2.1.5 Electronic Crime
Effective from Jan 31 2025 - Jan 30 2025
Although it differs from other forms of criminal activity only in its mode of execution, electronic crime represents the fastest growing form of criminal activity currently facing both international and Saudi banks. It presents itself in four major areas, as given below:
ATMs - While major shifts are taking place, Saudi Arabia is still a highly cash-oriented society. This, in turn, drives the exposure to operational loss presented by ATMs. High daily cash withdrawal limits, or no limits at all, mean that ATMs are routinely stocked with far more cash than is normally found in other developed countries. This presents both a lucrative and tempting target for either employee fraud or third-party burglary. In addition, these high cash withdrawal limits also expose banks to potentially higher losses from customer fraud. As banks add additional functionality to ATMs (foreign currency, traveller's checks, airline tickets, etc.) and connect their ATMs internationally through shared networks such as CIRRUS, new opportunities for fraud against Saudi banks, both from within and outside the Kingdom, increase significantly.
Credit Cards - Based on experience both within the Kingdom and outside, credit cards represent a major and rapidly growing operational risk. This risk may be divided into two areas:
Internal Fraud - As with most other types of fraud, credit card fraud involving employees (either working alone or in collusion with outsiders) is the most common and most costly. All credit card issuers are subject to internal fraud risks associated with application generation / approval, account setup / activation, card embossing, and statement preparation / distribution.
External Fraud - Although far less common than internal fraud, external credit card fraud is growing rapidly as a result of large-scale international trafficking in stolen cards and the obtaining of valid cards through fraudulent applications.
Point of Sale (POS) - As the use and acceptance of POS grows within the Kingdom, so too will merchant fraud in number, level of sophistication, and monetary value. This type of criminal activity may range from an employee of the merchant generating fraudulent transactions (generally in collusion with a third party) to large-scale and highly organized activities by the merchant himself. Therefore, prevention and detection of this type of criminal activity by banks will become increasingly complex and costly.
Commercial Services - The extension of electronic payment and trade services to commercial customers represents a major source of fee-for-service income. This is income which represents virtually no credit risk. However, these systems and products may represent a major exposure to costly and embarrassing losses to corporate customers. Two areas present especially high potential exposures to third-party fraud:
Cash Management Services - While providing both a greatly enhanced financial management tool to corporate customers and a significant source of both cost savings and fee-for-service income to the banks, electronic cash management services also represent a major source of operational risk from both third-party penetration and customer fraud. By their very nature, these services allow the conduct of transactions with the bank in which the only security present is that provided by technical means such as encryption, message authentication, and logical access checking of passwords and user IDs. While powerful, these technical controls are not infallible. Therefore, given the high monetary value represented by corporate cash management transactions, the potential for a "long-tailed risk" (i.e. low probability of occurrence with extremely high monetary value) presents the potential for both a catastrophic financial loss and severe damage to the reputation and credibility of the bank.
Electronic Data Interchange (EDI) - As both banks and corporate customers move toward the use of electronic communications to replace paper-based trade documents (i.e. invoices, receiving reports, bills of lading, warehouse receipts, etc.), traditional forms of controlling these transactions will no longer apply. EDI systems have generally been designed with less stringent levels of both access control and authentication of transactions. This has been based on the assumption that since these transactions were "non-monetary" in nature they present less exposure. While this may be technically correct, the non-monetary aspect of an EDI transaction - a receiving report, bill of lading, or warehouse receipt - ultimately generates a payment (electronic or manual) to settle the transaction. Therefore, these systems also present the potential for "long-tailed" risks from both third parties and employees of either the customer or the vendor of goods and services.