Sunday, 1 May 2011

Working Group On Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds Of RBI

This is the updated version of my previous article on similar topic. This article is discussing the constitution of a working group by Reserve Bank of India (RBI) to bring necessary techno legal banking reforms in India. Both technical and legal reforms have been suggested by the report of working group that if implemented by banks of India would go a long way in bringing banking reforms in India.

Now the RBI has issued a notification for the implementation of the suggestions of its working group. Banks need to ensure implementation of basic organisational framework and put in place policies and procedures which do not require extensive budgetary support, infrastructural or technology changes, by October 31, 2011. The rest of the guidelines need to be implemented within period of one year unless a longer time-frame is indicated in the circular.

In the past, RBI constituted a working group on information security, electronic banking, technology risk management and cyber frauds. The working group submitted its report in the recently upon which public inputs were invited. After analysing the public inputs, the final draft has been recently released and notified by the RBI.

RBI has also directed that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest. This direction was provided through the information technology vision document for 2011-17 (IT Vision 2011-17) and the recent notification of the draft report. This document has suggested many technological as well as legal reforms for banking sector of India.

RBI has recently acknowledged the risks of e-banking in India. There are many problems from which the online banking or Internet banking in India is suffering. The most important pertains to maintaining effective cyber security for banking and financial sectors of India. Similarly, there are no effective Internet banking laws in India or online banking laws in India. In the absence of stringent laws in this regard, online banking risks in India are increasing. However, of all the shortcomings, nothing can match the absence of encryption laws and standards in India. In the absence of proper encryption norms in India, e-banking in India is really insecure.

Although, RBI has been taking many far reaching and important steps yet e-banking in India still very risky. Of late, cases of phishing and banking frauds have increased tremendously in India. Further, cyber due diligence of banks in India is still a far dream. Even the directions of RBI to appoint CIOs and steering committees on information security have not yet been implemented.

Cyber security for banking and financial institutions of India is not in proper shape. Even due diligence requirements under the cyber law of India are not properly met. This has forced RBI to upgrade ATM security in India. Further, RBI has also imposed penalty upon 19 banks for non compliance with the regulatory requirements.

Indian banks are poor at cyber security policy formulation and its implementation. Cyber Security Policy is an issue that is very important for Banks of India, says Praveen Dalal, managing partner of New Delhi base ICT law firm Perry4Law and leading cyber law expert of India. With the growing use of Internet Banking, ATM machines, Credit and Debit Cards, Online Banking, etc, Banks of India must also upgrade their Cyber Security Infrastructure and establish a Cyber Security Policy, suggests Dalal.

RBI must rigorously implement the directions and suggestions made in the report of working group. Without stringent actions, the report would never be actually and practically implemented by Indian banks.