Since June 2016, there have been a flurry of activities in the RBI as regards formation of security guidelines that apply to the Financial Services Industry in general in India and Banking in particular.
First, there was the circular regarding “Cyber Security Framework” which required Banks to set up a “Security Operations Center” (SOC) and monitor even “Zero Day Vulnerabilities”. Though the earlier information security guidelines of April 2011 following the GGWG (G Gopalakrishna Working Group) recommendations did press for many information security initiatives that the Banks should have taken which could be interpreted to include what is now being stated, none of the Banks had taken the GGWG guidelines seriously.
Now RBI has taken a decisive step to alert the Board Members in Banks and more particularly the Independent Directors to not only take stock of the implementation status but also confirm to RBI that they have indeed done so. Additionally, Banks have been specifically directed to place the RBI circular and a Gap Analysis before the Bank’s board and send a report to DBOD, before July 31, 2016. They have also been given the deadline of September 30, 2016 for implementation of the Cyber Security Framework and confirmation to RBI.
Setting up of an SOC and more particularly to watch out for “Zero Day Vulnerabilities” calls for a high level of expertise, technical enablement as well as investment by Banks. Except the top few Banks, others may neither have the expertise nor the technical know how to maintain the SOC as required. There are also many smaller Banks which may not have the necessary resources to buy technological services required for the purpose. This has already sent most CISOs in Banks to a huddle and a feverish activity amongst those Banks which have the capability to understand the implications.Many others are likely to continue in their mode of “All is Well” and “Ignorance is Bliss” until they are jolted again by another followup initiative of RBI if there is one.
Following this circular, RBI also released a “Vision Document” for the “Payment and Settlements Systems Industry” consisting of the a focus on “Prevention of Frauds” in the payments eco-system which includes many private sector players who are today acting as business associates of Banks. A responsive regulatory framework was suggested to be developed which included new policies to be developed for the sector.
These measures clearly indicated that Banks would significantly increase their oversight on private sector FinTech companies who were hitherto working in the background while fraud risk exposure at least in perception terms was absorbed by the front end Banks. Though legally, under ITA 20008 the back end service providers were exposed to the risks of frauds, due to general ignorance of the customers and the Banks, they were not called upon to bear the risk of fraud losses.
This situation will now be changed. RBI has identified measures to increase the accountability of the back end service providers and even indicated that RBI may directly retain the power of regulating the back end service providers such as Payment Gateways, Authentication Providers, Customer Aggregators etc. While RBI may wait until it takes a direct plunge into regulating the intermediaries who work between the Banks and the End users of different services, it will definitely bring sufficient pressure on the Banks themselves to increase their supervision of the back-end service providers.
As a result, the back-end service providers which include many Start Ups in the FinTech industry will start feeling the heat of regulatory oversight soon. Since most regulations translate into a Techno Legal Compliance exercise at the service provider’s level, it will require additional investments which might not have been budgeted earlier. The VCs who have funded these companies will also have to take note of the new regulations and ensure that their funds are protected. In case these Tech Companies continue to ignore the compliance requirements in their operations, they are likely to face unpleasant surprises soon.
In a bid to develop policies that may be required for such regulation, RBI has recently set up a working group under the Chairmanship of Mr Sudarshan Sen, Executive Director. (We shall call this the SSWG).
It is time that the FinTech industry takes note of this development and tries to understand the implications of the setting up of the SSWG and its likely recommendations that may follow. The working group has been asked to submit its report in the next 6 months. Since this will be one of the first Working Groups that will define the role of FinTech companies in India, it will be a trend setter. But if the trend is set in a direction that the FinTech companies consider as incorrect, then their business will be adversely affected.
We may take note that in the recent past the Taxi Aggregators and the E Commerce Companies were at the wrong end of new regulations from politicians who did not understand the business. Since these companies also did not understand the mindset of the regulators, they failed to defend their interests and allowed regulations that are dysfunctional. As a result, a “Taxi Service Aggregator” today is considered as a “Taxi Operator” and E-Commerce “Market Place” is considered as a “Wholesaler”.
The next axe will fall on the Health Information App companies and the FinTech Companies. If they donot wake up and take measures to protect their interests, they will regret.
I am not suggesting here that the FinTech companies should manipulate the regulatory framework contemplated by RBI. But I am surprised that FinTech companies donot find a representation in the SSWG though the decisions taken there could affect them. There is a need for the FinTech Companies to ensure that their voices are heard in the regulatory circles.
While organizations such as CII or FICCI ensure that policies are not generally detrimental to the industries they represent, FinTech Companies donot have a proper industry body to represent them. NASSCOM is also not represented in the SSWG and even if represented, it is not a reliable representative of the FinTech companies which are mostly small and micro enterprises.
There is therefore an immediate necessity for these entities to come together and form a body of “FinTech entitites” that understands the needs of this industry segment and represents it to the right authorities.
Since the SSWG has already been formed and in the next one month will start collecting data about the industry, it is high time for the FinTech entities to formulate their strategy of presenting a collective industry face to the SSWG and ensure that they are heard fairly.
I urge industry players to take the initiative and form a “Society of FinTech Entities”, enrol members, develop an industry representation that can be presented to the SSWG. The society can propose certain “Self Regulation” that would pre-empt any unreasonable regulations which may otherwise be imposed on them.
Since Bangalore is a hub of Start Ups and there are many FinTech companies working here, it is a food place to start with. If the industry players are interested in coming together to form such a “Society of FinTech Entities” and need any assistance, Naavi would be happy to assist them.