Showing posts with label RESERVE BANK OF INDIA. Show all posts

Sunday, 1 May 2011

Working Group On Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds Of RBI

This is an updated version of my previous article on a similar topic. This article discusses the constitution of a working group by the Reserve Bank of India (RBI) to bring necessary techno legal banking reforms in India. The report of the working group suggests both technical and legal reforms that, if implemented by Indian banks, would go a long way in bringing banking reforms in India.

Now the RBI has issued a notification for the implementation of the suggestions of its working group. Banks need to ensure implementation of a basic organisational framework and put in place policies and procedures which do not require extensive budgetary support or infrastructural or technology changes by October 31, 2011. The rest of the guidelines need to be implemented within a period of one year unless a longer time-frame is indicated in the circular.

In the past, RBI constituted a working group on information security, electronic banking, technology risk management and cyber frauds. The working group recently submitted its report, upon which public inputs were invited. After analysing the public inputs, the final draft has been recently released and notified by the RBI.

RBI has also directed that all banks would have to create a position of chief information officer (CIO) as well as steering committees on information security at the board level at the earliest. This direction was provided through the information technology vision document for 2011-17 (IT Vision 2011-17) and the recent notification of the draft report. This document has suggested many technological as well as legal reforms for the banking sector of India.

RBI has recently acknowledged the risks of e-banking in India. Online banking, or Internet banking, in India suffers from many problems. The most important pertains to maintaining effective cyber security for the banking and financial sectors of India. Similarly, there are no effective Internet banking or online banking laws in India. In the absence of stringent laws in this regard, online banking risks in India are increasing. However, of all the shortcomings, nothing can match the absence of encryption laws and standards in India. In the absence of proper encryption norms in India, e-banking in India is really insecure.

Although RBI has been taking many far-reaching and important steps, e-banking in India is still very risky. Of late, cases of phishing and banking frauds have increased tremendously in India. Further, cyber due diligence of banks in India is still a distant dream. Even the directions of RBI to appoint CIOs and steering committees on information security have not yet been implemented.

Cyber security for banking and financial institutions of India is not in proper shape. Even due diligence requirements under the cyber law of India are not properly met. This has forced RBI to upgrade ATM security in India. Further, RBI has also imposed penalties upon 19 banks for non-compliance with the regulatory requirements.

Indian banks are poor at cyber security policy formulation and its implementation. Cyber Security Policy is an issue that is very important for Banks of India, says Praveen Dalal, managing partner of New Delhi based ICT law firm Perry4Law and leading cyber law expert of India. With the growing use of Internet Banking, ATM machines, Credit and Debit Cards, Online Banking, etc., Banks of India must also upgrade their Cyber Security Infrastructure and establish a Cyber Security Policy, suggests Dalal.

RBI must rigorously implement the directions and suggestions made in the report of the working group. Without stringent action, the report would never be implemented in practice by Indian banks.

Friday, 25 March 2011

Information Security Policy Of India

Information security is a very crucial part of the homeland security of India. However, despite being a crucial field, information security is in a poor state in India.

There are many factors behind this poor information security in India. The two chief reasons are the lack of an information security policy of India and the absence of information security laws in India.

The importance of having an Information Security Policy is now not only being acknowledged even by the top management of organisations but has also been recently made mandatory by the Reserve Bank of India (RBI) for banks operating in India, informs Praveen Dalal, managing partner of New Delhi based law firm Perry4Law and leading techno legal expert of India.

In fact, recently the RBI has released its Information Technology Vision Document 2011-17 that endorses the requirements for having strong information security for online banking and offline banking transactions. The document also mandates that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest, informs Dalal.

The lack of an information security policy of India is also casting doubt on whether India is capable of tackling cyber terrorism attacks against it. Further, cases of cyber espionage and cyber attacks are also increasing in India.

On top of it, we have a weak cyber law of India that gives a free hand to cyber criminals worldwide. If India wishes to secure its cyberspace, it must formulate a robust and effective information security policy of India. This policy must be supplemented by stringent cyber laws of India. Till these steps are taken, Indian cyberspace would remain vulnerable to cyber attacks, cyber terrorism and cyber espionage.

