booking

• Portfolio Details

• Payment Received

• Account to Account Transfer

• Draft Request

• Withdraw from deposit

• Redeem Mutual Fund

• Cheque Book Request

• Deposit Slip Request

• Stop Payment Request

• Change HPIN

• How To Use CitiDirect

• What’s New

• Interest Rates

• FX Rates

Provides the current exchange rate between major international currencies.

As mentioned earlier, Citibank plans to allow it’s online banking facility to be used from public places like STD booths, Cybercafes, etc. Apart from the security issues (keyboard hacking, eavesdropping, etc) that arise from this plan, Citibank would also have to forego giving the customer the option to customise his application as multiple users would use the same PC to carry out their banking. The other option would be store customer preferences at the server level rather than the client PC . But this would mean a loss in performance and response time would increase.

From the study which I conducted, I concluded that Citibank should reconsider it’s strategy of targeting customers through public channels like STD booths, Cybercafes, etc. The reasons are manifold.

Firstly PC banking all over the world is regarded as personal banking. It is to be done using a personal computer. In the developed countries most of the people using online banking have a PC at home. The rest use their own PC at the office. It is safe for the banks in these countries to assume that the security of the customer’s PC is the responsiblity of the customer. ( Chase Manhattan’s internet offering goes to the extent of storing the customer’s password in plain text format at the PC level.)

Secondly, internet banking is the banking of the future. In a few years time almost all the major banks would go online thereby increasing competition. Apart from the functionalities, those banks which offer greater flexibility to the customer in terms of customising the application to suit his/her needs would be the most successful. If Citibank continues developing the application with the aim of offering it through public outlets and merely transposing existing physical products and processes over the net it would find it difficult to modify it later inorder to deliver true choice to the customer.

Thirdly, even if the homebanking facility is provided at public places like STD booths or Cybercafes, the question remains as to how many people would actually make use of this from these places. These logical assumption to make is that only those people who do not have access to a PC/ Modem and the internet would make use of this facility from public places. However, if they do not have access to a computer they would also not be computer friendly and would not be too confident / comfortable with the idea of handling their finances through the computer. Such customers would prefer using the existing CASST/ Telephonic systems to do their banking since all the transactions using the PC could be carried out using these systems.

The following are the enhancements suggested by me which could be given a thought and possibly implemented in the future. These enhancements have also been graded in terms of their complexity as follows.

Simple - Easy to implement in very near future without to great an impact on the existing system

Moderate - Implementation would cause some of the existing system to have to be modified.

Complex - A major change would have to be effected on the existing system inorder to implement

Whenever the customer logs into CitiDirect he/she should be presented with a dialog box showing when he/she had logged in the last time around. This would help the customer keep a track of his usage of CitiDirect as well as aid in maintaining security as any unauthorized access would be brought to notice of the customer if he/she has maintained a note of the number or time and date of the previous login session.

As mentioned earlier, the chief feature that distinguishes internet banking from the other systems is that it could be used by the customer to derive greater flexibility inorder to suit the application to the customer's own preference. Again the question is can such a customisation take place if multiple users are using the same PC to login to CitiDirect, as in public places like Cybercafes? In such a case the customer preferences would have to be maintained at the server level rather than at the PC (client level) which was cause a drastic reduction in performance as well as would be impractical. The customer preferences should be stored at the PC level thereby indicating that multiple users from one PC would not be able to customise their application to their convenience and would have to indicate their preferences each time they login if they wished to do so. Assuming that customer preferences would be stored at the PC level (through cookies, etc) the level of complexity of these enhancements would be from simple to moderate. A few such enhancements could be

• Specifying Favourites ( Simple)

• Setting Preferences ( Simple)

• Option of viewing / not viewing images ( Simple)

• Use of Cookies (Simple)

The customer should have the facility to download the information presented on the screen into a pre-specified format like an excel spreadsheet or in the format specified in major financial planning software (e.g Microsoft Money). The customer should also have the option of printing the screens to a file or a printer.

