We have been following the discussions on how the Unified Payment Interface introduced by RBI has created one big security risk: telecom links have been given direct access to the Banks' transaction servers through the execution of USSD codes.
Though the authorities claim to have adequate security, customers are yet to be convinced that RBI and the Banks are telling the truth.
Does it mean that Banks and RBI can lie?
I would like consumers to make their own conclusions from the following RTI exchange between one Mr Sisirkumar and RBI.
(P.S.: Though this RTI pertains to ICICI Bank, the issues are expected to apply to other Banks also)
Mr Sisirkumar of Vijayawada made a simple RTI Query to RBI raising the following questions.
1. Details of the decision taken by RBI to let Banks use social media and mobile applications, and how RBI arrived at the decision that this does not violate the privacy of customers or their data.
2. Details of specific documents related to the approval given by RBI to ICICI Bank Limited for creation of the following accounts.
3. Details of the decision taken to permit ICICI Bank to do social media banking.
4. Copy of RBI guidelines on how online presence can be conveyed to customers.
5. A copy of the results of the security and privacy audits conducted by RBI.
6. Details of the official RBI accounts on social media, the relevant act as per which they have been created, and their purpose.
RBI has replied to the above RTI as follows:
Reply for query 1:
“Department of Payment and Settlement Systems, Reserve Bank of India (DPSS, RBI) has not issued specific instructions to Banks on areas raised in the query. However, Banks have been advised vide our circular on mobile banking which is available on the website of RBI at link:
Para 2(ii) of Annexure I advises that social media can also be used by the Banks to build awareness and encourage customers to register on mobile Banking as one of the measures of customer awareness programs”
Reply for query 2:
“DPSS, RBI has not issued any such approvals to ICICI Bank Ltd”
Reply for query 3:
“No Specific instruction has been issued to ICICI Bank”
Reply to query 4:
“DPSS has not issued any instructions in this matter”
Reply to query 5:
“DPSS has no information in this matter…. Your query has been forwarded to CPIO..to provide information if available..”
Reply to query 6:
“DPSS, RBI has no information in this matter….Your query has been forwarded to CPIO…”
Subsequently, regarding query 6, M. Nandakumar, CPIO, replied on January 12, 2016, stating:
“We have no information”
Another reply dated January 11, 2016, signed by Ms Alpana Killawala, CPIO, stated for the same query:
“From April 13, 2015, the Reserve Bank of India has presence on two Social Media sites namely, You Tube and Twitter. It is an initiative taken by Reserve Bank for enhanced outreach and real time engagement with the public in addition to engaging with them through traditional media.
Purpose: For wider dissemination of information about RBI policies, rules and regulations”.
On query 5, in a reply dated January 15, 2016, Subhash Chandra Mishra, another CPIO, replied:
“No Security or Privacy audits of mobile applications of banks are done by us. However, the level of adherence to extant guidelines issued by RBI is examined during the course of annual inspection of banks.”
From the above it is clear that the DPSS, which issues guidelines on the use of technology, is not even aware of the need for security and privacy audits, and the CPIOs are completely confused about the state of affairs.
The replies confirm that RBI has not even considered security and privacy audits of mobile apps and has not recognized the security risks associated with the use of Twitter and Facebook for conducting banking transactions such as balance enquiry and transfer of funds. Perhaps they are not even aware that some banks are using Twitter handles to interact with the Banking servers and execute fund transfer requests.
As an ex-Banker with a lot of respect for RBI (by tradition), it is a big surprise for me to note the level of incompetence at the RBI.
This in fact corroborates some of my earlier concerns that I expressed in respect of use of USSD codes for Banking transactions by NPCI.
I am waiting for Banking security experts to react to what we have indicated here, particularly to the fact that the mobile apps have not been audited by RBI.
In the earlier guidelines, IDRBT was supposed to clear any banking-related applications. Obviously, this guideline is being flouted by Banks, and RBI has not taken any corrective action.