Thursday, 10 March 2011

Mergers And Acquisitions In Banking Sector Of India

Banking sector reforms in India are in progress. Both the Finance Ministry of India and the Reserve Bank of India (RBI) are actively suggesting many far-reaching reforms for the banking and financial industry of India.

One such reform pertains to regulating mergers and acquisitions (M&A) in the banking sector. Till now the Competition Commission of India (CCI) has had a say in M&A pertaining to banking companies.

However, with the recently proposed amendments to the Banking Regulation Act, 1949, only RBI would have the power to regulate M&A pertaining to the banking sector. In fact, the proposed amendments have already been approved by the Cabinet of India.

Finance Minister Pranab Mukherjee has also recently said that RBI would have the final say on bank M&A. He said that banking mergers and acquisitions will not come under the purview of the Competition Act or the Companies Act.

The mergers and acquisitions of banks will now come under the purview of the Banking Regulation Act. This means M&A in the banking sector would no longer require the approval of the Competition Commission of India.

Tuesday, 8 March 2011

Non-Banking Finance Companies (NBFC) Laws In India

Reserve Bank of India (RBI) has recently announced the setting up of a working group to examine issues pertaining to regulation, governance and supervision of Non-Banking Finance Companies (NBFC) operating in India. The working group would be providing its recommendations in this regard.

While the recommendations of the working group are pending, an important development has taken place. Till now it was assumed that only the Parliament of India has the power to legislate regarding NBFCs in India. However, this notion has been completely changed by the recent judgment of the Supreme Court of India (SCI).

In two separate judgments, the Bombay High Court and Madras High Court held different opinions. The Bombay High Court declared the Maharashtra Protection of Interests of Depositors (in Financial Establishments) Act unconstitutional, holding that only Parliament can pass such a law. The Madras High Court, on the other hand, upheld the Tamil Nadu law, which was almost identical to that of Maharashtra.

In both cases, the State Governments passed legislation to protect depositors from fraudulent companies and schemes. The SCI held that the Bombay High Court was wrong and the Madras High Court’s view was the correct one.

A Bench consisting of Justice Markandey Katju and Justice Gyan Sudha Misra upheld the “constitutional validity” of such State laws and termed such laws as salutary measures which were long overdue to deal with scamsters.

The Bench held that if in “pith and substance” a law falls under the legislative powers of a State Government, it is valid and constitutional. The Bench further held that the objectives of such State laws must also be kept in mind, as sharp and distinct lines of demarcation are not always possible and it is often impossible to prevent a certain amount of overlapping.

The bench also observed that the Reserve Bank of India Act and the Banking Regulation Act, 1949 do not cover the field of operation of the non-banking financial companies. The Companies Act also does not directly deal with the problem posed by large-scale cheating of middle class depositors who are lured by promises of high interest rates.

Therefore, the laws to protect small depositors, by attachment of the property of the companies and other steps, were a salutary step and could not be set aside as unconstitutional, the judgment said. This judgment would go a long way in bringing suitable reforms in the NBFC sector of India.

Sunday, 6 March 2011

Wealth Management Regulations In India In Pipeline

The Finance Ministry has been proposing many banking and financial sector reforms these days. They are primarily targeted towards protecting banking and financial sector customers and investors. Of late, many fraudulent transactions and crimes have been committed against banking and financial sector customers, and regulators have taken notice of the same.

The recent Citibank fraud came as a wake-up call and the government decided to review the regulatory issues regarding wealth management and private banking services offered by the banks. A sub-committee of the Financial Stability and Development Council (FSDC) has been constituted in this regard, which recently met in New Delhi.

FSDC discussed the issues of wealth management services by banks. Reserve Bank of India (RBI) and Securities and Exchange Board of India (SEBI) may be made jointly responsible for implementing these regulations and keeping a watch for any violations. The Indian government has also sought inputs from other regulatory bodies to frame a comprehensive rule-book for wealth management practices.

While the RBI and SEBI would play a dominant role, other regulators like commodity regulator FMC, insurance watchdog IRDA and pension fund regulator PFRDA would be roped in whenever necessary.

