The Reserve Bank of India has today placed on its website the report of the Working Group on information security, electronic banking, technology risk management, and cyber frauds.
The Working Group (Chairman: Shri G.Gopalakrishna, Executive Director, RBI) was established following the announcement in the April 2010 Monetary Policy Statement, which recommended enhancing RBI guidelines relating to the governance of IT, information security measures to tackle cyber fraud apart from enhancing independent assurance about the effectiveness of IT controls
The report covers various areas such as IT Governance, information security (including electronic banking channels like internet banking, ATMs, cards), IT operations, IT services outsourcing, Information System Audit, Cyber frauds, business continuity planning, customer education and legal issues.
The objective of the Working Group was to provide a set of guidelines to banks covering the entire gamut of electronic banking. This would serve as a common minimum standard for all banks to adopt as well as lay down the best practices for banks to adopt in a phased manner for a safer and sounder banking environment. The Group felt that there was a need for banks to follow a consistent approach in each focus area, to minimize differing interpretations.
Some of the major recommendations of the Working Group are provided here.
The Group recognised that the recommendations are not “one-size-fits-all” and the implementation of these recommendations need to be based on the nature and scope of activities engaged by banks and the technology environment prevalent in the bank and the support rendered by technology to the business processes.
The Reserve Bank will begin implementing the recommendations of the Working Group shortly.
Background
Rapid strides in Information Technology (IT) and its swift adoption by the commercial banks in India have enabled banks to use IT extensively to offer products and services to customers apart from automating internal processes. Some opportunities arising from intensive use of IT are multiple delivery channels to customers, development of new products and processes, reduction in service delivery costs and potential for financial inclusion initiatives.
Developments in IT have also brought along a whole set of challenges to deal with. These include rapid changes in technology, complexities, high costs, security and data privacy issues, new laws and regulations and inadequate trained manpower.. Inadequate IT controls could result in cyber frauds and poor implementation of technology could lead to unsound decision making based on inaccurate information/data. The cyber threat landscape is also changing over the years and needs to be factored in while considering mitigating measures.
Given this context, there was a need to enhance the governance of IT and institute robust information security measures in the Indian banking sector based on extant international standards and best practices. Information technology (IT) risk assessment and management was required to be made a part of the risk management framework of a bank, while internal audits/information system audits needed to independently provide assurance that IT-related processes and controls were working as intended. Given the instances of cyber fraud in banks recently, it was necessary to improve controls and examine the need for pro-active fraud risk assessments and management processes in commercial banks. With the increase in transactions in electronic mode, it was also critical to examine the legal implications for banks arising out of cyber laws and steps that were required to be taken to suitably mitigate the legal risks. To consider these issues, the Governor had announced, in the Annual Monetary Policy Statement 2010-11 in April, 2010, the creation of a Working Group on Information Security, Electronic Banking, Technology Risk Management and Tackling Cyber Fraud.
R.R. Sinha
Deputy General Manager
Press Release : 2010-2011/1044 |