MINISTRY OF EDUCATION AND TRAINING
THUONGMAI UNIVERSITY
-------------------------
NGUYEN NGOC SON
OPERATIONAL RISK MANAGEMENT IN CARD
ISSUANCE AND PAYMENT AT VIETNAM BANK FOR
AGRICULTURE AND RURAL DEVELOPMENT
Major: Economic Management
Code : 62.34.04.10
Summary of doctoral thesis
Hanoi, in 2019
This research is conducted in Thuongmai University
Supervisors:
1. DR. VU XUAN DUNG
2. ASSOC.PROF.DR. NGUYEN THI MUI
Reviewer 1: ASSOC.PROF.DR. VU DUY HAO
Reviewer 2: ASSOC.PROF.DR. TRAN THANH TU
Reviewer 3: ASSOC.PROF.DR. DAO MINH PHUC
This thesis shall be under defense before the Thesis
Examination Board level, at Thuongmai University
on Ho Tung Mau Street, Cau Giay, Hanoi.
At………, date…….month ….…year……..
This thesis is available in:
The National Library
The Library of Thuongmai University
1
INTRODUCTION
1. The urgency of the topic
Risk in card services is increasing and complicated, the
level of fraud in card issuance and payment activities is always
unpredictable changing, especially when banks have to face the
attack of criminal organizations, forgery, fraud in card issuance
and payment activities... Thus, it reduces business performance,
affects the reputation and brand of the banks.
In the trend of international integration, it requires
Vietnamese commercial banks including Agribank to meet
operational risk management requirements in general and card
operational risk management in particular according to
international standards. However, card operational risk
management at Agribank is still very limited in practice,
customer information management is incomplete, the technology
do not meet the requirements of risk management, the card
system is not synchronized, the security system is not high, there
are many holes bringing about risks and complaints yet. Besides,
there is still a lack of mechanism for risk management activities.
In such a context, the thesis approaches to research the
topic “Operational Risk Management in Card Issuance and
Payment at Vietnam Bank for Agriculture and Rural
Development” is necessary to contribute finding synchronous,
effective and feasible solutions for Agribank's card operational
risk management activities.
2. Research purposes and tasks
- Research purposes
2
The thesis offers solutions and recommendations with
scientific and practical basis to improve card operational risk
management at Agribank.
- Research tasks
+ Systematize and clarify the basic arguments about card
opertaional risk and card operational risk management of
commercial banks.
+ Research on pratical card operational risk management of
a number of domestic commercial banks to draw lessons for
Agribank in card operational risk management.
+ Analyze and evaluate the real situation of card
operational risk management at Agribank to point out the
limitations that need to be
improved to meet the risk
management activities;
+ Propose solutions and recommendations to make card
operational risk management at Agribank more effective.
3. Objects and scope of research
- Objects: The thesis researches into theoretical and
practical issues on card operational risk management of
commercial banks.
- Scope:
+ About content: Only focusing on researching card
operational risk at commercial banks. Credit risk, interest rate
risk, currency risk, market risk related to the card only
further card risk management.
+ About space: The thesis researches on card operational
risk management of Agribank.
+ About time: The thesis researches on card operational risk
management in practice of Agribank from 2012 to 2017. At the
3
same time, proposing solutions and recommendations from now
to 2025, vision to 2030.
4. New contributions of the thesis
- New contributions to theory: Clarify the concept of
operational risks and impacts on card issuance and payment
activities of commercial banks; analyze and explain the card risk
management process, risk management tools, evaluation criteria,
as well as factors affecting card operational risk management of
commercial banks; analyze and learn some lessons for Agribank
from card operation risk management practice of some
Vietnamese commercial banks.
- New contributions to practice: Analyze and evaluate the
status of card operational risk management of Agribank in the
period of 2012 to 2017 regarding aspects such as policies,
models, processes. From there, pointing out the achieved results,
limitations and causes of card operational risk management
activities.
- New contributions to solution: To complete card
operational risk management model; To build quality human
resources to meet card operational risk management
requirements; To check and complete card issuance and payment
process, card operational risk management process; To invest and
upgrade technology; Coordinate closely with law enforcement
agencies and national and international card organizations;
Develop an early warning system for card operation risks;
Perform communication work to customers.