The customer should be able to view a summary of all the transactions/activities performed during the current session as well as in a previous session (upto a particular date, e.g upto one month before) in a summary table. This would enable the customer to review and confirm whatever actions he/she took during that particular session of CitiDirect. In addition to an option provided for displaying the summary screen, a confirmation pop up asking the customer whether he/she would like to view the summary screen for the transactions carried out in the current session should be shown when the customer requests for a logout from the current session. The transaction log should have the facility through which the customer can see his or transactions sorted date-wise or amount-wise.

Internet banking in India will truly take off once this facility is included in the CitiDirect. As of now this is a proposed enhancement and development on this module is planned to commence soon.

Through this facility, the customer would be able to issue cheques through his accounts to a third party and pay his/her bills online. Bill payments could be made to any of the payees in the customer's payee list. The bill payments facility should provide for the option of making one time as well as recurring payments ( e.g every week or every month, etc.). There should also be a facility for modifying / deleting any future payments. In addition, the customer should be able to make express payments by selecting two or more payees from his payee list and indicating the amounts to be paid to each and accounts from which the payments are to be made. Incase the payee has an account with Citibank, the funds transfer can be online else through cheques sent by mail.

A payee list implies a list of all those people the customer would make payments through his accounts using CitiDirect. The payee list should ideally reside on the client side and could be modified by the customer. This would include adding new payees to the list, deleting payees from the list, clubbing the payees under their categories (education, electricity, rent, etc.) and sorting them alphabetically.

During the course of my project I developed an online user guide for the internet banking application. This guide also contains a glossary of financial terms and other features which help the customer to use CitiDirect in the most convenient fashion. A review of this software should be conducted and this guide should be implemented in the final product.

All the banks offering online banking have a demonstration on the internet. This provides the customer the chance to get accustomed to online banking before actually putting it to use to carry out day to day business. The online demo should be made as interactive as possible, keeping in mind that in the future when all the banks are online, the customer would use the demo to select the bank he wants to do business with.

The internet banking application could be used to simulate future account balances using existing balances and interest rates and present the modeled values to the customer. The customer could also simulate the returns on various portfolio investments and select the optimum solution before actually investing. The customer having specified the monthly payments could simulate the end of the month balance before any payments have actually taken place to plan for future.

Apart from prepayment simulation the customer could also specify the budgeted amount to be allowed to be withdrawn from an account in a particular month. The customer could be warned that he/she is exceeding the budget in the event of overdraft. Similarly a comparison of budgeted versus actual expenditure incurred during a month could be presented to the customer.

Apart from an online handling e-mail service within the application, the 24 hr. customer support cell should answer queries from prospective customers and resolve them through script based Q & A sessions. The cell should also monitor end to end connectivity and response time for transactions inorder to identify bottlenecks and issues of concern. In the future this customer support cell could be enhanced to provide expert guidance to specific customer queries as well as provide a facility for a bulletin board and a chat site through which customers can interact with Citibank as well as with one another.

Given the current trend in the use of the internet these long term enhancements may have to be implemented sooner than expected. Almost anything and every transaction in the future would be done over the net. The definition of banks as we know them today is bound to change with internet banking coming of age. From opening an account to eventually closing it - everything could be done online. Apart from merely providing functionalities to carry out transactions Citibank should gear up for providing functionalities like

• Providing online quotes and accepting buy/sell orders from the customer
• Provide investment guidance to maximise returns for the customer by telling him whether he could transfer money from account A to B to maximise returns and so on.
• Trying to make CitiDirect the customer's financial planning partner by giving tips on spending, saving, investing, buying, borrowing by analysing the customer's previous banking pattern. ( data mining)
• Providing ideas on travel, dining, entertainment, latest product launches, etc.

