Mr Raghuram Rajan, Governor of RBI, sprang a surprise during the press interaction on 14th May following the Board meeting at Goa by hinting at setting up a subsidiary to meet the Cyber Security requirements of the sector.
This in fact is great news for the sector and we hope that the idea is taken forward in the right direction.
Our own perception about the tenure of Mr Raghuram Rajan has been that so far he has been focussing more on the monetary policies and is actually neglecting the “Banking Regulation” aspect. This is the first time that RBI under Rajan has expressed a recognition of the fact that “Cyber Crime Risks” are a concern.
The undersigned has repeatedly pointed out that RBI does not walk the talk when it comes to its policies on Cyber security. There are the Internet Banking guidelines of June 2001, which mandated Cyber Crime insurance that Banks never implemented. There is the April 2011 guideline following the G Gopalakrishna Working Group committee report, implementation of which is also lagging behind. The Damodaran Committee report was sidelined and not notified. Many guidelines on ATM security have remained unimplemented. RBI has never proceeded with suitable penal action, which would have instilled a greater sense of responsibility in Banks. The undersigned has personal experience of how RBI ignored taking action against ICICI Bank, PNB, SBI and AXIS Bank, which were in the forefront of bullying the Internet customers who had suffered losses on account of Cyber Security failures.
At the same time, even before securing the more than decade old Internet Banking system, Bankers have been able to push advanced cyber Banking products such as Social Media Banking. Mobile Banking itself has moved into the second generation “App based Banking”, which will revolutionize the way people use the Banking system. Recently we had a lot of legal controversies surrounding App Based Taxi services. Similar issues may arise in future if RBI does not handle the App Based Banking regulations properly.
There is no doubt that technology will make a lot of difference to Banking. In the recent press interaction, Rajan repeated the words which have been part of my presentation slides for a long time, that “Banking no longer belongs to Bankers. It belongs to Technologists”, the words of wisdom first uttered by Mr A.T. Panner Selvam, previously my senior colleague in Indian Overseas Bank, who later on went on to become the Chairman of other Banks.
But the undersigned has also repeatedly pointed out that any innovation in technology cannot be at the cost of “Security” of banking transactions using Bank customers as Guinea Pigs. The mandate for RBI is to manage the Indian Banking system with the core beneficiary being the “Customer”, who is the “Purpose” of Banking as Mahatma Gandhi put it.
In this connection, the undersigned suggested that RBI should make Cyber Insurance mandatory when the new Banking licenses were considered, since the new generation banks are likely to have a larger stake in technology and therefore greater technology risks. Of course RBI ignored such suggestions and did not even make a mention of Cyber Security as part of the Bank licensing criteria.
So far, the perception of the undersigned (which I hope is not correct) is that RBI is subordinating its regulatory responsibilities to the commercial interests pushed through by IBA. It is for this reason that some Banks are pushing technology that is not compliant with law and exposes customers to greater fraud risks. If Mr G Gopalakrishna the former ED had not been vigilant, some of the Banks which were members of the working group headed by him would have pushed through certain suggestions which were bad in law.
During some of my interactions with RBI through RTI applications, I have even been told that RBI does not collect fraud data which can separate Phishing type frauds from loan frauds. A recent RTI has given at least some information on the number of Cyber Crimes, though there is no consistency with the figures of a similar nature revealed by the IT Minister in the Parliament. The Cyber Crime metrics in the banking industry are still unreliable and are a big hindrance to the development of the Cyber Crime Insurance industry.
I hope all these apprehensions are things of the past and RBI has now had a change of heart and recognized the need to address Cyber Security as a core issue. We therefore warmly welcome the development suggesting that there could be a focus on Cyber Security through a separate IT division.
The exact shape this suggestion will take needs to be watched.
We know that there is already an institution, IDRBT, under the direct control of RBI with reasonable expertise in technology and a significant contribution to the Indian Banking system and its technology developments. Whether the new idea will be an extension of IDRBT, a new Subsidiary, or a new division of RBI is among the issues to be decided.
It is necessary that whatever be the status, the focus has to be on “Information Security” and not limited to “Information Technology”.
Presently the division of RBI which supervises the payment and settlement system has been providing enough impetus to technology through its own policy formulations, often ignoring the security concerns. It will continue to promote IT, and no new division is required for this purpose.
There is also a “Risk Monitoring” Department which does some good work on protecting consumer interests, though a little removed from the technology aspects.
It would therefore be appropriate for RBI to consider a separate division or subsidiary called the “Information Security” division/subsidiary. This division can also set information security standards for the financial sector and work as a CERT for the industry. Such a division can work closely with Cyber Insurers and develop actuarial data to help the industry develop affordable cyber crime insurance products for both the industry and individuals.
Also, if the entity is an external subsidiary, how will it be managed, and what will RBI's representation on the board be vis-à-vis the commercial Banks? This is an issue to be settled.
I have suggested in the past the creation of a fund for Cyber Crime loss reimbursement out of the KYC fines imposed from time to time. Such projects can be integrated with Cyber Crime insurance and the Information Security activities of the proposed department. In such a case, multiple divisions of RBI may have to be represented in the activities of this new division/subsidiary.
Presently, the IT initiatives of RBI are often dictated by ICICI Bank and SBI. These Banks, in pursuance of their commercial objectives, tend to relegate Information Security to “What is Commercially Feasible”. Some vendors also wield enormous influence in the decisions. We apprehend that there will be an attempt by these vested interests to take over this new “Cyber Security” entity and ensure that it too will dovetail with their commercial interests.
Mr Raghuram Rajan, who appears to be dependent on his other colleagues on the subject of Information Security, should ensure that he is not misguided by vested interests in implementing these new Cyber Security initiatives.
I request all Information Security professionals to keep track of the developments in this regard and raise red flags when required.