CHAPTER 1
RESEARCH OVERVIEW AND METHODS
1.1 Overview of research situation related to the thesis
4
1.1.1 Studies on development of bank card services
There are typical case studies relating to the development
of card services, including: Tran Tan Loc (Doctoral thesis in
2004 ) "Basic solutions to develop bank card market in Vietnam";
Hoang Tuan Linh (Doctoral thesis in 2009) "The solutions for
developing card services at the state-owned commercial banks in
Vietnam"; Pham Ngoc Ngoan (Doctoral thesis in 2010 )
"Improving state management to card payment services at
Vietnamese commercial banks"; Pham Thi Bich Duyen (Doctoral
thesis in 2016) "Quality of debit card services at Vietnamese
commercial banks"; CHANTHAVONE PHOMMATHEP
(Doctoral thesis in 2018) "Developing card business of Laos
agricultural bank".
1.1.2 Studies on card operation risk management
The researches related to this issue include: Nguyen Danh
Luong (Doctoral thesis in 2003) "Solutions to develop the form of
card payment in Vietnam"; Pham Ngoc Ngoan (Doctoral thesis in
2010) "Improving state management to card payment services at
Vietnamese commercial banks"; Le Thi Van Khanh (Doctoral
thesis in 2016) "Operational risk management system at
Vietnamese commercial banks"; Pham Thi Bich Duyen (Doctoral
thesis in 2016) "Quality of debit card services at Vietnamese
commercial
banks";
CHANTHAVONE
HOMMATHEP
(Doctoral thesis in 2018) "Developing card business of Laos
agricultural bank"; Johannes Jurgovsky, Michael Granitzer,
Konstantin Ziegler, Sylvie Calabretto, Pierre-Edouard Portier,
Liyun He-Guelton, Olivier Caelen (2018); Deshen Wang,
Bintong Chen , Jing Chen (2018); Mohammed Alqahtani and Aad
van Moorsel (2018).
1.2 Research gaps and research direction of the thesis
5
By 2020, 10 pilot commercial banks have to meet Basel II
requirements, have to calculate operational risks and deduct
provisions for these risks and Agribank is no exception.
Previously published studies about cards in terms of
information technology have not really developed, so some
modern cards or non-contact payment facilities have not yet
appeared. But in recent years, many new types of card have been
launched such as prepaid cards, non-physical cards , along with
many forms of payment such as contactless card payments,
Online card payments, card not present payment, linking ewallets with cards,.... So, how to manage card risks in the context
of 4.0 technology applicated in most sectors of the economy,
previous studies have not mentioned.
The application of modern technology in the card field
entails security risks. Because cybercriminals are trending to
exploit technology and user vulnerabilities, commit frauds with
unsafe links and websites. This is also a matter of great concern
but has not been mentioned in previous studies yet.
Previous studies have not assessed the impact of risk cards
to banks in terms of money, prestige, labours, and even the loss
of liquidity, ...; to customers, to the economy.
1.3 Questions of the thesis
- What does the content of card operational risk
management include? What are the reasons for card operational
risk at commercial banks, especially in the context of applying
modern technology in banking activities?
- What are the criteria for evaluating the results of card
operation risk management of commercial banks?
- Which tools have Agribank used to manage card
operational risk? How were the results? What are the
6
inadequacies? Are there barriers? And what are their causes to
card operational risk management at banks?
- Which improvement trend should be applied to card
operational risk management in the situation in which high-tech
crime attacking network and ATM system is on the rise and
regularly change the manner and method of intrusion?
1.4 Research methods
1.4.1 Data collection method
- Primary data: Survey by questionnaires, interviewing
some experts.
- Secondary data: Secondary information and data are
collected from the database of the State Bank of Vietnam, some
commercial banks, Agribank, Vietnam Bank Association,
Vietnam Bank Card Association,...
1.4.2 Data Processing
- Primary data: Postgraduates use traditional statistical
and data analysis method to synthesize the assessments and
opinions of Agribank’s staffs and experts.
- Secondary data: Secondary figures after collection is
processed and described on Excel software in the form of tables,
diagrams, charts and illustrations.
CONCLUSION OF CHAPTER 1
- The thesis refers to studies on developing bank card
services and studies on the operational risk management of bank
card; shows the gaps that the previous studies have not studied.
Since then, the thesis focuses on researching in-depth direction
on operational risk management in card issuance and payment at
chapter 2 and 3.
