By Shalini S.
The RBI governor, Raghuram Rajan, recently announced that the central banking institution is in the process of setting up an Information Technology (IT) subsidiary. The purpose of this IT subsidiary is to aid the RBI in effectively monitoring and supervising internet-based services offered by banks across the country. This is a welcome move for the Indian banking sector and its customers, who are threatened by systemic vulnerabilities that enable technology-related banking and financial frauds, born primarily of the continued migration of services to internet and mobile platforms. This post examines the need for the announced subsidiary in the context of rising instances of cyber-attacks against the banking sector and proposes possible functions for the dedicated subsidiary to enhance cybersecurity in the rapidly digitizing banking sector.
While the adoption of IT for banking services offers unprecedented convenience, cost-effectiveness and speed of delivery, it is riddled with several external threats and suffers from a lack of coordination. Alongside the significant operational risks of adopting information technology in the delivery of banking services, a significant rise in banking-related technology frauds has been reported, a cause for concern for customers, commercial banks and the RBI. Even though advanced analytics on banking platforms attempt to prevent fraudulent transactions, such transactions continue, as several banks and telecom companies fail to comply with suggested and mandated safety norms. Major commercial banks have also been accused of not filing reports of suspicious transactions, an obligatory requirement when there has been an instance of unsatisfactory identification, which allows for speculation that more fraudulent transactions are attempted than are reported.
Currently, phishing, vishing, spyware or malware attacks, keylogging, data theft and other internet-based frauds are reported to be the most common cyber-attacks against banks and their customers. Despite these threats, there remains continued and even enthusiastic use of innovative, technology-backed financial services such as mobile banking and social media payment systems.
The RBI, which is the central banking institution of the country and responsible for the supervision and regulation of the finance sector, also bears the onus of evolving and enforcing parameters of banking operations. Noting the inevitability of increased digitization of traditional banking services and the accompanying vulnerabilities, the RBI has previously attempted to address the issue of cybersecurity by evolving minimum standard cyber safety norms for banks and other providers of financial services. In 2010, the RBI set up a working group to examine issues arising out of IT penetration and use in the banking sector and directed banks to appoint a Chief Information Security Officer (CISO) and a steering committee on information security. Based on the report of the working group, it also issued a set of guidelines on information security, technology risk management and combating cyber fraud in 2011. The guidelines provided detailed insight into building a fraud risk perspective in banks, customizing audits to detect irregularities and vulnerabilities, and even the appropriate reporting of fraud cases to law enforcement and other relevant stakeholders. Even though the guidelines themselves dealt only cursorily with issues of data security and privacy, the Institute for Development and Research in Banking Technology (IDRBT), an IT institute set up by the RBI, released a handbook on information security governance for the banking sector to act as a follow-up to the above-mentioned guidelines.
Unfortunately, these guidelines, which were considered minimum best standards and were slated to be implemented in a phased manner, have not been treated seriously, and several banks have failed to implement them and carry out the required cyber due diligence. The same year, the RBI also released the Information Technology Vision Document 2011-2017, which highlighted its recognition of the enormity of the menace posed by cyber-attacks and reiterated its commitment to mitigating IT fraud in the banking sector. In 2013, it also issued a circular on risk mitigation measures to be undertaken during e-payment transactions, to help banks secure electronic payment transactions such as RTGS, NEFT and IMPS from cyber-attacks. Noting the significant increase in fraud in online banking transactions, the RBI also advised banks to introduce two- or three-stage authentication and transaction verification. However, as telecom companies, whose services are used in authenticating transactions, continue to have fragile digital security and fail to follow minimum safety protocols, these transactions continue in high-risk environments and are in desperate need of monitoring.
While it is clear from the measures outlined in the paragraphs above that the banking industry has recognized the risks associated with the penetration of IT into financial services, the proposed IT subsidiary of the RBI could prove to be a great institutional addition. The threat landscape highlighted above demonstrates the need for a dedicated IT subsidiary to evaluate the technical capabilities of banks and provide support in strengthening cyber security in the sector. As the exact form and mandate of the IT arm of the RBI have not yet been set, it could also be designed to act as an information-sharing resource, akin to the dedicated cell that was to be formed under the aegis of IDRBT, and additionally work towards ensuring that commercial banks comply with RBI notifications, codes and rules pertaining to cybersecurity and data protection. Since banking, a finance sector function, potentially falls in the category of critical information infrastructure, there needs to be constant security vigilance and cyber security measures on par with global standards. In addition to exploring methods by which the possibilities of IT can be harnessed for effective, cost-efficient, real-time delivery of banking services, it is also crucial for this proposed subsidiary to concentrate on evolving binding basic standards of data security and privacy, an area of the banking sector currently driven primarily by the Information Technology Amendment Act, 2008. The subsidiary, which currently aims to track evolving threats and vulnerabilities, should also attempt to develop real-time fraud prevention models and increase customer confidence by increasing the effectiveness of independent financial IT controls.