China Banking Regulations Commission (CBRC) has notified guidelines to the Banking industry to use “Secure and Controllable Technology” to strengthen the Internet based Banking system. This guideline has the potential to bring significant changes to the IT industry in China and also the vendors from outside China.
According to the guideline it would be mandatory for Banks in China to use “Secure and Controllable IT Products at a minimum rate of 15% increase each year and to reach 75% by 2019. The criteria for determining the status of a product as “Secure and Controllable” have been detailed in the guideline and includes the following.
1. IT Vendors are required to establish own R&D service cetners in China
2. Source code should be filed with CBRC
3. Risk of Product supply chain should be controllable. (i.o.w. there could be a need for more local production in the entire supply chain)
4.The IP rights in respect of certain products could be subordinated to the local requirements. (i.o.w. provisions similar to compulsory licensing may be used)
As a result of these regulations, it would be necessary for the following:
1.Supplier/Service Contracts will have to incorporate necessary compliance clauses.
2. Banks will have to deploy 5% of their R&D budget on deployment of Secure and Controllable IT products
3. Banks need to subject themselves to an annual audit by CBRC to determine compliance.
As a result of these changes, Indian IT companies having operations in China with exposure to Banking industry need to be prepared for a compliance related modification of their business contracts. If they fail to adapt, the supply contracts may be terminated.
I think RBI needs to pick up a few lessons from these guidelines since they have mindlessly allowed domination of Chinese products in the Indian Banking industry exposing the country to a great disadvantage in the event of a Cyber War. Banks should also understand that there is national interest beyond the need to increase their bottom line.
We remember that during the UPA regime, a Security Certification Center was established under the guidance of IISC Bangalore to test IT products from China in particular which were suspected to have OEM-back doors, but was actually sponsored by Huawaei !
I hope the National Cyber Security team in India takes note of these developments and initiate appropriate actions.