At present, the NR version of internet banking is on a non real time basis with the customer being shown a confirmation screen after he/she carries out a transaction, indicating that his/her transaction would be processed and carried out after ‘n’ number of business days. The customer would only see the result of the transaction after it has been actually processed. E.g if the customer were to transfer 100 USD from his deposit account to his domestic savings account (INR) and his balance prior to this transaction in both the accounts was 10000 USD and 5000 USD (equivalent) then the customer would continue to see these figures in his account summary until the transaction is actually carried out at the database level which could take upto a few days atleast. Although the transactions happen on a non real time basis the customer could be shown the updated information which could be dynamically altered at an additional intermediate level.

The functional block diagram with an additional interface layer in between would look like:

The interface database design could be streamlined as much as possible by creating a record of only those fields which would affect the host tables once the transaction is actually processed . e.g In the above case if the customer transfers 100USD from his deposit account to his domestic savings account then this figure of 100USD could be stored in the interface layer database in two fields. One corresponding to the deposit account (with a -ve sign indicating a debit) and the other corresponding to the domestic savings account ( with a +ve sign indicating a credit). Subsequently when the customer queries on his balances, these values would be added to the values as retrieved from the host side databases. Thus, the customer would be able to get an updated picture of his holdings although the transaction may not have been actually processed at the host side. When the transaction is actually processed at the back end the corresponding fields at the intermediate level database would be nullified.

In addition to providing an updated picture to the customer, such an interface would also help in providing validation checks inorder to prevent the customer from carrying out transactions which would otherwise be invalid. e.g a request to withdraw more than the existing balance would result in a negative difference in the balance query thereby indicating that this transaction would not be carried out.

The existing PC banking version is based on a thin client application. This means that the software residing on the client side performs the minimal of validations and the bulk of the information processing is done at the application server level. The communication between the Application Server (APS) and the Client is via the Home Banking Server (HBS) in terms of Escape Sequences which both can understand. The APS dictates to the front end the screens to be shown, the information to be displayed in those screens (as retrieved from the host) among other things. The front end is a type of browser, which interprets the communication from the APS. As with any other browser, the front end sends the user inputs to the APS in terms of Escape Sequences to which the APS decides how to respond. The main drawback in the PC Banking application is that even if there is a small change/enhancement effected on the client application then each and every customer who uses the CitiDirect PC Banking Application would first have to download the new version of the client application onto his local drive and then use it. Although there is a facility by which the application is automatically incrementally downloaded incase there is a version mismatch of the client application with the latest version as residing on the download server, yet frequent unexpected downloads could cause the customer to be dissuaded from using CitiDirect.

If PC banking were to be converted into a browser based application there would have to be no special software to be provided by Citibank to the customer. All the customer would need is a standard browser readily available freely. The browser would interpret HTML instructions from the APS and would also support enhanced features like frames, tables, etc. The greatest advantage would be that the customer would not have to download any software from Citibank's Servers

on any occasion.

Overview :

How safe is operating a virtual bank account from home? If one can move one’s money around (the world) sitting at one’s desktop, someone can also force somebody to do the same. For example, a robber forces you at a gun point to transfer funds into an account of his choice, which can then be siphoned away in seconds without leaving a trace. Another example can be of an accomplice withdrawing cash from his account at an ATM. There is no time for him to raise an alarm; even if he does and the person is nabbed, there is no evidence against him. This lack of evidence is the crucial difference between a conventional holdup and a 'virtual holdup'. The latter can occur at millions of locations and it would be impossible to track them, let alone policing them. As here, almost every home and office becomes a potential point for a virtual holdup in the case of internet banking.

Moreover use of the homebanking application from public places where multiple customers would use the same PC for getting access poses another security problem. A virus program could be written and stored in PCs in such places that could capture keystrokes thereby capturing user ids and passwords ( HPIN). The result of this could be truly devastating.

