
Information security in banks is one of the most interesting problems in practical security. The large sums of money that banks hold, together with the widespread adoption of online technologies and Internet payments, make banks attractive prey for attackers. And where there are problems, there must be solutions.
We present the results of a study on information security at one of a bank's most vulnerable points: the process of making cashless payments.
The study is quite extensive, so it will be published in parts. We start with the first part, which explains what non-cash payments are from an economic point of view.
Terms, definitions, assumptions and conventions
The purpose of the study is to systematize knowledge, solutions and experience in ensuring the information security of banks' cashless money transfers.
Information sources:
- open materials from the Bank of Russia website,
- legal information systems,
- materials and publications in the media,
- reports of security companies,
- personal experience and personal communication with colleagues.
Assumptions:
The standard scheme of organizational and technical cooperation between credit institutions and the Bank of Russia adopted in the Moscow region is taken as a basis.
When considering the economic basis, issues related to the collection of commissions and to accounting will be omitted.
Terms:
The study uses terms and definitions in the sense in which they are used in the current legislation of the Russian Federation.
Synonyms:
Bank = credit institution.
Cashless payment = transfer of funds.
Payments = settlements.
Cash vs. cashless payments
Historically, the first types of payments were cash payments. The buyer gave the banknotes to the seller, and in return received the product or service.
Fig. 1
Let us analyze the pros and cons of this form of payment from the point of view of the buyer and the seller, as well as from the point of view of the state's economy as a whole.
Analysis of cash payments from the point of view of the seller and the buyer

Pros | Cons |
---|---|
Gives the buyer and the seller maximum freedom and independence from third parties. The main thing is that banknotes are well protected from counterfeiting and that there are enough of them. | Significant inconvenience, and sometimes the impossibility, of making purchases without personal contact between the settlement participants. The need to keep cash safe. |

Analysis of cash payments from the point of view of the state

Pros | Cons |
---|---|
The historically established form of payment, to which the population is accustomed. | With cash payments, the money “settles” with the sellers and stops “working” until the seller spends it on a purchase. |
 | The state bears the infrastructure costs for the production of banknotes, their logistics and disposal. |
 | Cash transactions are almost not controlled by the fiscal authorities (tax inspectorate) and create conditions for the development of the shadow economy and tax evasion. |
Thus, from the state's point of view, cash settlements are an evil that it would gladly ban if doing so did not provoke a sharp protest from the population. And since a complete ban is impossible, restrictive measures are applied instead.
In Russia, in particular, it is established by law (Civil Code of the Russian Federation, Article 861; Bank of Russia Ordinance 3073-U of 10/07/2013) that only citizens, and only for personal purposes, can use cash without restrictions; for everyone else (individual entrepreneurs, legal entities, ...) the use of cash is strictly limited.
Non-cash payments, in contrast to cash settlements, imply the presence of a third trusted party between the seller and the buyer, an intermediary who, on behalf of the parties, performs settlements between them.
Cryptocurrencies, such as Bitcoin, Ethereum and others, allow payments to be made without intermediaries (not counting miners), but so far the status of these systems is not legally defined, and their description is beyond the scope of this article. Here we will consider only “classic” non-cash payments, where credit organizations (banks) act as the third trusted party.
Bank accounts and non-cash money
Non-cash payments are made using money in non-cash form. Let us consider the mechanisms for converting money from cash to non-cash form and back.
It all starts with the fact that a client, whether an individual, a legal entity or an individual entrepreneur, enters into a contract with a credit institution that has a Bank of Russia license for banking activities.
The client hands cash over to the bank; the bank accepts it and records it on a bank account opened specifically to track settlements with that client. If the client deposits money in the bank, the balance on this account increases; if the client withdraws money, it decreases.
After the client has deposited cash in the bank, it turns into non-cash money, which, greatly simplified, is not even money but the bank's obligation to perform certain services for the client, including cash withdrawal, money transfer, and so on.
In addition to deposits and withdrawals of cash, the balance of the client's bank account may increase and decrease due to non-cash transfers received from third parties and transfers made to third parties, respectively. It is important to note that non-cash money is not an obligation of the entire banking system, but an obligation of the particular bank where the corresponding account is opened. This becomes especially clear when the bank servicing the account goes bankrupt: the money (the account balance) seems to be there, but it is impossible to use it.
Bank accounts come in different kinds. Clients - individuals - open current or special card accounts in the bank. Clients - legal entities - open bank accounts with banks. Banks open correspondent accounts with other banks for settlements. Without going into details, all these accounts function in approximately the same way: an increase in the account balance increases the obligations of the bank in which the account is opened, and a decrease in the balance reduces them. For simplicity, from here on we will consider only operations on settlement and correspondent accounts.
At this stage, we will treat the bank as consisting of two main parts:
- the registry of bank accounts, containing the values of customer account balances;
- the bank's funds, consisting of all customers' money and the bank's own funds.
Fig. 2
One of the main sources of income for banks is lending. The bank gives money to a client for temporary use, and the client returns it with interest. To run this business, the bank needs money to lend. This is where customer money stored on accounts in non-cash form comes into play.
The basic idea is that the bank never holds all of its clients' money at once. Instead, the bank keeps statistics on customers' activity and “very accurately guesses” how much money they may need for current settlements. The bank uses the rest of the money for lending.
Payment mechanisms
Let us consider how a cashless payment is made between the payer and the recipient (hereinafter, we will call them clients) serviced in the same bank.
Transaction 1.
Client A makes a transfer to Client B. To execute it, the bank reduces the balance on the settlement account of Client A by the transfer amount and increases the balance on the account of Client B by the same amount. The total amount of money in the bank does not change.
When settling in cash, payments are always of the same type: the payer, of his own will, hands the required amount of money to the recipient. With non-cash payments, the settlement schemes may differ:
- the payer can, of his own will, order the bank to make a payment to the beneficiary from the funds on his bank account - settlement by payment orders;
- the beneficiary may request the bank where the payer's account is opened to make a payment in his favor, if there is an appropriate agreement with the payer or in cases stipulated by law. In this case, the payment can be made with the payer's acceptance - settlement by payment claims - or without acceptance - settlement by collection instructions;
- the payer and the beneficiary may agree that the bank will make a payment to the beneficiary provided that the latter submits to the bank the agreed documents confirming the transaction - settlement by letters of credit;
- and other forms, which can be found in paragraph 1.1 of Bank of Russia Regulation No. 383-P, dated June 19, 2012, “On the Rules for Transferring Funds”.
The most common form of payment is the settlement of payment orders.
Regardless of the form of payment used, the bank reports to the client on all operations performed on the client's account by providing a special document, the account statement.
The payment order and the account statement are the main legally relevant documents used by the client and the bank for accounting purposes and for resolving disputes in court.
It is important to note that once a payment has been received on the client's account and reflected in the account statement, the bank has no right to return it to the sender, even if it was made by mistake or maliciously. A refund is possible only by agreement with the recipient or by court order. The most a bank can do is, guided by the legislation on countering the legalization of criminal proceeds, block the funds in the recipient's account.
Note
The Civil Code of the Russian Federation (Article 1102, “Obligation to return unjust enrichment”) obliges the recipient to return the money to the sender if it was sent without grounds or in error.
Direct correspondent relations
Earlier, we looked at how the transfer takes place between customers served in the same bank. Now we will complicate the task and consider how payments are made between customers serviced in two different banks.
To conduct interbank settlements, banks must establish correspondent relations with each other. The essence of this relationship is that one bank (Bank 2 in Fig. 3 below) becomes a client of Bank 1 and opens a special bank account with it, called a correspondent account. After opening the correspondent account, Bank 2 deposits a certain amount of money into it, a kind of cash buffer within which Bank 2 customers can send payments to Bank 1 customers.
Fig. 3
To understand how this works, consider an example. Suppose Bank 2 has placed, say, 1 million rubles on its correspondent account with Bank 1.
Transaction 2.
Client C, serviced at Bank 2, wants to send, say, 500 thousand rubles to Client A, serviced at Bank 1. To do this, he prepares and submits to Bank 2 a payment order in which he names Client A as the beneficiary and 500 thousand rubles as the payment amount. Bank 2, having received the order from Client C, sees that the beneficiary of the payment is Client A, served by Bank 1. Bank 2 then sends Bank 1 an order to debit 500 thousand rubles from its correspondent account and credit them to the settlement account of Client A, and then Bank 2 reduces the balance on the settlement account of Client C by 500 thousand rubles.
Transaction 3.
Now consider an example in which Client B sends Client C 2 million rubles. To do this, Client B sends the corresponding payment order to Bank 1. Bank 1 debits 2 million rubles from the current account of Client B and credits them to Bank 2's correspondent account, after which it forwards to Bank 2 the payment order from Client B. On receiving it, Bank 2 increases the balance on Client C's current account by 2 million rubles.
After transactions 2 and 3, the balance on Bank 2's correspondent account will be 2.5 million rubles.
Transaction 4.
What happens if Client C sends Client A 3 million rubles? Everything will be the same as in transactions 2 and 3, except that the payment will not be executed until Bank 2 tops up the balance on its correspondent account with the missing 500 thousand rubles.
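Transactions 2 to 4 can be replayed as a small ledger. This is an added example, not code from the original article; it assumes Clients A and B are served by Bank 1 and Client C by Bank 2, and the opening client balances are constructed.

```python
class PaymentHeld(Exception):
    """The payment cannot be executed yet."""

class Bank1:
    """Keeps its clients' accounts and Bank 2's correspondent account."""
    def __init__(self, clients, corr):
        self.clients = dict(clients)   # client -> balance, rubles
        self.corr = corr               # Bank 2's money held at Bank 1

    def obligations(self):
        # Everything Bank 1 owes: to its own clients and to Bank 2.
        return sum(self.clients.values()) + self.corr

def pay_from_bank2(bank1, bank2_clients, payer, payee, amount):
    """A Bank 2 client pays a Bank 1 client (Transactions 2 and 4)."""
    if bank2_clients[payer] < amount:
        raise PaymentHeld("payer balance too low")
    if bank1.corr < amount:
        raise PaymentHeld(f"correspondent account short by {amount - bank1.corr}")
    bank1.corr -= amount               # Bank 1 debits the correspondent account
    bank1.clients[payee] += amount     # ... and credits its own client
    bank2_clients[payer] -= amount     # Bank 2 then debits the payer

def pay_from_bank1(bank1, bank2_clients, payer, payee, amount):
    """A Bank 1 client pays a Bank 2 client (Transaction 3)."""
    if bank1.clients[payer] < amount:
        raise PaymentHeld("payer balance too low")
    bank1.clients[payer] -= amount
    bank1.corr += amount               # money now owed to Bank 2
    bank2_clients[payee] += amount

def replay():
    # Opening client balances are constructed; the article gives only the
    # 1 million rubles on the correspondent account.
    bank1 = Bank1({"A": 0, "B": 3_000_000}, corr=1_000_000)
    bank2_clients = {"C": 5_000_000}
    owed = bank1.obligations()
    trace = []
    pay_from_bank2(bank1, bank2_clients, "C", "A", 500_000)        # Transaction 2
    trace.append(bank1.corr)
    pay_from_bank1(bank1, bank2_clients, "B", "C", 2_000_000)      # Transaction 3
    trace.append(bank1.corr)
    try:
        pay_from_bank2(bank1, bank2_clients, "C", "A", 3_000_000)  # Transaction 4
    except PaymentHeld as held:
        trace.append(str(held))
    unchanged = bank1.obligations() == owed   # only internal moves so far
    bank1.corr += 500_000                     # Bank 2 tops up its account
    pay_from_bank2(bank1, bank2_clients, "C", "A", 3_000_000)
    trace.append(bank1.corr)
    return trace, unchanged, bank1.clients, bank2_clients
```

Bank 1's total obligations stay constant until Bank 2 adds outside money, which makes that sum a useful reconciliation check on the account registry.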
Payment system of the Bank of Russia
The mechanism for making payments between two banks that we have just considered is simple, but it has a significant drawback in terms of scalability. With a large number of banks, establishing and maintaining correspondent relations between every pair of banks is difficult. Therefore, the main instrument for interbank money transfers in the Russian Federation is the Bank of Russia payment system.
Fig. 4
The main idea of this payment system is that the Bank of Russia acts as a single point to which all banks are connected and through which payments from one bank to another pass.
Each credit institution opens a correspondent account with the Bank of Russia when it registers and obtains a license to conduct banking activities.
To distinguish one bank from another, banks are assigned bank identification codes (BIC).
The Bank of Russia regularly updates and publishes on its website a directory of BICs. Knowing the BIC, you can use this directory to determine the number of the bank's correspondent account opened with the Bank of Russia. The combination of the BIC and the current account number uniquely identifies the customer's current account within the entire payment system of the Russian Federation.
Let us consider how an interbank payment will be made using the payment system of the Bank of Russia. We take as the basis the interaction of customers and banks, illustrated in Fig.4.
Transaction 5.
Client G makes a payment to Client C. To do this, he sends his bank (Bank 3) a payment order in which he names Client C as the payee.
Bank 3, having received the payment order from Client G, sees that the payee (Client C) is not its client, and sends the payment order to the Bank of Russia.
The Bank of Russia reduces the balance on Bank 3's correspondent account by the payment amount and increases the balance on the correspondent account of Bank 2 (the receiving bank) by the same amount. After that, the Bank of Russia sends the payment order to Bank 2 and sends a notification about the payment to Bank 3, which in turn reduces the balance on the current account of Client G.
Bank 2, having received the notification from the Bank of Russia, increases the balance on the current account of Client C. Both banks - Bank 2 and Bank 3 - reflect the movement of funds on the settlement accounts in statements and provide them to their customers.
When several routes are available, as, for example, between Client B and Client C in Fig. 4, the sending bank decides on the payment routing itself: via direct correspondent relations or through the payment system of the Bank of Russia, depending on the parameters of the payment, its cost and other conditions.
Money transfers in the payment system of the Bank of Russia are carried out:
- in real time, using the bank electronic urgent payments service (BESP);
- in discrete mode, using the mechanisms of intraregional electronic settlements (VER) or interregional electronic settlements (MER).
Real-time payment processing is similar to taking a taxi: the payment goes to the Bank of Russia and is processed immediately. In discrete mode, payment processing is similar to carrying passengers by bus: payments are first accumulated and then all processed together in a batch. During the trading day, the Bank of Russia performs several such runs.
The schedule of runs adopted in the Moscow region is published on the website of the Bank of Russia and consists of five runs:

Run | Acceptance period for electronic documents | Processing period for electronic documents | Time of issuance of processing results |
---|---|---|---|
First run | 10:00 - 11:00 | 11:00 - 12:00 | from 12:00 |
Second run | 11:15 - 14:00 | 14:00 - 15:00 | from 15:00 |
Third run | 14:15 - 16:00 | 16:00 - 17:00 | from 17:00 |
Fourth run | 16:16 - 18:00 | 18:00 - 20:00 | from 20:00 |
Final run | 19:00 - 21:00 | 21:00 - 22:00 | from 22:00 |
Bank of Russia tariffs for making payments via BESP are higher than in discrete mode.
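The hub scheme of Transaction 5 and the two processing modes can be modelled as follows. This is an added example, not code from the original article or from the Bank of Russia; the BICs, account numbers and balances are constructed, and holding an uncovered payment for a later run is an assumption made by analogy with Transaction 4.

```python
from collections import namedtuple

# A (BIC, account number) pair addresses one client account system-wide.
Payment = namedtuple("Payment", "from_bic from_acct to_bic to_acct amount")

class Bank:
    def __init__(self, bic, accounts):
        self.bic, self.accounts = bic, dict(accounts)  # account -> balance

class Hub:
    """Stand-in for the Bank of Russia: one correspondent account per BIC."""
    def __init__(self, banks, corr):
        self.banks = {b.bic: b for b in banks}
        self.corr = dict(corr)   # BIC -> correspondent account balance
        self.queue = []          # discrete mode: payments awaiting a run

    def submit(self, p, urgent=False):
        if p.from_bic not in self.corr or p.to_bic not in self.corr:
            raise KeyError("BIC not in directory")
        if urgent:
            return self._settle(p)   # real time, processed immediately
        self.queue.append(p)
        return False                 # accepted, settles at the next run

    def run(self):
        """Process the accumulated batch; return how many payments settled."""
        batch, self.queue = self.queue, []
        for p in batch:
            if not self._settle(p):
                self.queue.append(p)  # assumption: held for a later run
        return len(batch) - len(self.queue)

    def _settle(self, p):
        if self.corr[p.from_bic] < p.amount:
            return False              # assumption: uncovered payments wait
        self.corr[p.from_bic] -= p.amount   # sending bank's account
        self.corr[p.to_bic] += p.amount     # receiving bank's account
        # Each bank then updates its own client's account.
        self.banks[p.from_bic].accounts[p.from_acct] -= p.amount
        self.banks[p.to_bic].accounts[p.to_acct] += p.amount
        return True

def demo():
    # Constructed BICs, account numbers and balances.
    bank2, bank3 = Bank("BIC-2", {"ACC-C": 0}), Bank("BIC-3", {"ACC-G": 900})
    hub = Hub([bank2, bank3], {"BIC-2": 100, "BIC-3": 500})
    hub.submit(Payment("BIC-3", "ACC-G", "BIC-2", "ACC-C", 300))
    queued = bank2.accounts["ACC-C"]        # discrete payment not yet applied
    hub.submit(Payment("BIC-3", "ACC-G", "BIC-2", "ACC-C", 150), urgent=True)
    urgent = bank2.accounts["ACC-C"]        # urgent payment already applied
    settled = hub.run()
    return queued, urgent, settled, bank2.accounts["ACC-C"], hub.corr
```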
Transfers from own funds of banks
Before that, we discussed how banks execute customer payments. Now consider how the bank makes its own payments, for example, buying paper, paying for electricity, communication services, etc.
By and large, everything is done in exactly the same way as for customer payments, except that the bank pays not from a current account but from one of its correspondent accounts. This circumstance often baffles a bank's inexperienced counterparties, who insistently demand the number of the bank's current account, while banks usually do not have current accounts. The rest is the same: a payment order is prepared, then it is sent to the bank where the correspondent account is opened, and that bank executes it and responds with an account statement.
Conclusion
In this part, we became acquainted with the basic principles and mechanisms of non-cash money transfers in the Russian Federation. In the next part, we will look at the bank's IT infrastructure used to make transfers, and especially the part that is responsible for correspondent relations with the Bank of Russia.