The recent Bank Fraud in Mumbai in which an amount of Rs 2.41 crores was transferred out of RPG group’s account with Yes Bank coming close on the heels of US$45 million Card fraud in USA should raise the concerns of RBI on the security status of E Banking in India.
The Yes Bank fraud occurred in the RTGS system of a company . In February a similar fraud of Rs 1 crore had occurred in the same Bank indicating a systemic failure. It is easy for the Banks to dismiss the issue as a negligent handling of the password. But this is only an excuse and cannot be considered as a final word. The threat landscape in Internet Banking is so vibrant that viruses and trojans are lurking in the cyber space and could sneak into a system despite all the care that a customer can exercise. If Stuxnet virus could get into high security nuclear and defense installations, we can understand that penetrating a corporate computer cannot be considered as rocket science.
The systemic failure therefore is in the Internet Banking system that relies on the password based access which could authorize pay out of Rs 2.41 crores within minutes to different beneficiaries across the country. There is also the failure evident in the Banking system which enables several branches to keep maintaining mule accounts to which 2.41 crores could land and be withdrawn within a short time.
Further, if we look at the $45 Million fraud referred to earlier in which the security system of two Indian card processing companies were breached, it is evident that a similar security breach in the Bank’s system cannot be ruled out. Even in the Yes Bank instance it is stated that the transactions are processed by Wipro as an outsourcing agent.
We therefore need to investigate the staff of Yes Bank, their outsource agents and any body else who may be connected with the maintenance of the security of the E Banking system.
This is not to conduct a witch hunt on the hapless bank but to ensure that there will not be more such Banks landing into difficulty in the coming days.
RBI therefore should step in immediately and take stock of the outsource dependencies of the Indian Banks. In case the agencies which have a history of security breach incidents are associated with the Banks as outsource partners, then RBI needs to act decisively to tighten the security vigilance on these outsource partners.
It may be recalled that the history of HIPAA-HITECH Act indicate that the US health Card regulators who had originally left Business Associates to be regulated with contractual agreements with the Covered Entities have now moved to bring them under direct supervision of the HHS.
Similarly, time has come for RBI to exercise direct regulatory control on the outsource partners of Banks who present a risk to the system.
As a first step, RBI needs to shoot out a survey form to all Banks to report the particulars of their outsource partners and the measures that the Banks have taken to ensure compliance of the IS guidelines. There needs to be an exclusive “Outsourcing Partner’s Audit” which RBI needs to initiate. Like HHS conducting mandatory audits on a select number of Covered Entities each year, RBI should conduct mandatory audit on the out source partners each year and dis-accredit those who donot practice adequate security measures.
RBI should not rely only on audit certificates being produced by either the Banks or the outsource agencies as it is clear that the agencies involved in the recent frauds were PCI certified and yet were insecure.
Many Banks are complacent with an ISO 27001 certificate which though a good beginning is not adequate to ensure security. Hence though Banks may be encouraged to undertake any type of audits on their own either ISO 27001, COBIT, PCI or ITA 2008 compliance etc., RBI should conduct its own audit to ensure that an Information Security Culture is established in the Indian Banking system.
Presently, RBI inspectors may not have adequate skills or capacity to conduct Information Security audits and hence it is natural for them to rely on the audits conducted by the Banks as an indication of compliance. However it is necessary to train the RBI inspectors to understand the ISO 2700, PCI or other audit reports and quiz the Bank executives to pry open any cosmetic window dressing the Bank might have indulged in.
If immediate action is not initiated and a fraud of the nature that hit USA occurs in India, then the entire Indian Banking system will be in jeopardy. It could even destroy the Indian Banking system and at the same time provide enough funding for terrorists for the next decade to carry on their proxy war on India.
I urge RBI to start thinking in the direction of finding a remedy to the emerging threat..