The Reserve Bank of India in a press release dated December 11, 2018 imposed a monetary penalty of Rs 1 crore on Indian Bank for non compliance of its directions under the Cyber Security Framework of 2016 and the Master directions on Frauds reporting.
RBI has in the process clarified that
“This action is based on deficiencies in regulatory compliance and is not intended to pronounce upon the validity of any transaction or agreement entered into by the bank with its customers.”
Considering that in the past RBI has been content with fines of Rs 5 lakhs and Rs 10 lakhs for failures in KYC, the imposition of a penalty of Rs 1 crore appear eye-popping.
It is certainly a departure from the past in the fact that the fine is relatively significant and it is for “Non Compliance” of an order related to “Cyber Security”.
One of the complaints we always had about Banks is that they donot take the RBI’s instructions seriously and RBI is content in just sending circulars but not imposing its decisions on the Banks. We have often pointed out that Banks like ICICI Bank and SBI are so powerful when it comes to policy making by RBI that often it is the Banks which dictate the terms to RBI rather than the other way round, through the combined strength of the Banks through the IBA.
It is therefore refreshing to note that this time RBI appear to say that it is serious that its directions are taken seriously.
Many of the Banks openly declare that they would provide only such security as is “Commercially Feasible” and make security a trade off with its own profits. This fine therefore does raise the bar a little higher than what it was earlier.
However, will this be a sufficient deterrent?… In our opinion, not necessarily…for the large Banks. Afterall this fine of Rs 1 crore will be an indirect burden on the public since the Bank will factor it in its service charges or simply let it be borne by the shareholders.
When the ATM security was in public discussion a few year’s back, Banks started charging extra money per transaction to cover the security guard’s cost etc., but soon the charges remained while the services promised never happened. The same thing will happen now and Banks will pay off the monetary fine from their profits and except for a small ripple, continue to function the way they do now.
If real improvements are to be brought in the service of the Banks, a part of such burden should be imposed on the officials who were negligent in implementing the security guidelines. Such responsibilities need to be imposed even on the Board of Directors, the CMD as well as the CISO. The fine can be in the form of a percentage of their salary to be recovered say for about a year so that every month they are reminded of their dereliction of duties. Even the Board of Directors need to be imposed a penalty in the form of an individual fine out of the sitting fees or remuneration.
I hope the RBI will take note of this suggestion for the future.