7
CHAPTER 2
THEORETICAL BASIS AND PRACTICAL EXPERIENCE
ON OPERATIONAL RISK MANAGEMENT IN CARD
ISSUANCE AND PAYMENT AT COMMERCIAL BANKS
2.1 Overview of card issuance and payment activities at
commercial banks
2.1.1 Concept, characteristics, classification of bank cards
2.1.2 Parties in card issuance and payment process
Issuance bank, Payment bank, Cardholder, Card
acceptance unit, Relevant organizations (International Card
Organization, NAPAS)
2.1.3 Process of card issuance and payment
Process of bank card issuance and payment
Online card acceptance and payment process
Step1: When having demand on purchasing goods and
services, cardholders would access the websites that accept card
payment from banks and comply with the requirements of those
8
websites. Specifically, cardholders must enter a minimum of
information as follows:
+ For domestic cards: The cardholder's full name must be
entered; card number; month/year of issuance of the card and
OTP is necessary to make the transaction.
+ For international cards: The cardholder's full name must
be entered; card number; validity period of the card; CVV2/
CVC2 number.
Step 2: This information will be transferred to the Payment
bank
Step 3: Payment bank sends card information to the card
providing service and Issuance bank to verify the validity and
solvency of the card.
Step 4: If all information is correct and valid, Issuance
bank sends information to Payment bank, decoded information is
sent to seller and payment is made.
Step 5: Money will be transferred from the cardholder's
account to the seller's account.
2.2 Operational risks in card issuance and payment at
commercial banks
2.2.1 Concept of operational risk in card issuance and payment
Operational risk
Under Basel II, Operational risk is the risk of losses
incurred for inadequate or failed internal processes, people and
systems, or from external events. Including legal risk but not
including strategic risk and reputable risk [12].
According to Circular 41/2016/TT-NHNN, Operational
risk refers to the risk arising due to inadequate or failed internal
processes, human factors, system errors and failures or external
events that cause financial losses or non-financial negative
9
impacts on banks and/or foreign bank branches (including legal
risk). The operational risk excludes reputational risk and strategic
risk [30].
Through the concepts of the authors mentioned above,
postgraduates comprehend that operational risk is the risk of loss
due to inadequacy or inadequate operation of processes, people
and systems or due to the impact of external events.
Operational risks in card issuance and payment
Risk in card operations is generally understood to be the
possibility of financial loss or reduction of business profits
compared to the expectations of the cardholders, Issuance banks,
Payment banks or Card acceptance units [3].
Risk in card payment services are losses related to
business card activities. These are unexpected events and
incidents arising in the process of card issuance, payment or
usage, causing unforeseen damages which Issuance banks,
Payment banks, Card acceptance units as well as Cardholders
have to bear [1].
From the concepts of operational risk of commercial
banks in general, as well as the concept of risk in bank card
services, according to the postgradutes' approach, perational risk
in card issuance and payment is the possibility of material or
non-material losses related to card issuance and payment
activities, due to human factors, card process, technology
systems for card operations or external events. Subjects are
banks, cardholders, card acceptance units.
2.2.2 Classification of operational risks in card issuance and
payment
10
- Risks in card issuance activities: Fake card issuance
information; Fake card; The card is stolen while sending to the
cardholder; Cardholder's account is taken advantage of.
- Risks in card payment activities: Card data is stolen
(Skimming/Phishing); Risks due to fraud by card acceptance unit;
Risks when cardholders conduct transactions at card acceptance
units, countries and regions with high risk; Risks due to
disclosure of PIN codes; Risks due to excessing limit; Risks due
to misuse of the nature and regulations of using cards to cheat;
Risks due to use of card which is notified to be lost; Risks due to
technical problems; Ethical risks.
2.2.3 Impact of operational risks in card issuance and payment
- Issuance bank
- Payment bank
- Card acceptance unit
- Customer
- Card credit risks
2.3 Operational risk management in card issuance and
payment at commercial banks
2.3.1 Concept of operational risk management in card issuance
and payment at commercial banks
According to Circular 13/2018/TT-NHNN, Risk
management is the identification, measurement, monitoring and
control of risk in commercial banks and foreign bank branches
operation [26].
According to the Basel Committee, “Risk management is
the whole process of continuously identifying, evaluating,
controlling, tracking and reporting operational risk to minimize
losses incurred during the bank continuous business operation
implementation and guarantee process”.
11
According to BIDV, Operational risk management is the
process of determining scope, setting up apparatus, organizational
structure, policies, management responsibilities, and using
management resources and tools to identify, assess, measure,
propose solutions to prevent/ minimize and monitor/ report
identified operational risks [27].
