Mumbai Mirror's 10th August edition has a cover page article that screamed about an ATM that eats up the customer's cash. On reading further, apparently someone had tinkered with the ATM machine such that it would debit a higher amount than what was actually withdrawn. In one of the cases mentioned, the customer withdrew Rs. 10,000 but was debited for Rs. 40,000. Another customer made a transaction of Rs. 50,000 but was debited for Rs. 200,000 thousand.
The article has generated a decent amount of comments on how ATMs are tinkered with.
In all this melee, there was something the bank, in this case Axis Bank, could have done. I am not going to lecture on how ATMs can be made more secured. That is not my area of expertise.
In a career spanning close to two decades, I have delivered multiple projects. As with every software project, the User Acceptance Test phase is the final stage wherein the end users test the software before signing it off for deployment. During every UAT, I always set some ground rules:
1. It is a system made by man and can definitely be broken by man.
2. If your objective is to break the system, you will definitely succeed and it is not a commendable thing to achieve.
I use the same rules for this scenario. The ATM has been designed by man and so can be broken by man. There is a manual process involved where access it permitted to a person and thus opens environment for tinkering.
In line with CRM, the question is what could the Bank have done?
In both cases mentioned, the customer was the one to complain to the bank. No doubt the bank would have refunded the money to the customer. But what about the customer who did not get the SMS message or did not check his account soon enough?
This is a perfect case for event or transaction based analysis. In both scenarios, withdrawal of such a large amount may not have been a regular transaction for the customer. In fact for the second case, withdrawal of Rs. 200,000 may have been a first.
The bank could have analysed the debits for each customer and been able to identify the unusual withdrawal by the customer. Based on past behaviour each customer may have a different threshold for identifying an unusual behaviour. The moment this unusal behaviour was identified, the bank should call the customer and confirm the withdrawal. When the customer denies the transaction, it would point to possible fraud. The bank would have various options now:
-- deactivate the debit card
-- noticing the ATM machine to be the same one, decommission it immediately so more customers do not face the trouble.
From a customer perpsective, the bank could have assured the customer that the transactions will be actively investigated and the amount credited back to the account if valid.
The benefit to the bank was that the customer would be comfortable thinking that the bank is looking into his case as well as the bank could have limited the customers exposed to the fraudulent ATM. And more important, imagine if the press article said -- that the bank identified the fraud and quickly protected more customers from facing the same by blocking the ATM. Now that article would be "priceless".
Thursday, August 11, 2011
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment