After Mr K C Chakrabarthy, the former Executive Director of RBI, it appears that the mantle of Cyber Security has passed on to Mr R. Gandhi, Deputy Governor, who appears to be pushing the Commercial Bankers for better Cyber Security.
Speaking recently in a Conference on “Protection of Critical Infrastructure” in Mumbai, Mr Gandhi has pointed out five important focus areas for bankers which he has termed as “Five Commandments” which should, if followed by Bankers bring about a lot of improvement to the state of “Secure Banking” in India particularly in the light of new licenses being issued in the industry.
In a hard-hitting speech (See the full speech here), Mr Gandhi has punched several wise observations and empathized with the customers by recognizing that
“…while the Banks may have better resilience in terms of risk mitigation structures, and ability to absorb the losses and expenses, the customers may not be so privileged. A relatively small value fraud of a few thousands of rupees may endanger the purchase of basic needs and most customers may be ill-equipped to effectively handle the security features provided with the service”
This is an excellent observation coming from a person who has risen to the present position from a small town in Tamil Nadu, namely Tirunelveli. (Incidentally, Tirunelveli is the town from which the fighter Mr S.Umashankar emerged to challenge ICICI Bank in a Phishing Fraud which became history when the TN adjudicator held the Bank liable for Phishing… though the continued apathy since 2011 of successive Central Governments and CJI s has kept the fight incomplete).
In highlighting the defense strategies, he has rightly recognized that the liabilities and responsibilities of the financial Intermediaries by stating that..
“…ecosystem for financial transaction not only includes banks and their customers, but also network service providers, IT infrastructure providers, providers of security solutions and providers of the end-point device which is used for accessing the financial service including the ATMs which may or may not be bank-owned/managed devices”.
Highlighting the need for Cyber Security Preparedness, he has also indicated his five commandments for safety in Banking namely
- Thou shall know your customer
- Thou shall know your employee
- Thou shall keep your IT Systems up-to-date and free of all risky components
- Thou shall provide for maximum IT Governance
- Thou shall ensure continued Cyber Security Awareness
Mr Gandhi continued to also list some of the recent initiatives that RBI has introduced in this regard and referred to the June 2, 2016 guidelines for Cyber Security framework for Banks. Among other things he has pointed out the important of Cyber Incident Information sharing and expressed confidence that Banks will respond adequately to the initiatives suggested by RBI.
As a long time critic of the E-Banking safety in India, I appreciate the tone and the content of this speech which indicates that RBI is really serious about Cyber Security this time.
However, knowing that in the past the IBA as an industry body has always put commercial interests before the security requirements and ignored the dictats of RBI and its initiatives have all fallen by the way side. So, we need to watch out further developments before celebrating the new Cyber Security thrust.
I would however urge Mr Gandhi to continue his push with the following additional initiatives.
- Make Cyber Insurance mandatory for all new Banking licensees as a part of the approval criteria.
- Enforce the existing mandate on Cyber Insurance contained in June 2001 Internet Banking guidelines on present Internet Banking licensees.
- Direct Banks not to harass the cyber crime victims by prolonged legal battles across multiple Courts and enforce compulsory compromises at a maximum liability of 10% of the loss to the customer.
- Punish Bank’s own negligence in KYC facilitating the frauds by fining them heavily and create a fund for providing “Cyber Security Fraud Guarantee” to the customers.
- Ensure that the aggregation of risks under the proposed UPI scheme and the user of Aadhaar based DigiLocker schemes is adequately dealt with to avoid adverse impact on Indian Banking systems.
- Ensure that Consumer Voice is heard in RBI policy making by providing representation to Cyber Security Activists in RBI’s policy recommending working groups.
- Improve the Banking Ombudsman scheme to ensure quick settlement of disputes involving Bank’s negligence even when frauds are the root cause.
- In the light of the proper functioning of the Adjudication System, RBI should explore setting up of an external multi member online Adjudication/Mediation/Arbitration body for quick, low-cost resolution of all Bank disputes as a replacement or in addition to the Ombudsman scheme.
- Ensure implementation of its guidelines under Cyber Security Framework and the earlier April 2011 E Banking security guidelines without fail and penalize the Bank Boards if they fail to do so.
Looking forward to a more secure E Banking era.