RBI Warned Indian Banks For Inadequate Cyber Security

The Reserve Bank of India (RBI) has been issuing various directions and recommendations from time to time to strengthen cyber security of banks operating in India. Further, RBI has also prescribed a cyber due diligence for Indian banks. However, Indian banks are not following the directions of RBI in this regard and a majority of banks in India still do not have a well defined cyber security policy.

RBI has also directed that all banks must create a position of chief information officer (CIO) as well as steering committee on information security at the board level at the earliest. Till now there are no publically available records that show that banks operating in India have appointed CIO and a steering committed as directed by RBI. In any case, these directions of RBI must be complied with latest by October 2012.

Realising that banks in India are not complying with the directions of RBI, it has issued a stern warning that RBI will act against banks that do not implement its guidelines on electronic security of their transactions and operations by October 2012. RBI observed that at present some banks do not have proper security policy and methods to monitor the service level agreements with third parties and have inadequate audit trail.

RBI has directed that the banks with a high technology usage will have to implement all the guidelines and those not having any major online transactions have to implement only some of its recommendations.

Perry4Law and Perry4Law Techno Legal Base (PTLB) believe that the future of banking segment in India is highly dependent upon technology and it would be beneficial if the directions of RBI are implemented by all banks as soon as possible. This would not only safeguard the interests of bank’s customers but would also save banks from many legal problems and cases. Further, inadequate cyber security would give rise to increased cyber crimes and financial frauds that would undermine the reputation of such banks.

ATM frauds, credit cards frauds and Internet banking frauds are on rise in India. Part of this is attributable to lack of public awareness but lack of cyber security adoption by banks in India is the main reason for such crimes and frauds.

Perry4Law and PTLB recommends that banks in India must start implementing the techno legal aspects of cyber security as soon as possible as deadline of October 2012 is fast approaching.

Mobile Banking Cyber Security In India

Mobile Banking is the buzz word these days. While the idea of mobile banking is promising yet it requires certain prerequisites to be successful in India. The chief among these requirements is the requirement to have a robust cyber security for mobile banking in India.

Cyber security in India in general and cyber security for online banking transactions in particular is not in good shape. The Cyber security trends in India 2011 also reflected this position. Mobile banking in India is still not popular due to various factors. For instance, e-banking in India is not safe, Internet banking cyber security in India is missing and online banking in India is not safe. In these circumstances, mobile banking in India is risky due to absence of mobile cyber security in India.

Even the Reserve Bank of India (RBI) is aware of this situation. RBI constituted a working group on information security to ensure cyber security among Indian banks. As per RBI’s recommendations, all banks should create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest.

However, banks of India have shown no willingness to incorporate cyber security into their day to day functions. Till now the directions of RBI to appoint CIOs and steering committee has not been followed by banks of India. The recommendations of the RBI have still not been implemented.

Naturally, Indian banks are poor at developing cyber security policies and implementing the same. Banks of India are also not providing positive confirmation to the originator of NEFT transactions. When basic level aspects are missing, incorporating cyber security in the day to day transactions of banks in India is really difficult. In these circumstances, the decision of RBI to remove financial limits from mobile banking transaction in India can be a trouble than facility. Hopefully, the proposed integrated banking law of India would address all these issues.

However, Indian banks cannot afford to ignore one aspect. The cyber law in India has prescribed cyber law due diligence for various stakeholders. Cyber due diligence for banks in India is just a part of the same. Cyber due diligence for Indian companies including banks operating in India is very stringent. If these due diligence requirements are not followed by Indian banks, civil, criminal and financial penalties can occur.

Cyber security for banking and financial sectors of India is urgently required as they perform very crucial functions. RBI must ensure the same by getting its directions strictly enforced as soon as possible.

E-Discovery In India And Its Uses

By
Baljeet Singh

Electronic discovery has many purposes to achieve. It can be used as an effective measure to prevent frauds from being committed by timely detection of suspicious activities. It can also be used for detection of these frauds and crimes after their commission. Thus, e-discovery is both preventive and curative in nature.

E-discovery must be regulated by a legal framework to give it legitimacy. E-discovery law in India has still to be enacted. Although India has the cyber law of India incorporated in the form of information technology act 2000 (IT Act 2000) yet it is far from being sufficient for cyber forensics and e-discovery purposes. Suitable legislation in this regard is urgently needed in India.

E-discovery is also relevant for law enforcement, lawyers and judiciary. Legal and judicial fraternity of India needs a temperament for scientific knowledge. This includes knowledge about cyber law, cyber forensics, digital evidencing and e-discovery.

E-discovery requirements for banks in India have also significantly increased due to the recent guidelines by Reserve Bank of India that requires banks in India to exercise cyber due diligence and adopt sound cyber security practices.

E-discovery can also supplement due diligence, incidence response and periodic inspection of computers and other technology related systems. This helps in timely detection of frauds and other crimes.

We have a single techno legal e-courts training and consultancy centre of India. It is managed by Perry4Law Techno Legal Base (PTLB). It provides techno legal research, training and education in the fields like digital evidencing in India, e-discovery in India, e-courts training in India, judges training, etc.

Chief Information Officers (CIOs) Made Mandatory For All Banks In India

Reserve Bank of India (RBI) executive director G Gopalakrishna recently said that all banks would have to create a position of chief information officers (CIOs) as well as steering committees on information security at the board level at the earliest. G Gopalakrishna further said the banks will have to implement the facility of "second factor verification" at merchant establishments and ATMs shortly.

The requirements are arising out of the two recently released documents by RBI. The first document is a report of its working group on information security, electronic banking, technology risk management, and cyber frauds. In this report, the RBI mandated cyber due diligence for banks in India.

The second document is known as information technology vision document for 2011-17 (IT Vision 2011-17). The vision document envisages that all banks in India now would have to create a position of CIOs as well as steering committees on information security. These requirements must be fulfilled at the highest level of board of directors. The vision document also requires that while following the above, legal aspects relating to the provisions of the Acts such as Payments and Settlement Act, 2007 and IT Act, 2000 may be strictly adhered to.

This requirement of CIO/CTO is arising because many small banks do not have a designated CTO and also do not have a clear framework on information sharing. RBI is interested in gradual shift to an online system where it can access all the information from the main server of the bank once the RBI's IT Vision is implemented. Those banks having no CIO/CTOs and a steering committee are now required to have these requirements fulfilled as soon as possible.

The objectives of vision document are to ensure the use of information technology beyond core banking and into newer areas like management of information systems (MIS) and better regulatory reporting.

The vision document has been prepared by a high-level committee chaired by deputy governor K.C. Chakrabarty. The vision document also recognises the growing operational risks arising out of adopting technology in the banking sector like use of Internet banking, which could affect financial stability.

If the vision document is fully implemented, it will ensure that the RBI gets access to the servers of all banks, including foreign banks so that it has access to all the banking transactions. Further, the vision document also emphasises on the need for internal controls, risk mitigation systems, fraud detection/prevention and business continuity plans. These are good banking reforms and they must be implemented by banks in India as soon as possible.