From the study which I conducted which involved visiting various online banks and studying their internet banking applications I came to the conclusion that the standard security architecture employed by most banks is the 128-bit SSL protocol based security. At the time of authoring this report, Citibank India has in place a DES/ Triple DES encryption

The proposed security architecture involves use of SSL protocol using 128 bit encryption which is deemed unbreakable for all practical purposes all over the world. In addition to password protection, SSL would also provide server authentication using digital certification. SSL uses a pair of asymmetric keys for encryption and decryption. Each pair of keys consists of a public key and a private key. The public key is made public by distributing it widely but the private key is never distributed; it is always kept secret.

Data that is encrypted using the private key can be decrypted only with the public key. Conversely data encrypted using the public key can be decrypted only with the private key.

This asymmetry is the property that makes public key cryptography so useful as it allows for the perfect mechanism for mutual authentication. Customers can be sure that they are transmitting information to the bank and not a malicious third party. At the same time, the bank is assured that the data it receives is from an authorised customer and not an intruder requesting for a break in.

In order to maintain the highest standards of security Citibank India has to provide encryption using this latest technology which includes 128 bit encryption and SSL (Secure Socket Layer) enabling.

A web server which is capable of handling SSL communication (along with digital certification) would be required. However this would mean the listener process running behind the web server. i.e the web server would first decrypt the SSL enabled packets received from the client. Alternatively a plug in SSL module on the listener process itself would enable the listener process to decrypt the SSL encrypted packets.

Another impact which could result on implementation of 128 bit encryption is that there could be a performance deterioration. The difference between 40 bit and 128 bit encryption is one of capability. 128 bit encryption is exponentially more powerful than 40 bit encryption . 40-bit (international-grade) encryption means there are (2)^40 possible keys that could fit into the lock that could allow a login to CitiDirect ; but only one that works for each Online Banking session. So there are many billions of possible keys that could potentially get to one’s account information - but only one that works each time one banks online. However encryption using 128-bit key would also entail greater processing time which would result in a compensatory performance deterioration.

A third impact would be that the customer would need to have a 128-bit SSL enabled browser on his PC inorder to avail of the internet banking facility.

However in light of the major security concerns over the internet (every internet user is a potential hacker) the highest possible encryption standards would have to be employed. 128-bit encryption means there are (2)^128 possible keys that could fit into the lock that could allow a login to CitiDirect, but only one that works for each online banking session. So a hacker attempting to get access to CitiDirect would need to use a computer with exponentially more processing power than for 40-bit encryption to find the correct key. "128" and "40" bit encryption refer to the size of the key used to encrypt the message. Roughly speaking, 128-bit encryption is 309,485,009,821,345,068,724,781,056 times stronger than 40-bit encryption. 40-bit encryption is not considered "strong" security in the cryptographic community and has been cracked recently.. Even accounting for Moore's Law, which states that computing power doubles about every 18 months, 128-bit encryption represents a very strong method of encryption for the foreseeable future.

Both the bank and the customer have public and private keys of their own. The public key is a distributed number where as the private key is known only to the owner. In addition a digital certificate is provided to each authorised user ( which the user would have to store at the PC level) by the bank. The digital certificate issued by the bank contains the bank’s public key which is used by the customer’s browser to decrypt the messages sent from the bank’s server which have been encrypted using the bank’s private key.

To begin a transaction, the customer would use his or her browser to send a secure message via SSL to the bank, requesting for a login. This message would be encrypted using the bank’s public key stored in the digital certificate issued to the customer. Once the bank receives this message, it can decrypt it using it’s private key. On receiving this login request the bank would send a message encrypted using it’s private key to the customer’s IP address. Now only the customer would be able to decrypt this message . Once authentication is achieved a random session is generated and used for further communication. Random session key is a symmetric key (present at both client and bank) and encryption decryption is faster.

The communication process between the customer and the bank using these asymmetric pair of keys can be depicted as follows.

Citibank has indeed been proactive in anticipating the market needs of the future by launching it's online banking product in India. However, the development of this product should also be done keeping in mind the requirements of the future customer.