For card operational risk, this is part of the overall
operational risk of all bank activities. Therefore, it is possible to
apply a number of previous documents and research works on
risk management, operational risk management as a references in
the research process of this thesis.
Through studying many various research works in risk
management, operational risk management, postgraduates
understand that operational risk management in card issuance and
payment at commercial banks is the process that credit
institutions conduct activities to impact operational risks in card
issuance and payment, including setting up organizational
structure, building a system of policies and management methods
to implement the management process, it is the identification,
measurement, evaluation, management, monitoring and
inspection of operational risks in card services to limit to the
minimum possible loss.
2.3.2 Targets of operational risk management in card issuance
and payment at commercial banks
Firstly, Improve the ability to achieve the goal in the card
business.
Secondly, Improve productivity and operational efficiency
of card services.
Third, Be easier to identify opportunities and challenges.
12
Fourthly, Help the risk management in bank card
operations become systematic, methodical and professional
Fifthly, Enhance the organization's understanding that
positively affects organizational culture, staff's working spirit,
and responsibility to the unit.
Sixth, Create trust with customers, improve brand value,
build credibility for shareholders, economic organizations, and
domestic and foreign credit institutions
Seventh, Strengthen the capacity of the internal inspection
and control system to prevent possible losses and manage
incidents, minimize the risk of bank losses.
Eighth, Build risk management model according to international
practice.
2.3.3 Principles and Model of operational risk management in
card issuance and payment at commercial banks
- Card operational risk management principles: The Basel
Committee on banking supervision has summarized four major
issues with 10 golden principles in operational risk management
and recommended banks to implement.
- Card operational risk management model: Commercial
banks apply the management model of "Three layers of
protection" and management level supervision to enhance the
effectiveness of operational risk management, specifically:
1st protection layer - The card service providers
themselves are responsible for managing risks within the unit.
2nd protection layer - The centralized and independent
risk management department is responsible for developing,
maintaining and monitoring risk management of the whole bank.
3rd protection layer - Internal audit, inspection and
control department operates independently, supervises to ensure
13
compliance with the risk management strategies, policies and
regulations.
Management level supervision: The Board of risk
monitoring and management is separated from The executive
board. Depending on the supervisory level, the commercial banks
has decentralized the supervision of the process of risk
management implementation at different levels.
2.3.4 Process of operational risk management in card issuance
and payment at commercial banks
- Risk identification
- Risk measurement
- Risk control and preventing
- Risk handling, financing and reporting
2.3.5 Tools of operational risk management in card issuance
and payment of commercial banks
-Risk Control Self Assessment(RCSA)
-Key Risk Indicators (KRI)
-Events Loss Management (ILM)
2.3.6 Criteria for assessing results of operational risk
management in card issuance and payment at commercial
banks
- Qualitative criteria : Criterion of satisfied level of staffs
in each position, criterion of compliance with mechanisms,
policies and processes.
- Quantitative criteria: Criterion of reducing the number of
faults and errors, criterion of reduction of losses.
2.3.7 Factors affecting the operational risk management in
card issuance and payment at commercial banks
14
- Internal elements: Control mechanism, reporting
information mode, risk management apparatus, information
technology system, supporting tools
- External elements: Legal environment, iInput information
system, customers, card acceptance unit
2.4 Experience of operational risk management in card
issuance and payment of some commercial banks and lessons
for Agribank
2.4.1 Experience of BIDV
2.4.2 Experience of Vietcombank
2.4.3 Experience of MUFG Union Bank
2.4.4 Lessons learned about the operational risk management
in card issuance and payment for Agribank
- Organizational structure
- Procedures
- Technology
- Handle the communication crisis
CONCLUSION OF CHAPTER 2
The thesis has synthesized the theoretical basis of card
issuance and payment activities, card operational risks, card
operational risk management of commercial banks. The thesis has
set out the goals and principles of card operational risk
management; Describe card operational risk management
process; suggest risk management tools and at the same time
provide criteria for evaluating card operational risk management
results.
Besides, the thesis has studied the risk management
experience of VietComBank, BIDV to draw lessons for Agribank
in card operational risk management.