The wealth management regulations of India are presently in the process of being given a final touch. The Financial Stability and Development Council (FSDC) is in the process of formulating final rules in this regard. FSDC is a high-level regulatory body set up in December 2010 and is chaired by Finance Minister Pranab Mukherjee. FSDC has been in favour of formulating wealth management regulations and the same has now been reiterated by its sub-committee as well.

This is a good step in the right direction and Finance Minister Pranab Mukherjee and RBI must be congratulated for all the good work they are doing in this regard.

Saturday, 5 March 2011

Cyber Security For Banking And Financial Sectors Of India

Cyber security is an issue that is very important for India. With the growing use of Internet banking, ATM machines, credit and debit cards, online banking, etc., banks of India must also upgrade their cyber security infrastructure.

Reserve Bank of India (RBI) has taken some very proactive steps in this regard. RBI has made it mandatory to appoint chief information officers (CIOs) and steering committees on information security at the board level at the earliest. The intentions are good and so must be their implementation.

Cyber security cannot be effective for the banking and financial sectors of India until they adopt it systematically. For that, a dedicated cell or wing must be established that can take care of issues pertaining to cyber law, cyber security, cyber forensics, cyber due diligence, etc.

Although there are numerous such due diligence requirements, banks and financial institutions must consider the cyber security aspects on a priority basis. Indian banks and financial institutions are increasingly facing cyber crimes pertaining to the banking industry. Further, ATM frauds, credit card cloning, phishing attacks against banks and financial institutions, etc. are also on the rise.

Further, data security and privacy issues are other areas of concern for banks and financial institutions of India. They must consider data security and privacy issues of their customers very seriously, otherwise they would be violating the due diligence requirements under various laws, especially the cyber law of India. Data security and privacy in the Indian banking industry require the immediate attention of RBI.

RBI is already working hard in these directions and it is a matter of time before banks and financial institutions of India would be mandatorily required to ensure strong cyber security, effective data protection and stringent privacy protection of their customers.

Thursday, 3 March 2011

Information Technology Vision Document For 2011-17 By RBI

Reserve Bank of India (RBI) has recently released the information technology vision document for 2011-17 (IT Vision 2011-17). It has brought many far-reaching reforms in the banking industry of India.

According to the vision document, Information Technology (IT) has transformed the conduct of businesses in every sector of the economy, including the financial sector. RBI has endeavoured to streamline technological change in a manner that would help to enhance the inclusiveness of the financial sector. The developments largely relate to improvements in back office management in the form of streamlining Management Information System (MIS), strengthening centralised processing and improving communication networks.

In this context the appointed Committee has identified the specific areas that need to be addressed during the ensuing years. These issues may be addressed in the short, medium and long term.

Some of the important issues are integration of information and technology, focused approach in usage of data for MIS and Decision Support System (DSS), inadequacies in information needed to take vital decisions, disparate IT systems at different levels of maturity, metadata and uniform data reporting standards, adoption of data mining and business analytics for information refinement, re-engineered business processes and delivery models, strategic alignment between business and IT, information and security policies, business continuity management, project management, vendor management, availability of trained manpower for deployment of technology, etc.

One of the areas covered by the vision document pertains to information security policy (IS policy). Information security policy is a documented business rule for protecting information and the systems which store and process this information. Information should be based on the principles of integrity, reliability, and validity. Protecting confidential information is a business and legal requirement.

The existing IS policy would have to be reviewed and updated at periodical intervals. The IS Policy may detail principles for protecting information from unauthorised access, use, disclosure, disruption, modification or destruction. The information security policy should, inter alia, relate to policies such as firewall, email, network security, and password. The policy should also address issues relating to prevention of cyber attacks by deploying appropriate technologies such as two-factor authentication.

While following the above, legal aspects relating to the provisions of Acts such as the Payments and Settlement Act, 2007 and the IT Act, 2000 may be strictly adhered to. Further, all banks now would have to create a position of chief information officer (CIO) as well as steering committees on information security at the board level at the earliest. This would ensure compliance with cyber laws and other laws and would ensure effective cyber security. Let us hope these guidelines would be followed very soon by banks in India.