New Banking Licensees- Beware of IT Companies who want to trap you.

RBI has now invited applications for new banking license from private sector which has attracted 26 aspirants to make an application. Many of these are thinking of building their Banking empire on the edifice of technology.

Already, Indian Banking system has become extremely “Technology Dependent”. In fact RBI is making it mandatory even for RRBs to run on “Core Banking Platform”. RBI looks at Core Banking Software systems as a means of better information collection which may help RBI in the administration of its monetary policies. However, in the process RBI is forcing a banking platform which is unfamilar to the Bankers unmindful of the unsafe nature of the software.

The “Eurograbber” risk that has resulted in more than 36000 banking frauds across the European countries and is threatening to enter India. Once it hits the Indian shores, it can destabilize even the strongest of the strong Banks who are operating in India at present.

At this time the new Banking entrants appear to present an even higher risk for the Customers than the existing Bankers since their technology dependence is expected to be higher.

One of the reasons why these new Banks will be more technology dependent is that they will chase profits in a competitive world as late entrants they need to make money by being more efficient. This of course is a good strategy and perhaps even inevitable.

Even before the applicants can be sure about getting their licenses, the IT Companies are already behind them to sell their “Core Banking Applications”. Some of them may even like to be called “Partners” is setting up the new Banks. This again is a genuine marketing activity and is to be expected.

However in the process of listening to the high profile marketing pitch from IT Companies, the new Banks should be aware of the dangers of setting up their Banking entity as a dependent entity on the technology platform supplied by the IT Companies.

We must remember that all these companies are supplying “Core Banking Systems” that have not only failed to stop the Euro grabber type of Trojans but are also not cyber law compliant since they are using “Password based authentication systems” instead of “Digital Signature Based authentication systems”.

Since many of the new Bank license applicants are not fully conversant with the Information Risk environment in the Banks and at least some of them are new to the Banking system itself, they could end up becoming over dependent on the software in driving their Banking business.

Bankers should understand that it is not Infosys or Oracle or Tata Consultancy that will determine how the Banks need to carry on their Banking activities. IT is only a tool with which Banks do their business as defined by the Banking regulation act 1949.

In the past these IT Companies have hoisted under performing software on the industry which is one of the root causes for the information risk inherent in the industry today. These IT companies sell software which is convenient to them and not what is safe for the customers. This is the reason why the “Eurograbber” or “Zeus” type of trojans can make merry in the system.

Unless the Bank owners demand a “Secure Banking Software” as a pre-condition these IT Companies will continue to make money at the expense of Bank customers.

Even the Banks need to ensure that they have enough internal expertise in “Core Banking” with which they can evaluate the functional aspects of a software and identify the security loopholes. Unfortunately many of the new generation Banks think banking to be a “Customer Acquisition Marketing program” and engage professionals who are good in marketing but have little knowledge of the domain. They consider each customer as a “Profit Center” and try to maximize the profit per customer. In the process, if the customer collapses, they donot mind and move onto the next customer.

We need “Customer Centric Bankers” who keep the interest of long term customer relationship as the key principle of banking and convert it into software specifications. The present situation where Banks are reluctant to use Digital Signatures for banking authentication and ignore the need to use “Real time risk management software” are indications of the fact that most Bankers are not able to understand the Banking risks and how it translates into information risk in a technology banking area.

Though there has been an improvement of information security practices in some Banks in the last 6 months, many Banks are far below the expected level of security.

The new Banking license aspirants should therefore avoid falling a prey to the IT Companies by accepting their proposals on the dotted line and demand that the software vendors assume the responsibility for frauds arising out of technology issues.

Customers are indifferent as to whether the technology vendors bears the risk of technology frauds or the Bankers but are keen that RBI makes Cyber Crime Insurance mandatory for the new Banks as a part of the licensing regime.

Older Banks may be happy with the proposal since it will create an additional barrier to the new Banks. It is left to the RBI to decide if Cyber Crime Insurance should be made mandatory even for the existing Banks. But even if Cyber Crime insurance is not mandatory for existing Banks and becomes mandatory only for the new generation Banks, it could become a factor of differentiation with which new Banks may promote their deposit products.

Whether the Banks are happy or not, if RBI makes Cyber Crime Insurance mandatory for new Banks, it would make the customers of the new Banks happy.

This should also add to the viability of the new Banks amidst the pressures of Financial Inclusion and Priority Sector lending. Since the technology platform of these Banks is being created afresh, it is possible for the Cyber Crime Insurance industry to work in close alliance with the technology vendors, Information Security professionals and the user Banks and ensure that the systems are tweaked to improve the security levels to levels higher than at present.

We can therefore look for more interesting and exciting times ahead for the Banking industry in India.

Naavi

Related Article:

Indian IT companies chase banking licence hopefuls

Earlier articles on New Banking License

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Bank, Cyber Crime, RBI and tagged , , , , , , , . Bookmark the permalink.

1 Response to New Banking Licensees- Beware of IT Companies who want to trap you.

  1. steins says:

    Very good article sir,
    infact one critical question remains that why is our banking regulator – RBI hasnt taken any stringent action against banks that have still not followed any proper cyber security measures even after the exhaustive report by the RBI on security, which would set an example against other banks and banks that are to come to existence???
    making recommendations and stating that these are to be followed by blah blah date and the date passes on and no action is taken? why is this so?
    at the end the customer is the one who is to suffer from any data breach/fraud.
    that is what we are seeing from recent incidents.
    This indirectly leaves the message that no matter fraud takes place, banks are cyber safe – cosmetically.
    Now if the new banks come this cycle will continue, as the IT service providers are the same, the same tactics will be used to sell their support systems and as usual, the voice and concern of security pros will be hushed, for the sake of “turnovers”
    For such ignorant people, security is limited only and only to anti virus, firewalls and some ridiculous passwords, but not on digital signatures as you have pointed out.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.