15
CHAPTER 3
CURRENT STATUS OF OPERATIONAL RISK
MANAGEMENT IN CARD ISSUANCE AND PAYMENT
AT VIETNAM BANK FOR AGRICULTURE AND RURAL
DEVELOPMENT
3.1 Overview of vietnam bank for agriculture and rural
development
3.1.1 The formation and development of Agribank
3.1.2 Organizational structure of Agribank
3.1.3 Business results of Agribank
- Capital mobilization
- Debit balance
- Non-credit service collection
- Financial results
3.2 Situation of the card issuance and payment of vietnam
bank for agriculture and rural development
3.2.1 Advantages and disadvantages
3.2.2 Situation of the card issuance and payment at Agribank
- Card issuance operation
- Card payment operation
3.3 Status of policies and operational risk management
models in card issuance and payment of agribank
3.3.1 Operational risk management policy in card issuance and
payment of Agribank
- Card operational risk management principles
+ To achieve the goal of development card services,
Agribank accepts card operational risks as part of the matter need
to be considered in the card business strategy and commitment to
fully implement the card operational risk management activities
in accordance with the regulations of the State Bank.
16
Determination of goals, risk reserve capital, as well as risk
management tools are included in Agribank’s business strategy
from time to time.
+ During the implementation process, the Board of
Member is responsible for overseeing the process of setting up a
framework of card operational risk management and reviewing
the overall risk profile of Agribank; The Executive Board is
directly responsible for card operational risk management
approved by the Board of Member and ensures the proper and
appropriate application of types of risk management.
+ The risk management framework must be implemented
consistently throughout the whole system and all employees are
knowledgeable. Each individual employee as well as the
management of each unit shall be assigned responsibilities for
managing and monitoring card operational risks; The Executive
Board and The Board of Member are also responsible for setting
out risk management policies, processes, procedures in card
service products.
+ Risk profile must be fully updated, controlled and
validated independently of the profile establishing department. It
is also regularly reported to the Board of Member and the
Executive Board to take the initiative in the decision-making
process.
+ To ensure card risk management activities to be
effective, the Internal Control Department regularly assesses the
compliance with the card risk management regulations and
processes at the units in the system.
- Card risk management model: there are 3 layers of
protection:
+ First protection layer - subjects that own risks or take
17
direct risks:
+ Second protection layer - unit of risk control and
supervision
+ Third protection layer - the unit ensures independence
from deployed units.
+ Management level supervision: Board of member, the
Supervisory Board, the Executive Board , Committee of Risk
Management, Board of Risk Handling...
3.3.2 Models of the operational risk management in card
issuance and payment of Agribank
3.3.3 Process of the operational risk management in card
issuance and payment of Agribank
- Risk identification
- Risk measurement
- Risk control and prevention
- Handling and financing risks
3.3.4 Results of the operational risk management in card
issuance and payment of Agribank
- Card risk of Agribank: Risk of fraud, risk related to card
acceptance units, risks due to technical problems, risks because
bad guys destroy ATMs to take money, risk of special
transaction.
- Handling card risk of Agribank.
3.4
Evaluation of the operational risk management in
card issuance and payment at Agribank
3.4.1 Survey of the operational risk management in card
issuance and payment at Agribank
a/ Survey results from customers who use Agribank card:
Each bank's card services would bring different benefits for
customers, but the security in card services is still the top concern
18
of customers. Therefore, customers surveyed said that using
BIDV's cards is the safest, second is Agribank’s. The above
survey result shows that Agribank's card risk management has not
really met the requirements of customers.
b/ Survey results from experts who are knowledgeable
about card services:
Through the survey, experts said that, in order to limit card
operational risk, Agribank needs to have solutions such as:
technology investment, strengthening customer information
security, building a strict process, raising awareness of employees
about card risks, customer perceptions. Building and managing a
card database to look up, analyze and take effective risk
prevention measures, meanwhile information needs to be
collected regularly to serve card risk management.
3.4.2 Achievements in risk management work of card operation
at Agribank
Agribank has actively cooperated with International Card
Organizations to update information as well as learn experiences,
closely monitor card transactions to limit and minimize the card
risks that may occur .
Agribank is also rated by the International Card
Organizations to be an effective and active bank in preventing
frauds in card business.
Agribank always closely monitors suspicious card
transactions, and also replaces cards that have transactions in
high-risk markets .
The International Card Organizations and Vietnam public
security agency have appreciated the close cooperation of
Agribank in fighting and preventing fraud card transaction in Viet
Nam market.
- Xem thêm -