RBI has been advising Banks from time to time on information security in Banks.
It was immediately after the ITA 2000 was notified in 2000 that RBI set out to first formulate its guidelines for cyber law compliant information security in Banks. It constituted the SR Mittal Working Group (SRMG) which gave its report in 2001. On June 14, 2001, the first operative “Internet Banking Guideline” was introduced by RBI.
Then again, after ITA 2000 was amended in 2008, RBI constituted another committee, the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, more popularly known as the GGWG (G Gopalakrishna working group). The recommendations of the committee were notified on April 19, 2011. These have been discussed at length on Naavi.org.
In both the SRMG and GGWG, there were attempts by representatives of Banks to push in recommendations that favour Banks vis-à-vis the customers regarding liability for cyber frauds. Both times their efforts were unsuccessful. In the 2001 guidelines, RBI indicated that Banks should pick up liability for cyber frauds and obtain insurance to cover their own risks. By the time the GGWG came up, the historic S.Umashankar Vs ICICI Bank judgement of the Adjudicator of Tamil Nadu was available, and RBI reiterated that Banks may face liabilities under ITA 2008 in case of Cyber Frauds.
Close on the heels of the GGWG, on August 3, 2011 another important recommendation came forth in the form of the Damodaran Committee on Customer Service. This committee made several important recommendations to safeguard the interests of customers in the E banking scenario.
Though the banks had failed to block undesirable recommendations in the SRMG and GGWG, they succeeded in ensuring that the Damodaran Committee report has not been notified from August 2011 till date. At the same time, RBI has not rejected the committee’s report either. For the last two years there has perhaps been an internal struggle going on in RBI, with one section trying to push it through and the Bankers’ lobby trying to stall it.
The February 28, 2013 guidelines on Information Security issued now indicate that some action has finally been taken based on the Damodaran Committee report, though no mention of this report was made during the release of the guideline.
It is therefore interesting to observe what the recommendations of the Damodaran Committee were and how they compare with the 18 recommendations made under the February 28 guideline.
The following document tries to list the recommendations of the Damodaran Committee along with the February 28, 2013 guidelines.
These now become part of the Banking regulations that need to be considered in any future GGWG audit. Additionally, the new guidelines have made it mandatory for Banks to look at PCI-DSS compliance, which needs to be applied not only at the credit card merchant’s level but also at the ATM stations. They also become relevant for the GGWG audit.
Ujvala Consultants Pvt Ltd, which is a specialized Information Assurance Consultancy company engaged in GGWG Compliance audit, will be integrating these recommendations into its audit standards along with the Basel III recommendations of “Operational Risk Assessment”, since “Legal Risks” are part of the operational risks under Basel considerations.
We need to wait and see how the new guidelines, which are to be implemented before June 30, 2013, will be followed up by the RBI. We also need to wait and observe whether other recommendations of the Damodaran Committee will also be separately notified in future in some form.