The focus should be on the requirements of the future customer rather than on merely transposing existing CASST / IVR / Citiphone systems onto the internet. Online banking should be looked upon as an entirely different market segment and not a mere cost effective substitute to existing systems.

The future customer would like to know much more than mere account balances over the net. He would want to get online information on whether he has too much money in one account and should he move it to some other account to maximise returns, on whether he should invest in a particular mutual fund given his risk preference, set up budgets for the future and gain expert advise on the bank over certain matters.

The customer would want to set his own preferences so that he is comfortable with the application and it communicates with him the way he wants it to.

All this and much more can be achieved over the internet. The idea is to start developing the application in that direction since it's inception itself. Some of the suggested enhancements in this report are very easy to implement and could provide the necessary impetus in that direction.

The internet is fast growing and with the improvement of security, bandwidth and other requisite infrastructure would soon become an integral part of the Indian Upper Middle Class. Every bank is bound to go online. What would ensure Citibank's success is it's strong customer focus and ability to give the customer what he wants. Today the customer wants to bank the way he wants. Internet banking offers the customer the opportunity to be his own banker and his PC - his relationship manager.

( Should be updated based on reader response and queries)

Cookies - Text files Set by the Web Server storing information which can be understood only by the web server that set it.

DES - Data Encryption Standards are a set of algorithms used to encrypt data over the internet.

Digital Certificate - A certificate is an tamper-resistant file that identifies the individual to whom it is issued and that provides you with tools so you can better secure communications with others. A certificate's contents depend on level of certificate it is. A basic certificate contains:

1. The name the owner gave the signing authority.
1. A digital signature unique to the owner.
1. A public key to match the owner's private key
1. A signature from the signing authority that issued the certificate.

Private Key - A private key is an decryption code, an SSL enabled browser generates when you obtain a certificate from an certificate issuer (signing authority). The browser stores your private key in your key database at the PC level and uses it to decrypt information encrypted with your public key.

Public Key - A public key is an encryption code your SSL enabled browser generates and stores in your key database and includes it with your digital signature when you sign an outgoing message or some other object you can sign and send. Whomever receives and stores your public key can encrypt and send information to you.

TCP-IP - Transmission Control Protocol/ Internet Protocol is the basic communication language or protocol of the internet. TCP-IP is a two layered program. The higher layer Transmission Control Protocol manages the assembling of a message or files into smaller packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message. The lower layer Internet Protocol handles the address part of each packet so that it gets to the right destination. Each gateway on this network checks this address to see where to forward the message. Even though some packets from the same message are routed differently than others, they’ll be reassembled at the destination.

TCP-IP uses the client server model of communication in which a computer user (client) requests for and is provided a service (such as sending a web page) by another computer (a server) in the network. Even higher application protocols use TCP/IP to get to the internet including World Wide Web’s HTTP, the FTP, Telnet, SMTP, etc. Personal computer users get to the internet through the Serial Line Internet Protocol (SLIP)or PPP(Point to Point Protocol).

X.25 - Communication protocol used at the host level at Citibank.

X-PAD - Packet Assembler Disassembler which aids Citibank staff to connect to the GTN.

Xyplex - Translator to convert X.25 protocol into TCP/IP and vice versa.

ZETAPAD - A PAD (Packet Assembler Disassembler) which is used for conversion of serial line protocol (modem communication) into X.25 protcol and routing request to the Home Banking Server.

• Existing documentation on the Home Banking System As maintained by Nucleus Inc. and Byzan Pvt. Systems Ltd.
• Online demos of Internet Banking of a multitude of banks including Wells-Fargo, Citibank- US, Chase Manhattan, Scotia Bank, Texas Bank, ICICI, etc
• Ernst & Young Report (1997) - Internet Banking in Europe
• Reports on Internet Banking Published on the site www.internet-banking.com
• E-mail communications with representatives of several banks regarding queries on internet banking.
• Security Considerations in Internet Banking - John Baroudi, Richard Young